SameSite Cookie attribute?

Ivan Bütler
Dec 5, 2017 · 6 min read

December 4th, 2017, Updated April 1st, 2019 (fixing demo page)

Introduction

Example with SameSite:
Set-Cookie: jsessionid=oIZEL75SLnw; HttpOnly; Secure; SameSite=Strict

If not, read this brief intro and follow the quick-and-dirty demo. Run the demo with Firefox and Chrome, or your other preferred browser, and compare the results; use the browser's developer tools to observe the requests and which cookies are attached to them.

Definition by OWASP

Example Use-Case

Before SameSite, an authenticated victim who opened the prepared XSRF page would execute the transaction. This is because the browser holds a session cookie for the e-banking site and attaches it to every request to that site, including the transaction request triggered from the attacker's page. But what if the browser did not attach the session cookie? This is exactly what SameSite does: a cookie carrying the attribute is withheld from requests that originate from another site ("site" here means the registrable domain, so app.example.com and www.example.com still count as the same site). With SameSite=Strict the browser never adds the cookie to a cross-site request, not even when the user follows a link. With SameSite=Lax the browser adds the cookie only to top-level navigations that use a safe method, i.e. when the user clicks a link, but not for embedded resources such as images, iframes, scripts and XHR/fetch calls, and not for a form submitted with POST from another site. Do the demo below to see the difference between Strict and Lax.

Demo Page

(Image: demo page)

Testing with Chrome

Step 1: Visit the first demo page

(Image: Set-Cookie headers configured with Apache mod_headers)

Check that the cookies have been set in Chrome: open the built-in developer tools and look under the "Application" tab (Storage > Cookies). See the image below.

(Image: the stored cookies as shown in the Chrome developer tools)

Cookie MyBamBut without SameSite attribute (the way cookies have been set for the last 10 years)
Cookie MyBamButNone with SameSite=None
Cookie MyBamButStrict with SameSite=Strict
Cookie MyBamButLax with SameSite=Lax

For me, Chrome was accepting three of four cookies. The cookie that has SameSite set to None was rejected.

Step 2: Review the HTML code of the second demo page

(Image: HTML source of the second demo page)

As you can see, the second page contains a top-level link (an <a href>) that points to the first page and additionally loads an image via <img src> from the first page. I must admit there is no image on the first page, but this does not change how the browser behaves: the <img> request is a cross-site sub-resource request whether or not the image exists, and that is all the demo needs. It is just an extremely simple way of having something referenced from the first page.

Step 3: Visit the second demo page

Feedback by Rafał Podlipny: In the latest Chrome, cookies sent from the second site were not shown in the Network tab. Here is explained why, and how to bring it back (at one's peril).

(Image: second demo page)

As you can see in the picture above, Chrome only adds the cookie that has no SameSite attribute. The SameSite=Strict and SameSite=Lax cookies were not sent with the <img> request to the first demo page, because an image loaded from another site is a cross-site sub-resource request, and neither Strict nor Lax allows the cookie on such a request. This is what you want: the same rule withholds the cookie from hidden POST forms, iframes and scripted requests mounted from an attacker's page, which are the classic XSRF vectors.

Step 4: Follow the link in the second demo page

(Image: clicking the link on the second demo page)

In the picture below you can see which cookies have been sent to the first demo page when clicking on a top-level URL.

(Image: cookies sent to the first demo page after the top-level navigation)

Chrome added MyBamButLax to the request to the first demo page, because following a link is a top-level navigation with GET. MyBamButStrict was never sent to the first demo page. SameSite=Strict therefore withholds the cookie from every cross-site request, while Lax still stops the classic XSRF vectors (cross-site POST forms, images, iframes, XHR) but lets the cookie through on a plain link click. A state-changing endpoint that is reachable with a GET request is thus not protected by Lax; keep such actions on POST, or use Strict for the cookie that guards them.
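To make the four-cookie demo above and the Strict/Lax rule from the use-case section concrete, here is an added example that is not part of the original post: a small Node.js model of the decision a browser makes when attaching cookies to a request. It parses Set-Cookie headers like the ones the demo sets, computes the "site" of a host from a tiny hard-coded public-suffix list (an assumption; real browsers use the full list), and reports which cookies would accompany a cross-site image load, a link click, a cross-site POST form and a same-site sub-domain request. The host names www.first-demo.com, www.second-demo.org and app.first-demo.com are assumptions, as are the cookie values. The two options model later Chrome defaults (missing attribute treated as Lax, SameSite=None requires Secure) and are off by default so that the plain model matches the behaviour shown in the demo.

```javascript
// Added example, not code from the original post: a model of the decision a
// browser makes when attaching cookies to a request under the SameSite rules.
// The public-suffix list and all host names are assumptions for illustration.

const PUBLIC_SUFFIXES = new Set(['com', 'org', 'ch']); // stand-in for the real list
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// "Site" means the registrable domain (eTLD+1), e.g. app.bank.ch -> bank.ch.
// SameSite compares sites, not origins, so sub-domains of one site are same-site.
function siteOf(host) {
  const labels = host.toLowerCase().split('.');
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) {
      return labels.slice(i - 1).join('.');
    }
  }
  return labels.join('.');
}

// Parse one Set-Cookie header value. sameSite becomes 'strict', 'lax', 'none',
// or null when the attribute is absent. Path/Domain/Max-Age are ignored here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   secure: false, httpOnly: false, sameSite: null };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=').map((s) => s.trim());
    if (key.toLowerCase() === 'secure') cookie.secure = true;
    else if (key.toLowerCase() === 'httponly') cookie.httpOnly = true;
    else if (key.toLowerCase() === 'samesite') cookie.sameSite = val.toLowerCase();
  }
  return cookie;
}

// Build the jar from Set-Cookie headers. With noneRequiresSecure (the Chrome 80+
// rule) a SameSite=None cookie that lacks Secure is rejected at set time.
function buildJar(setCookieHeaders, opts = {}) {
  return setCookieHeaders.map(parseSetCookie)
    .filter((c) => !(opts.noneRequiresSecure && c.sameSite === 'none' && !c.secure));
}

// Is this cookie attached to the request?
// request = { initiatorHost, targetHost, topLevel, method }
//   topLevel: true for a navigation (link click, form submit),
//             false for a sub-resource (<img>, <iframe>, <script>, XHR/fetch).
function shouldSend(cookie, request, opts = {}) {
  if (siteOf(request.initiatorHost) === siteOf(request.targetHost)) {
    return true; // same-site request: SameSite never withholds anything
  }
  let mode = cookie.sameSite;
  if (mode === null) {
    // Legacy behaviour (as in the demo): no attribute means no restriction.
    // Chrome 80+ treats a missing attribute as Lax; opt in with absentAsLax.
    mode = opts.absentAsLax ? 'lax' : 'none';
  }
  if (mode === 'strict') return false; // never on a cross-site request
  if (mode === 'lax') {
    // Only on a top-level navigation with a safe method (a GET link click);
    // not on <img>/<iframe>/fetch, and not on a POST form from another site.
    return request.topLevel && SAFE_METHODS.has(request.method.toUpperCase());
  }
  return true; // SameSite=None: attached to cross-site requests as well
}

// Names of the cookies the browser would send with the request.
function cookiesSent(jar, request, opts = {}) {
  return jar.filter((c) => shouldSend(c, request, opts)).map((c) => c.name);
}

// Constructed sample: the four cookies of the demo (names from the post,
// values made up), as set by the first demo page.
const DEMO_HEADERS = [
  'MyBamBut=1; Path=/',
  'MyBamButNone=1; Path=/; SameSite=None',
  'MyBamButStrict=1; Path=/; SameSite=Strict',
  'MyBamButLax=1; Path=/; SameSite=Lax',
];

// Assumed host names: the two demo pages live on two different sites.
const FIRST = 'www.first-demo.com';
const SECOND = 'www.second-demo.org';
const IMG_FROM_SECOND = { initiatorHost: SECOND, targetHost: FIRST, topLevel: false, method: 'GET' };
const LINK_FROM_SECOND = { initiatorHost: SECOND, targetHost: FIRST, topLevel: true, method: 'GET' };
const POST_FROM_SECOND = { initiatorHost: SECOND, targetHost: FIRST, topLevel: true, method: 'POST' };
const SAME_SITE_IMG = { initiatorHost: 'app.first-demo.com', targetHost: FIRST, topLevel: false, method: 'GET' };

const demoJar = buildJar(DEMO_HEADERS);
for (const [label, req] of Object.entries({ IMG_FROM_SECOND, LINK_FROM_SECOND, POST_FROM_SECOND, SAME_SITE_IMG })) {
  console.log(label.padEnd(17), '->', cookiesSent(demoJar, req).join(', ') || '(none)');
}
```

Run it with node; the image request from the second site gets only MyBamBut and MyBamButNone, the link click additionally gets MyBamButLax, the POST form again gets only the first two, and the request from app.first-demo.com gets all four. Passing { absentAsLax: true } to cookiesSent shows why Chrome's later "Lax by default" change broke cross-site image and POST flows that relied on attribute-less cookies. The model deliberately leaves out Path, Domain, expiry and Chrome's temporary "Lax + POST" exception for freshly set cookies; it is a reasoning aid, not a cookie jar implementation.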

Conclusion

But keep the drawbacks in mind. If your company wiki links to your SAP portal, your social media platform or other company websites, SameSite=Strict would probably not be accepted by your user base: every link followed from the wiki arrives without the session cookie, so the target site treats the user as logged out, and users complain that they must re-authenticate whenever they use a wiki link. A common compromise is to set the session cookie to Lax and to guard sensitive actions with a second cookie set to Strict that is only checked for those actions.

Furthermore, the SameSite attribute was not yet implemented in all major browser versions when this article was first written: as of November 2017 it was supported by Chrome (since version 51) and Opera, while Firefox added it in version 60 (May 2018) and Safari in version 12 (2018). Check the current browser support tables, and do not rely on SameSite as the only XSRF defense; keep the classic anti-XSRF token as well.

Thank You

Regards, Ivan Bütler
CEO Compass Security
www.compass-security.com

Acknowledgement

Unfortunately Chrome since v. 65 no longer supports setting cookies by <meta> tag… You could modify the article to warn readers about it, or rewrite the cookie setting in JavaScript (which involves additional friction for the reader to understand the topic).

That's why I changed the demo and am now using the Apache mod_headers approach for setting the cookies. This should work in Firefox, Chrome and any other browser. Thank you!

Compass Security

Swiss Ethical Hacking Stories
