
How to use the SameSite property of Cookie

2025-02-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains in detail how to use the SameSite attribute of a Cookie. The editor thinks it is very practical, so it is shared here for reference; I hope you get something out of it after reading.

Starting with Chrome 51, browsers support a new SameSite attribute on Cookies, intended to prevent CSRF attacks and user tracking.

What is a CSRF attack?

Cookies are often used to store a user's identity information, and a malicious website can try to forge an HTTP request that carries the correct Cookie; this is called a CSRF attack.

For example, a user logs in to the bank's website http://your-bank.com, and the bank server sets a Cookie.

Set-Cookie: id=a3fWa

The user later visits the malicious website http://malicious.com, which contains a form.

...

Once the user is tricked into submitting this form, the bank website receives a request carrying the correct Cookie. To prevent this attack, forms usually carry a random token that lets the server verify that the request is genuine.

...

A Cookie sent this way, triggered by a third-party website, is called a third-party Cookie. Besides CSRF attacks, it can also be used for user tracking.

For example, Facebook inserts an invisible image on a third-party website.

When the browser loads that image, it sends a request carrying the Facebook Cookie to Facebook, so Facebook learns who you are and which website you visited.

II. SameSite attribute

The SameSite attribute of a Cookie is used to restrict third-party Cookies, thereby reducing security risks.

It can take three values.

Strict

Lax

None

2.1 Strict

Strict is the most stringent: it completely prohibits third-party Cookies, so the Cookie is never sent on a cross-site request. In other words, the Cookie is attached only when the site of the current page matches the request target.

Set-Cookie: CookieName=CookieValue; SameSite=Strict

This rule is too strict and can lead to a poor user experience. For example, if the current page contains a link to GitHub, a user who clicks it arrives at GitHub without their GitHub Cookie and always appears logged out.

2.2 Lax

The Lax rule is slightly relaxed: in most cases the third-party Cookie is not sent, except for GET requests that navigate to the target URL.

Set-Cookie: CookieName=CookieValue; SameSite=Lax

GET requests that navigate to the target URL cover only three cases: links, prerender requests, and GET forms. See the table below for details.

Once Strict or Lax is set, CSRF attacks are largely eliminated. Of course, this assumes that the user's browser supports the SameSite attribute.

2.3 None

Chrome plans to make Lax the default setting. A site can then choose to explicitly turn off the SameSite restriction by setting the attribute to None. However, the Secure attribute must be set at the same time (the Cookie can then only be sent over HTTPS); otherwise the setting is invalid.

The following settings are not valid.

Set-Cookie: widget_session=abc123; SameSite=None

The following settings are valid.

Set-Cookie: widget_session=abc123; SameSite=None; Secure
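To make the rules above concrete, here is a small model (added for this article, not code from the original post) that parses a Set-Cookie header and decides whether a browser would attach the Cookie to a given request. It assumes Chrome's behaviour as described here: a missing SameSite attribute is treated as Lax, and SameSite=None without Secure is rejected. The scenario names and cookie values are constructed for illustration.

```python
def parse_set_cookie(header: str) -> dict:
    """Parse a Set-Cookie header value into name, value and lowercased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() or True  # flag attrs like Secure -> True
    return cookie


def effective_samesite(cookie: dict) -> str:
    """Assumption (Chrome, per the article): no attribute means Lax; None needs Secure."""
    mode = str(cookie.get("samesite", "Lax")).lower()
    if mode == "none" and not cookie.get("secure"):
        return "rejected"  # the browser drops the cookie entirely
    return mode


def cookie_sent(cookie: dict, same_site: bool, method: str,
                top_level_navigation: bool, https: bool = True) -> bool:
    """Would the browser attach this cookie to the described request?"""
    mode = effective_samesite(cookie)
    if mode == "rejected" or (cookie.get("secure") and not https):
        return False
    if same_site or mode == "none":
        return True
    if mode == "strict":
        return False  # never on a cross-site request, not even a plain link
    # Lax: only top-level navigations with a safe method (link, prerender, GET form);
    # POST forms, iframes, AJAX and <img> loads from another site get no cookie.
    return top_level_navigation and method.upper() == "GET"


def bank_scenarios() -> dict:
    """The article's cases: cross-site requests from malicious.com to your-bank.com."""
    cases = {  # name: (Set-Cookie value, request method, is top-level navigation)
        "default_post_form": ("id=a3fWa", "POST", True),
        "strict_link":       ("id=a3fWa; SameSite=Strict", "GET", True),
        "lax_link":          ("id=a3fWa; SameSite=Lax", "GET", True),
        "lax_post_form":     ("id=a3fWa; SameSite=Lax", "POST", True),
        "lax_tracking_img":  ("id=a3fWa; SameSite=Lax", "GET", False),
        "none_no_secure":    ("id=a3fWa; SameSite=None", "POST", True),
        "none_secure":       ("id=a3fWa; SameSite=None; Secure", "POST", True),
    }
    return {k: cookie_sent(parse_set_cookie(h), False, m, nav)
            for k, (h, m, nav) in cases.items()}
```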

This is the end of the article on "how to use the SameSite attribute of Cookie". I hope the content above is of some help to you and that you learned something from it; if you think the article is good, please share it so more people can see it.
