A few minutes ago I stumbled over an article written by a Swedish developer named Chloe, which seemed to be saying goodbye to CSRF (Cross-Site Request Forgery) attacks. For programmer newbies who don't already know what CSRF means and what it does, please indulge me while I explain a little.
According to the book "Flask Web Development" by Miguel Grinberg, a CSRF is an attack that occurs when a malicious website sends requests to a different website on which the victim is logged in. Because the browser attaches the victim's cookies to those requests, the malicious site can make the victim perform actions on that other website (change a setting, post content, transfer money) without the victim noticing. So in order to prevent this you need CSRF protection.
SameSite cookies to the rescue
SameSite cookies are a security mechanism proposed by Google. They are the simplest defence against CSRF attacks available, though not a complete one. At the time of writing the feature is only available in Chrome dev (51.0.2704.4); you can read more on this here.
How to implement SameSite cookies
In order to implement SameSite cookies on your website, you add the SameSite attribute to the Set-Cookie header of the cookie you want to protect (typically the session cookie). The attribute takes a value, and the draft defines two: Lax and Strict. Always set one explicitly rather than relying on how a browser treats a missing value. You can read more about them here.
SameSite syntax:
Set-Cookie: <name>=<value>; SameSite=<Strict|Lax>
Example:
Set-Cookie: session=abc123; SameSite=Lax
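As an added example (not code from the original post or from Chloe's article), here is a small JavaScript helper that emits a Set-Cookie header with the SameSite attribute and a parser that reads the attributes back, so you can check what your server actually sends. The function names and option names are my own; the accepted SameSite values are the two the draft defines.

```javascript
// Added example, not code from the original post: emit a Set-Cookie header
// carrying the SameSite attribute, and parse one back. Function and option
// names are assumptions of this example.

// Values defined by the draft the post refers to. Matching is case-insensitive,
// but the canonical spelling is always emitted.
const SAMESITE_VALUES = { strict: 'Strict', lax: 'Lax' };

function buildSetCookie(name, value, opts = {}) {
  // RFC 6265: the name is a token; the value must not contain whitespace, ";" or ","
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error(`invalid cookie name: ${name}`);
  }
  if (/[\s;,]/.test(value)) {
    throw new Error('cookie value must not contain whitespace, ";" or ","');
  }
  const parts = [`${name}=${value}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.secure) parts.push('Secure');
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.sameSite !== undefined) {
    const canonical = SAMESITE_VALUES[String(opts.sameSite).toLowerCase()];
    if (!canonical) throw new Error(`unknown SameSite value: ${opts.sameSite}`);
    parts.push(`SameSite=${canonical}`);
  }
  return parts.join('; ');
}

// Parse a Set-Cookie header into { name, value, attributes }. Attribute names
// are lower-cased; flag attributes such as Secure and HttpOnly map to true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) throw new Error('malformed cookie-pair');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    if (attr === '') continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Usage in a plain Node http handler, where `res` is an http.ServerResponse:
//   res.setHeader('Set-Cookie',
//     buildSetCookie('session', token, { sameSite: 'Lax', secure: true, httpOnly: true }));
console.log(buildSetCookie('session', 'abc123', { sameSite: 'Lax', secure: true, httpOnly: true }));
```

Secure and HttpOnly are included in the usage line because a session cookie should carry them regardless of SameSite; the helper rejects unknown SameSite values so a typo does not silently ship a cookie without the protection you think it has.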
More about Strict attribute value
According to the example given by Chloe:
If a user clicks (GET) a link on reddit.com that leads to facebook.com, and facebook.com sets its session cookie with SameSite=Strict, the user arrives at facebook.com logged out, because the browser will not attach facebook.com's cookies to any request that originates from another site, not even a top-level navigation. (The next click inside facebook.com is a same-site request, so the cookie is sent again and the user is logged in from then on.) This is less user-friendly, because Strict withholds the cookie even on a plain GET, but that is exactly what the name implies: it strictly blocks every cross-site request from carrying the cookie.
More about Lax attribute value
Lax, which you can read as "relaxed", is the answer to the above problem. A Lax cookie is still sent on a cross-site top-level navigation that uses a safe method such as GET, but it is withheld from cross-site requests that use state-changing methods such as POST, and from cross-site subresource requests (images, iframes, XHR). Chloe's examples give a better understanding of this:
Example 1:
If a user clicks (GET) a link on reddit.com that leads to facebook.com, and facebook.com uses SameSite=Lax cookies, the user will be logged in on facebook.com, because the browser does attach the cookie to a top-level GET navigation from another site.
Example 2:
If a user submits (POST) a form on reddit.com whose target is facebook.com, and facebook.com uses SameSite=Lax cookies, the browser will not attach the cookie, so the forged request arrives at facebook.com without the victim's session.
<BEWARE>
Lax is the reason the SameSite mechanism is not a complete defence: because the cookie is still sent on cross-site top-level GET navigations, any endpoint that changes state in response to a GET (a logout link, a "delete" link, an unsubscribe URL) can still be forged simply by linking to it. Keep state changes on POST, keep your existing CSRF protection (tokens) in place and treat SameSite as defence in depth, and use Lax with caution.
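To make the Strict/Lax rules above and the Lax caveat concrete, here is an added example (not code from the original post or from the draft) that models the rule a browser applies when deciding whether to attach a cookie, and runs it over the reddit.com to facebook.com scenarios plus the GET-based state change that Lax does not cover. The host-to-site mapping is simplified to the last two DNS labels (an assumption of this example; real browsers use the Public Suffix List), and the function names are my own.

```javascript
// Added example, not code from the original post or the draft: a model of the
// browser's "should this cookie be attached?" decision, exercised on constructed
// scenarios. Site comparison is simplified to the last two DNS labels.

// HTTP methods the draft treats as "safe": Lax cookies ride along on these only
// when the request is a top-level navigation (a link click, a redirect).
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

function site(host) {
  // Assumption: registrable domain == last two labels (no Public Suffix List here)
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// cookie:  { name, sameSite?: 'Strict' | 'Lax' }
// request: { initiator: host of the page that caused the request,
//            target: host the request is sent to,
//            method, topLevel: true for navigations, false for subresources/XHR }
function cookieIsSent(cookie, request) {
  const crossSite = site(request.initiator) !== site(request.target);
  if (!crossSite) return true;                       // same-site: always attached
  switch (cookie.sameSite) {
    case 'Strict':
      return false;                                  // never on a cross-site request
    case 'Lax':
      return request.topLevel && SAFE_METHODS.has(request.method.toUpperCase());
    default:
      return true;                                   // no attribute: classic behaviour, CSRF works
  }
}

// Constructed scenarios: the two from the post, plus the subresource case and
// the state-changing GET that Lax still lets through.
const SCENARIOS = [
  { label: 'link click on reddit.com to facebook.com',
    request: { initiator: 'www.reddit.com', target: 'www.facebook.com', method: 'GET', topLevel: true } },
  { label: 'form on reddit.com POSTed to facebook.com',
    request: { initiator: 'www.reddit.com', target: 'www.facebook.com', method: 'POST', topLevel: true } },
  { label: '<img src="https://www.facebook.com/unfriend?id=42"> embedded on reddit.com',
    request: { initiator: 'www.reddit.com', target: 'www.facebook.com', method: 'GET', topLevel: false } },
  { label: 'link on reddit.com to https://www.facebook.com/unfriend?id=42 (state change via GET)',
    request: { initiator: 'www.reddit.com', target: 'www.facebook.com', method: 'GET', topLevel: true } },
];

function runScenarios() {
  return SCENARIOS.map(({ label, request }) => ({
    label,
    none:   cookieIsSent({ name: 'session' }, request),
    lax:    cookieIsSent({ name: 'session', sameSite: 'Lax' }, request),
    strict: cookieIsSent({ name: 'session', sameSite: 'Strict' }, request),
  }));
}

for (const r of runScenarios()) {
  console.log(`${r.label}\n  no attribute: ${r.none}  Lax: ${r.lax}  Strict: ${r.strict}`);
}
```

The last scenario is the one to look at: with Lax the session cookie is attached to a cross-site link that performs a state change, so the "unfriend" action can still be forged by tricking the user into clicking. That is why state-changing endpoints should require POST (where Lax withholds the cookie) and still carry a CSRF token.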
For more details, go and read the draft.