SameSite Cookie Not Implemented

Cookies are typically sent to third parties in cross origin requests. This can be abused to do CSRF attacks. Recently a new cookie attribute named SameSite was proposed to disable third-party usage for some cookies, to prevent CSRF attacks.

Same-site cookies allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.

The server can set a same-site cookie by adding the SameSite=... attribute to the Set-Cookie header. There are three possible values for the SameSite attribute:

• Lax: In this mode, the cookie will only be sent with a top-level get request.

  Set-Cookie: key=value; SameSite=Lax

• Strict: In this mode, the cookie will not be sent with any cross-site usage even if the user follows a link to another website.

  Set-Cookie: key=value; SameSite=Strict

• None: In this mode, the cookie will be sent with the cross-site requests. Cookies with SameSite=None must also specify the Secure attribute to transfer them via a secure context. Setting a SameSite=None cookie without the Secure attribute will be rejected by the browsers.
  

  Set-Cookie: key=value; SameSite=None; Secure

• Understanding Cookie Poisoning Attacks
• What Is Session Hijacking: Your Quick Guide to Session Hijacking Attacks
• SameSite Cookies by Default in Chrome 76 and Above
• Introducing the Security of Cookies Whitepaper
• Cross Site Cookie Manipulation