Cookie without SameSite Flag
Impact: Low
Description
The absence of the SameSite flag in cookies leaves them vulnerable to cross-site request forgery (CSRF) attacks, in which unauthorized actions are performed on behalf of a user. Setting the SameSite flag with an appropriate value prevents browsers from attaching the cookie to cross-site requests, thereby mitigating the risk of CSRF attacks.
Recommendation
To enhance security, always set the SameSite flag on cookies, specifying the appropriate value (Strict, Lax or None) based on the application's requirements. This keeps the cookie from being sent along with cross-site requests and protects against CSRF attacks.
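As an added illustration (not part of the original finding), the following Python check audits constructed Set-Cookie headers for this issue: it flags a cookie that lacks the attribute, reports SameSite=None without the Secure flag, and produces the hardened header. The function names and sample cookies are this example's own.

```python
"""Audit Set-Cookie headers for the SameSite attribute (added example)."""

VALID_SAMESITE = {"strict", "lax", "none"}


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag-only attrs map to ""
    return name.strip(), value, attrs


def check_samesite(header):
    """Return (finding, cookie name); finding is None when the cookie is fine."""
    name, _, attrs = parse_set_cookie(header)
    if "samesite" not in attrs:
        return "Cookie without SameSite flag", name
    value = attrs["samesite"].lower()
    if value not in VALID_SAMESITE:
        return "Cookie with unrecognised SameSite value", name
    if value == "none" and "secure" not in attrs:
        # Browsers reject SameSite=None on a cookie that is not also Secure.
        return "SameSite=None requires Secure", name
    return None, name


def harden(header, default="Lax"):
    """Append SameSite (and Secure when the value is None) if missing."""
    _, _, attrs = parse_set_cookie(header)
    if "samesite" not in attrs:
        header = header.rstrip("; ") + f"; SameSite={default}"
        attrs["samesite"] = default
    if attrs["samesite"].lower() == "none" and "secure" not in attrs:
        header += "; Secure"
    return header


# Constructed sample headers, as a scanner would see them in a response.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "theme=dark; Path=/; SameSite=Lax",
    "tracker=xyz; SameSite=None",
]


def audit(headers=SAMPLE_HEADERS):
    """Return one (header, finding, name) tuple per input header."""
    return [(h, *check_samesite(h)) for h in headers]
```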
References
- CWE-1275
- CWE-16
- MDN Web Docs: SameSite cookie
- OWASP 2021-A5
- OWASP: SameSite
- OWASP: Session Management Cheat Sheet
Last updated on May 13, 2024