Session Cookie without SameSite Flag
Impact: Medium
Description
The absence of the SameSite
flag in session cookies leaves them vulnerable to cross-site request forgery (CSRF) attacks, where unauthorized actions are performed on behalf of a user. Without the SameSite
flag, session cookies are susceptible to being included in cross-origin requests, potentially leading to CSRF exploits.
Recommendation
To enhance security, always set the SameSite
flag for session cookies, specifying the appropriate value based on the application’s requirements. This helps prevent unauthorized access to cookies and protects against CSRF attacks by restricting their inclusion in cross-origin requests.
References
- CWE-1275
- CWE-16
- MDN Web Docs: SameSite cookie
- OWASP 2021-A5
- OWASP: SameSite
- OWASP: Session Management Cheat Sheet
👉 You might also like:
Cookie without SameSite Flag - Vulnerability
Session Cookie without HttpOnly Flag - Vulnerability
Session Cookie without Secure Flag - Vulnerability
Cookie without HttpOnly Flag - Vulnerability
Last updated on May 13, 2024