<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
		<id>https://wiki.owasp.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Ayesh</id>
		<title>OWASP - User contributions [en]</title>
		<link rel="self" type="application/atom+xml" href="https://wiki.owasp.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Ayesh"/>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php/Special:Contributions/Ayesh"/>
		<updated>2026-04-12T07:23:05Z</updated>
		<subtitle>User contributions</subtitle>
		<generator>MediaWiki 1.27.2</generator>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=SameSite&amp;diff=246074</id>
		<title>SameSite</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=SameSite&amp;diff=246074"/>
				<updated>2018-12-14T20:46:25Z</updated>
		
		<summary type="html">&lt;p&gt;Ayesh: Added information for PHP 7.3 new SameSite cookie support with a link to the official PHP.net page and my own article with more examples.&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Overview ==&lt;br /&gt;
&lt;br /&gt;
SameSite prevents the browser from sending this cookie along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage. It also provides some protection against cross-site request forgery attacks. Possible values for the flag are &amp;lt;code&amp;gt;lax&amp;lt;/code&amp;gt; or &amp;lt;code&amp;gt;strict&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
The &amp;lt;code&amp;gt;strict&amp;lt;/code&amp;gt; value will prevent the cookie from being sent by the browser to the target site in all cross-site browsing contexts, even when following a regular link. For example, for a GitHub-like website this would mean that if a logged-in user follows a link to a private GitHub project posted on a corporate discussion forum or in an email, GitHub will '''not''' receive the session cookie and the user will not be able to access the project.&lt;br /&gt;
&lt;br /&gt;
A bank website, however, most likely doesn't want to allow any transactional pages to be linked from external sites, so the &amp;lt;code&amp;gt;strict&amp;lt;/code&amp;gt; flag would be most appropriate there.&lt;br /&gt;
&lt;br /&gt;
The default &amp;lt;code&amp;gt;lax&amp;lt;/code&amp;gt; value provides a reasonable balance between security and usability for websites that want to maintain a user's logged-in session after the user arrives from an external link. In the above GitHub scenario, the session cookie would be allowed when following a regular link from an external website, while being blocked for CSRF-prone request methods (e.g. &amp;lt;code&amp;gt;POST&amp;lt;/code&amp;gt;).&lt;br /&gt;
&lt;br /&gt;
As of November 2017 the SameSite attribute is implemented in Chrome, Firefox, and Opera.&lt;br /&gt;
&lt;br /&gt;
[http://php.net/manual/en/function.setcookie.php PHP 7.3] has support for SameSite cookies for [https://ayesh.me/PHP-Samesite-cookies custom cookies and session cookies]. &lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&lt;br /&gt;
* https://tools.ietf.org/html/draft-west-first-party-cookies-07&lt;br /&gt;
* https://caniuse.com/#search=samesite&lt;br /&gt;
* http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/&lt;/div&gt;</summary>
		<author><name>Ayesh</name></author>	</entry>

	</feed>