How to understand the SameSite attribute of Cookie

2025-02-25 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

This article explains the SameSite attribute of cookies: the cross-site request forgery (CSRF) problem it addresses, what each of its three values does, and the constraints on using it.

What is a CSRF attack?

Cookies are commonly used to store a user's identity, typically a session id. A malicious website can try to make the user's browser issue an HTTP request to another site that carries that site's valid cookie. This is a CSRF (cross-site request forgery) attack.

For example, a user logs in to the bank's website your-bank.com, and the bank server sets a cookie:

Set-Cookie: id=a3fWa

Later the user visits the malicious website malicious.com, which contains a form targeting the bank:

...

Once the user is tricked into submitting this form, the bank's website receives a request that carries the correct cookie, because the browser attaches cookies according to the request's destination, not the page that issued it. To prevent this, forms typically include a random token that only the genuine site can place in its own page; the server checks that token to confirm the request came from its own form.

...

Cookies that a third-party website causes the browser to send in this way are called third-party cookies. Besides CSRF attacks, they are also used for user tracking.

For example, Facebook can embed an invisible image, loaded from facebook.com, on a third-party website.

When the browser loads that image, it sends a request to Facebook carrying the user's Facebook cookie, so Facebook learns who the user is and which website they visited.

II. SameSite attribute

The SameSite attribute of a cookie restricts when the browser sends it on cross-site requests, limiting third-party cookies and thereby reducing these risks.

It can take three values:

Strict

Lax

None

2.1 Strict

Strict is the most restrictive: the cookie is never sent on a cross-site request. The browser attaches it only when the site of the current page matches the site of the request target. Note that "site" means scheme plus registrable domain (for example https and your-bank.com), which is a wider notion than origin: every subdomain of your-bank.com counts as the same site.

Set-Cookie: CookieName=CookieValue; SameSite=Strict

This rule is so strict that it can hurt the user experience. For example, if the current page contains a link to GitHub and GitHub's session cookie were Strict, clicking the link would not send that cookie, and the user would always arrive at GitHub logged out.

2.2 Lax

Lax relaxes this slightly: third-party cookies are still withheld in most cases, with the exception of GET requests that navigate to the target URL (top-level navigations).

Set-Cookie: CookieName=CookieValue; SameSite=Lax

GET requests that navigate to the target URL cover only three cases: links, prerender requests, and GET forms. See the table below.

Request type                                   | Normal       | Lax
Link (<a href="...">)                          | sends cookie | sends cookie
Prerender (<link rel="prerender" href="...">)  | sends cookie | sends cookie
GET form (<form method="GET" action="...">)    | sends cookie | sends cookie
POST form (<form method="POST" action="...">)  | sends cookie | does not send
iframe (<iframe src="...">)                    | sends cookie | does not send
AJAX ($.get("..."))                            | sends cookie | does not send
Image (<img src="...">)                        | sends cookie | does not send

Once Strict or Lax is set, CSRF attacks are largely eliminated, provided the user's browser supports the SameSite attribute. Two caveats remain: Lax still sends the cookie on top-level GET navigations, so state-changing actions must never be performed on GET; and "same site" includes every subdomain of your-bank.com, so SameSite offers no protection against an attacker who controls or compromises a subdomain. A per-request token, as above, remains good practice alongside SameSite.
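The table above can be expressed as a small decision function. The following is an added example (not from the article) in JavaScript that models which requests a browser attaches a cookie to, given the cookie's SameSite value. It assumes a toy public suffix list in place of the real Public Suffix List that browsers use, and it models a cookie with no SameSite attribute as Lax, as Chrome does. It goes slightly beyond the table by also showing the "same-site" comparison itself, which is wider than same-origin.

```javascript
// Added example (not from the article): a model of when a browser attaches a
// cookie, following the table above. "Site" is scheme + registrable domain
// (eTLD+1). Assumption: a toy public suffix list stands in for the real
// Public Suffix List that browsers consult.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk"]);

// Registrable domain: the public suffix plus the label before it.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return host.toLowerCase();
}

// Schemeful same-site: same scheme and same registrable domain. This is wider
// than same-origin: https://app.your-bank.com and https://your-bank.com are
// the same site, so a SameSite cookie gives no protection against a hostile
// subdomain. http:// and https:// versions of a host are different sites.
function isSameSite(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol &&
    registrableDomain(a.hostname) === registrableDomain(b.hostname);
}

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Does the browser attach a cookie carrying this SameSite value to a request?
// ctx.initiator: URL of the page that causes the request
// ctx.target:    URL being requested
// ctx.method:    HTTP method
// ctx.topLevel:  true when the request replaces the whole document (a clicked
//                link, a prerender, a submitted form); false for subresources
//                (img, iframe, fetch/XHR)
function cookieSent(sameSite, ctx) {
  if (isSameSite(ctx.initiator, ctx.target)) return true; // same-site: always sent
  // Assumption: unset or unrecognised values behave as Lax, as in Chrome.
  const mode = String(sameSite || "lax").toLowerCase();
  if (mode === "none") return true;   // only storable together with Secure, see 2.3
  if (mode === "strict") return false;
  return ctx.topLevel && SAFE_METHODS.has(ctx.method.toUpperCase()); // Lax
}

// Reproduce the table: a page on malicious.com causing requests to your-bank.com.
// The "Normal" column is a cookie with no SameSite restriction, modelled as None.
function crossSiteTable() {
  const request = (method, topLevel) => ({
    initiator: "https://malicious.com/",
    target: "https://your-bank.com/transfer",
    method, topLevel,
  });
  const rows = {
    link:      request("GET", true),
    prerender: request("GET", true),
    getForm:   request("GET", true),
    postForm:  request("POST", true),
    iframe:    request("GET", false),
    ajax:      request("GET", false),
    image:     request("GET", false),
  };
  const result = {};
  for (const [name, ctx] of Object.entries(rows)) {
    result[name] = {
      normal: cookieSent("None", ctx),
      lax: cookieSent("Lax", ctx),
      strict: cookieSent("Strict", ctx),
    };
  }
  return result;
}

console.table(crossSiteTable());
```

Running it prints the table's Normal and Lax columns plus a Strict column. The `isSameSite` check is where real deployments get surprised: a request from app.your-bank.com to your-bank.com is same-site, so neither Lax nor Strict withholds the cookie there.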

2.3 None

Chrome has made Lax the default: since Chrome 80, a cookie without a SameSite attribute is treated as Lax. A site can explicitly opt out by setting SameSite=None, but only if the Secure attribute is set at the same time (the cookie is then sent only over HTTPS); otherwise the browser rejects the cookie.

The following setting is invalid (the cookie is not stored):

Set-Cookie: widget_session=abc123; SameSite=None

The following setting is valid:

Set-Cookie: widget_session=abc123; SameSite=None; Secure
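As an added example (not from the article), the following JavaScript checks a Set-Cookie header the way a SameSite-aware browser does before storing it: SameSite=None without Secure is rejected, a Secure cookie delivered over plain HTTP is rejected, and a missing attribute is treated as Lax. The Lax default and the treatment of unrecognised SameSite values as Lax follow Chrome's behaviour and are assumptions of the example.

```javascript
// Added example (not from the article): how a SameSite-aware browser decides
// whether to store a Set-Cookie header. Assumption: unset or unrecognised
// SameSite values are treated as Lax (Chrome's default since version 80).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map(s => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq >= 0 ? pair.slice(0, eq) : "",
    value: eq >= 0 ? pair.slice(eq + 1) : pair,
    secure: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [rawKey, rawValue = ""] = attr.split("=");
    const key = rawKey.trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    else if (key === "samesite") cookie.sameSite = rawValue.trim().toLowerCase();
  }
  return cookie;
}

// overHttps: whether the response carrying the header arrived over HTTPS.
function evaluateSetCookie(header, overHttps) {
  const c = parseSetCookie(header);
  if (c.secure && !overHttps) {
    return { accepted: false, name: c.name, reason: "Secure cookie set over plain HTTP" };
  }
  let effective = c.sameSite;
  if (!["none", "lax", "strict"].includes(effective || "")) effective = "lax";
  if (effective === "none" && !c.secure) {
    return { accepted: false, name: c.name, reason: "SameSite=None requires Secure" };
  }
  return { accepted: true, name: c.name, effectiveSameSite: effective };
}

// The headers from the text, all delivered over HTTPS.
function demo() {
  return [
    "widget_session=abc123; SameSite=None",
    "widget_session=abc123; SameSite=None; Secure",
    "id=a3fWa",
  ].map(h => [h, evaluateSetCookie(h, true)]);
}

console.log(demo());
```

A practical consequence: an embedded widget that relied on its cookie being sent from third-party pages stops working after the Lax default unless its Set-Cookie header is changed to carry both SameSite=None and Secure, which in turn requires the widget to be served over HTTPS.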

This concludes the introduction to the SameSite attribute of cookies.
