This article is a part of our Web Security Knowledge Base.
Why Cookie Without SameSite Attribute can be dangerous
A cookie without the SameSite attribute can lead to a Cross-site Request Forgery (CSRF) attack.
The SameSite attribute lets a server declare whether a cookie should be restricted to a first-party (same-site) context. Without it, a browser that applies no default attaches the cookie to every request sent to the cookie's site, including requests that another website initiated: a submitted form, an embedded image or iframe, or a script-issued request. An attacker's page can therefore make the victim's browser send a state-changing request to the vulnerable site with the victim's session cookie attached, and the server cannot tell it apart from a request the user meant to make. The same browser behavior is also used for tracking users and for advertising.
How to fix Cookie Without SameSite Attribute
Developers can instruct browsers whether a cookie should be sent along with requests initiated by third-party websites. The SameSite attribute on a cookie accepts three values:
Lax - Cookies are sent with same-site requests and with cross-site top-level navigations that use a safe HTTP method such as GET (following a link), but not with cross-site POST form submissions, embedded images or iframes, or script-initiated requests. Chromium-based browsers treat a cookie that has no SameSite attribute as Lax (with a two-minute exception that still allows a freshly set cookie on a cross-site top-level POST); other browsers do not apply this default, so set the attribute explicitly instead of relying on it.
Strict - Cookies are sent only in a first-party context: never on a cross-site request, not even on a top-level navigation that follows a link from another site, so a user arriving via an external link appears logged out until they navigate within the site.
None - Cookies are sent in all contexts, including cross-site requests. None requires the Secure attribute; current browsers reject a SameSite=None cookie that is not also marked Secure. Use it only for cookies that genuinely must travel cross-site, and protect the endpoints that accept them with a separate CSRF defence such as anti-CSRF tokens.
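The rules above, encoded as runnable code. This is an added example, not code from the ScanRepeat page: the helper names (buildSetCookie, wouldSendCookie, csrfOutcomes), the request-context shape and the scenario are assumptions made for this demonstration. It shows which of the three values stop the classic cross-site POST form CSRF, and what happens to a cookie that has no attribute at all in a browser with and without Chromium's Lax default.

```javascript
// Added example, not code from the ScanRepeat page. The helper names and
// the request-context shape below are assumptions made for this demonstration.

// Build a Set-Cookie header value with an explicit SameSite attribute.
// Throws for an unknown value and for SameSite=None without Secure,
// because browsers reject that combination anyway.
function buildSetCookie(name, value, options = {}) {
  const { sameSite = 'Lax', secure = true, httpOnly = true, path = '/' } = options;
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) {
    throw new Error(`invalid SameSite value: ${sameSite}`);
  }
  if (sameSite === 'None' && !secure) {
    throw new Error('SameSite=None requires the Secure attribute');
  }
  const parts = [`${name}=${value}`, `Path=${path}`, `SameSite=${sameSite}`];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Decide whether a browser attaches `cookie` to a request made in context `ctx`.
//   cookie: { sameSite?: 'Strict'|'Lax'|'None', secure: boolean }
//   ctx:    { crossSite: boolean, topLevelNavigation: boolean, method: string, https: boolean }
// A cookie with no SameSite attribute is treated as `missingDefault`:
// 'None' models browsers that apply no default (the behaviour the article
// warns about), 'Lax' models Chromium's default. Chromium's two-minute
// "Lax+POST" exception for freshly set cookies is deliberately not modelled.
function wouldSendCookie(cookie, ctx, { missingDefault = 'None' } = {}) {
  const safeMethods = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];
  if (cookie.secure && !ctx.https) return false; // Secure cookies travel only over HTTPS
  if (!ctx.crossSite) return true;               // same-site requests always carry the cookie
  const policy = cookie.sameSite === undefined ? missingDefault : cookie.sameSite;
  switch (policy) {
    case 'Strict':
      return false;
    case 'Lax':
      return ctx.topLevelNavigation && safeMethods.includes(ctx.method.toUpperCase());
    case 'None':
      return true;
    default:
      throw new Error(`unknown SameSite policy: ${policy}`);
  }
}

// Constructed scenario: an attacker page auto-submits a POST form to the
// victim site's state-changing endpoint (classic CSRF). The request is
// cross-site, top-level and uses an unsafe method.
const csrfFormPost = { crossSite: true, topLevelNavigation: true, method: 'POST', https: true };

// Outcome of that CSRF attempt for each way the session cookie could be set.
function csrfOutcomes() {
  return {
    missingAttributeNoDefault: wouldSendCookie({ secure: true }, csrfFormPost),
    missingAttributeChromium: wouldSendCookie({ secure: true }, csrfFormPost, { missingDefault: 'Lax' }),
    lax: wouldSendCookie({ sameSite: 'Lax', secure: true }, csrfFormPost),
    strict: wouldSendCookie({ sameSite: 'Strict', secure: true }, csrfFormPost),
    none: wouldSendCookie({ sameSite: 'None', secure: true }, csrfFormPost),
  };
}

console.log(buildSetCookie('session', 'abc123', { sameSite: 'Lax' }));
console.log(csrfOutcomes());
```

Run it with `node`. The cookie with no attribute is sent on the forged POST unless the browser happens to default it to Lax, which is exactly why the scanner flags it; Lax and Strict both block the forged POST, while None lets it through and leaves CSRF protection to the application.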
How does ScanRepeat report Cookie Without SameSite Attribute
ScanRepeat analyzes the Set-Cookie headers of every HTTP response received during the scan. It reports every cookie whose SameSite attribute is missing or set to a value other than Strict, Lax or None. ScanRepeat also provides the URLs of the HTTP requests whose responses set those cookies.
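The same check, written out as an added example so the report format is concrete. This is not ScanRepeat's scanner code: the function names (parseSetCookie, auditSetCookie, auditResponses) and the sample responses are constructed for this illustration. It goes slightly beyond the text by also flagging SameSite=None without Secure, since browsers drop such a cookie.

```javascript
// Added example, not ScanRepeat's scanner code: a minimal audit of Set-Cookie
// headers that reports cookies with a missing or invalid SameSite attribute,
// keyed by the URL of the request that produced the response. Function names
// and sample responses are constructed for this example.

// Parse one Set-Cookie header value into its name and a lower-cased attribute map.
// Attribute names are case-insensitive; a bare attribute (e.g. "Secure") maps to true.
function parseSetCookie(headerValue) {
  const [pair, ...rest] = headerValue.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, attributes };
}

// Return the findings for one Set-Cookie value (empty array when it is fine).
function auditSetCookie(headerValue) {
  const { name, attributes } = parseSetCookie(headerValue);
  const sameSite = attributes.samesite;
  if (sameSite === undefined) {
    return [`${name}: SameSite attribute missing`];
  }
  // "SameSite" with no value parses as true; treat it as an empty, invalid value.
  const raw = sameSite === true ? '' : String(sameSite);
  const normalized = raw.toLowerCase();
  if (!['strict', 'lax', 'none'].includes(normalized)) {
    return [`${name}: invalid SameSite value "${raw}"`];
  }
  if (normalized === 'none' && attributes.secure === undefined) {
    return [`${name}: SameSite=None without Secure (browsers reject this cookie)`];
  }
  return [];
}

// Audit a batch of responses. Each entry mirrors what Node's http client yields:
// headers['set-cookie'] is an array with one element per Set-Cookie header.
function auditResponses(responses) {
  const report = [];
  for (const { url, headers } of responses) {
    for (const value of headers['set-cookie'] || []) {
      for (const finding of auditSetCookie(value)) {
        report.push({ url, finding });
      }
    }
  }
  return report;
}

// Constructed sample responses (not real scan data).
const sampleResponses = [
  { url: 'https://example.test/login', headers: { 'set-cookie': ['session=abc123; Path=/; Secure; HttpOnly'] } },
  { url: 'https://example.test/', headers: { 'set-cookie': ['theme=dark; Path=/; SameSite=lax', 'ab=1; SameSite=Always'] } },
  { url: 'https://example.test/widget', headers: { 'set-cookie': ['wid=42; Path=/; SameSite=None'] } },
  { url: 'https://example.test/static/app.js', headers: {} },
];

console.log(auditResponses(sampleResponses));
```

On the sample data the report lists three findings: the session cookie from /login with no SameSite attribute, the ab cookie from / with the unrecognised value Always, and the wid cookie from /widget that uses None without Secure. The theme cookie passes because attribute values are matched case-insensitively.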
Would you like to test your application now against this problem? Sign up for our free trial