Session Cookie without SameSite Flag

Impact: Medium

Description

The absence of the SameSite flag in session cookies leaves them vulnerable to cross-site request forgery (CSRF) attacks, where unauthorized actions are performed on behalf of a user. Without the SameSite flag, session cookies are susceptible to being included in cross-origin requests, potentially leading to CSRF exploits.

Recommendation

To enhance security, always set the SameSite flag for session cookies, specifying the appropriate value based on the application’s requirements. This helps prevent unauthorized access to cookies and protects against CSRF attacks by restricting their inclusion in cross-origin requests.

References

CWE-1275
CWE-16
MDN Web Docs: SameSite cookie
OWASP 2021-A5
OWASP: SameSite
OWASP: Session Management Cheat Sheet

👉 You might also like:

Session Cookie without SameSite Flag

Description

Recommendation

References

Cookie without SameSite Flag - Vulnerability

Session Cookie without HttpOnly Flag - Vulnerability

Session Cookie without Secure Flag - Vulnerability

Cookie without HttpOnly Flag - Vulnerability

Use SmartScanner Free version to test for this issue