Description
The absence of the SameSite flag in cookies leaves them vulnerable to cross-site request forgery (CSRF) attacks, where unauthorized actions are performed on behalf of a user. Setting the SameSite flag with an appropriate value prevents browsers from sending cookies in cross-origin requests, thereby mitigating the risk of CSRF attacks.
Recommendation
To enhance security, always set the SameSite flag for cookies, specifying the appropriate value based on the application’s requirements. This helps prevent unauthorized access to cookies and protects against CSRF attacks.
References
- OWASP: SameSite
- OWASP: Session Management Cheat Sheet
- MDN Web Docs: SameSite cookie
- CWE-1275
- CWE-16
- OWASP 2021-A5