Cookies SameSite flag invalid

Cookies are used to manage state, handle logins, or track you for advertising purposes, and they should be kept safe. The steps involved in setting a cookie are:

  1. The server asks your browser to set a cookie.
  2. It gives a name, a value and other parameters.
  3. The browser stores the data on disk or in memory, depending on the cookie type.

SameSite prevents a browser from causing cross-site scripting attacks. The main goal of this flag is to reduce the chance of cross-origin information leakage to zero. It also provides some protection against attacks such as cross-site request forgery (CSRF).

The goals of the SameSite flag are to prevent:

  • cross-origin timing attacks
  • cross-origin script inclusion
  • CSRF

and to provide limited privacy protection.

The possible values for this flag are lax or strict.

Using this vulnerability, an attacker can:

  • redirect the user to a malicious site to steal information/data.
  • show user false data which will, in turn, affect the credibility of the website.

Mitigation / Precaution

Beagle recommends setting the flag to lax or strict for maximum security. The ‘strict’ value prevents the browser from sending the cookie to the target site in all cross-site browsing contexts. The default ‘lax’ value provides a proper balance between security and usability for websites. This flag is used by applications that maintain a user’s logged-in session.
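As an added example (not part of the original article or Beagle's own tooling), the script below ties together the cookie-setting steps listed earlier and the mitigation above: it parses Set-Cookie headers into their name, value and attributes, reports whether the SameSite attribute is present and carries a valid value (Lax or Strict, matched case-insensitively; a bare `SameSite` with no value, or an unrecognised value, is reported as invalid, and `SameSite=None` is reported separately because browsers accept it but it gives no cross-site protection), and rebuilds a header with the recommended value. The sample headers and the function names `parse_set_cookie`, `check_samesite`, `harden_set_cookie` and `audit` are constructed for this example.

```python
"""Audit Set-Cookie headers for a missing or invalid SameSite attribute (example code)."""

# Values the article recommends. "None" is handled separately below.
RECOMMENDED_SAMESITE = {"lax", "strict"}

# Constructed sample headers covering the cases a scanner would report.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Strict",  # correct
    "tracking=xyz; Path=/; SameSite=Foo",                            # invalid value
    "csrftoken=tok; Path=/; SameSite",                               # attribute without a value
    "login=1; Path=/; HttpOnly",                                     # attribute missing
]


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header value into name, value and attributes.

    Attribute names are case-insensitive, so they are keyed in lower case.
    Flag attributes with no value (Secure, HttpOnly, a bare SameSite) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _sep, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def check_samesite(header: str) -> str:
    """Classify the SameSite attribute as 'ok', 'missing', 'invalid' or 'none'."""
    samesite = parse_set_cookie(header)["attrs"].get("samesite")
    if samesite is None:
        return "missing"          # browser falls back to its own default
    if samesite is True:
        return "invalid"          # "SameSite" given without "=Lax"/"=Strict"
    lowered = samesite.lower()
    if lowered == "none":
        return "none"             # accepted by browsers, but no cross-site protection
    return "ok" if lowered in RECOMMENDED_SAMESITE else "invalid"


def harden_set_cookie(header: str, mode: str = "Lax") -> str:
    """Return the header with SameSite forced to mode, keeping every other attribute."""
    if mode not in ("Lax", "Strict"):
        raise ValueError("mode must be 'Lax' or 'Strict'")
    parts = [p.strip() for p in header.split(";") if p.strip()]
    # Drop any existing SameSite attribute (valid or not) so it is not duplicated.
    kept = [p for p in parts[1:] if p.split("=", 1)[0].strip().lower() != "samesite"]
    return "; ".join([parts[0], *kept, f"SameSite={mode}"])


def audit(headers) -> dict:
    """Map each cookie name to its SameSite classification."""
    return {parse_set_cookie(h)["name"]: check_samesite(h) for h in headers}


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        result = check_samesite(h)
        print(f"{result:8} {h}")
        if result != "ok":
            print(f"{'':8} fix -> {harden_set_cookie(h)}")
```

Run it against the constructed headers and only `sessionid` passes; the other three are reported with a corrected header appended with `SameSite=Lax`. To audit a live response, feed every `Set-Cookie` header value from the response into `audit()`.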
