Cookie anti-CSRF flag without SameSite flag

OWASP 2013-A5 OWASP 2017-A6 OWASP 2021-A5 OWASP 2019-API7 PCI v3.2-6.5.9 OWASP PC-C1 CAPEC-62 CWE-352 HIPAA-164.306(a) ISO27001-A.14.2.5 WASC-9

Cookies are used to manage state, handle logins, or track users for advertising purposes, and they should be kept safe. The steps involved in setting a cookie are:

  1. The server asks your browser to set a cookie.
  2. It gives the cookie a name, a value and other parameters (attributes).
  3. The browser stores the data on disk or in memory, depending on the cookie type.

An anti-CSRF cookie set without the SameSite attribute is attached by the browser to every request for the site, regardless of which site initiated that request, so an attacker can easily make use of it with a few scripts: the attacker tricks a victim into sending a valid request that carries the cookie, and the server, which is not validating the origin of the request, cannot tell that it came from the attacker rather than from its own pages. Using the SameSite cookie attribute, a developer can instruct all browsers accessing the website whether the cookie may be sent along with cross-site requests.

Impact

Using this vulnerability, an attacker can:

  • redirect the user to a malicious site to steal information/data.
  • show the user false data, which in turn affects the credibility of the website.

Mitigation / Precaution

Beagle recommends setting the SameSite flag to Lax, or to Strict for maximum security.

The ‘Strict’ value prevents the browser from sending the cookie to the target site in all cross-site browsing contexts, including top-level navigations such as following a link from another site.

        Set-Cookie: CookieName=CookieValue; SameSite=Strict;

The default ‘Lax’ value provides a reasonable balance between security and usability: the cookie is withheld from cross-site requests except top-level GET navigations. This setting is used by applications that maintain a user’s logged-in session.

        Set-Cookie: CookieName=CookieValue; SameSite=Lax;
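The following Python model is an added illustration, not Beagle's scanner code or the browser's implementation. It parses Set-Cookie header values, flags the ones that omit SameSite (the finding described on this page), and reproduces the browser's decision for Strict, Lax and None so you can see exactly which cross-site requests still carry the cookie. The sample headers and the helper names (`parse_set_cookie`, `cookies_missing_samesite`, `browser_sends_cookie`) are constructed for this example; the rules encoded follow the SameSite semantics summarised above, and the "absent means sent everywhere" branch models browsers that do not yet apply a Lax default.

```python
"""Model of SameSite behaviour plus a check for Set-Cookie headers that omit it.

Added example (not Beagle's code). Browser rules follow the SameSite semantics
of RFC 6265bis: Strict / Lax / None. An absent attribute is modelled as the
legacy behaviour (cookie sent on every request), which is what makes a missing
SameSite on an anti-CSRF cookie a finding.
"""

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    samesite: Optional[str]   # "Strict", "Lax", "None", or None when the attribute is absent
    secure: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value ("name=value; Attr; Attr=val") into a Cookie."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    samesite = None
    secure = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite = val.strip().capitalize()   # normalise to Strict / Lax / None
        elif key == "secure":
            secure = True
    return Cookie(name.strip(), value.strip(), samesite, secure)


def cookies_missing_samesite(headers: List[str]) -> List[str]:
    """Names of cookies in the given Set-Cookie headers that carry no SameSite attribute."""
    return [c.name for c in map(parse_set_cookie, headers) if c.samesite is None]


def browser_sends_cookie(cookie: Cookie, cross_site: bool, method: str,
                         top_level_navigation: bool) -> bool:
    """Decide whether a browser attaches `cookie` to a request.

    cross_site: the request was initiated by a different site than the cookie's.
    method: HTTP method of the request.
    top_level_navigation: the request is a top-level navigation (address bar
        or a clicked link), as opposed to a subresource fetch, XHR, or a form
        submitted from within another site's page.
    """
    if not cross_site:
        return True                       # same-site requests always get the cookie
    if cookie.samesite is None:
        return True                       # legacy behaviour: no restriction at all
    if cookie.samesite == "Strict":
        return False                      # never sent cross-site
    if cookie.samesite == "Lax":
        return method.upper() == "GET" and top_level_navigation
    # SameSite=None: sent cross-site, but browsers require Secure as well
    return cookie.secure


if __name__ == "__main__":
    # Constructed sample response headers for a quick demonstration.
    sample_headers = [
        "csrf_token=abc123; Path=/",                    # vulnerable: no SameSite
        "session=xyz789; SameSite=Lax; Secure; HttpOnly",
    ]
    print("cookies without SameSite:", cookies_missing_samesite(sample_headers))
    token = parse_set_cookie(sample_headers[0])
    print("cross-site POST carries unprotected token:",
          browser_sends_cookie(token, cross_site=True, method="POST",
                               top_level_navigation=False))
```

Running the block shows the unprotected `csrf_token` is still attached to a cross-site POST, whereas the same cookie with `SameSite=Lax` is withheld from that POST and `SameSite=Strict` is withheld from every cross-site request, including link clicks.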