Session Cookie without SameSite Flag

Impact: Medium

Description

The SameSite cookie flag with the right value prevents the browser from sending the cookie in cross-origin requests. It provides some protection against cross-site request forgery attacks (CSRF).

Recommendation

Set SameSite flag for the cookie.

References

OWASP: SameSite
OWASP: Session Management Cheat Sheet
CWE-1275
OWASP 2017-A5
OWASP 2021-A1

👉 You might also like:

Cookie without SameSite Flag - Vulnerability

Session Cookie without HttpOnly Flag - Vulnerability

Session Cookie without Secure Flag - Vulnerability

Cookie without HttpOnly Flag - Vulnerability

Last updated on February 15, 2021

Session Cookie without SameSite Flag

Description

Recommendation

References

Use SmartScanner Free version to test for this issue