This vulnerability occurs when a sensitive cookie (like a session cookie) is set without a SameSite attribute, or with SameSite=None without the Secure attribute. The SameSite attribute is a security measure that tells the browser whether to send a cookie with cross-site requests. Without it, or with a weak setting, the browser will send the session cookie with requests from other domains, making the application vulnerable to Cross-Site Request Forgery (CSRF).
A missing or weak SameSite attribute is a direct enabler for CSRF attacks. This can allow an attacker to perform unauthorized actions on behalf of a logged-in user, such as changing their password, making purchases, or deleting their account.
Reference Details
CWE ID:CWE-1275OWASP Top 10 (2021): A01:2021 - Broken Access Control
Severity: Medium
This is almost always a configuration-level vulnerability. All modern frameworks default to a secure setting (like Lax or Strict). The vulnerability is introduced if a developer (or an old framework version) explicitly sets this to None or disables it. The fix is to configure all sensitive cookies, especially session cookies, with SameSite=Strict.
Vulnerable Scenario 1: SameSite=None without Secure
A developer sets SameSite to None (e.g., for cross-domain API use) but forgets to also set SESSION_COOKIE_SECURE.
# settings.py# DANGEROUS: 'None' allows the cookie to be sent cross-site.# Modern browsers will block this if `SECURE` is not also True.SESSION_COOKIE_SAMESITE = 'None'SESSION_COOKIE_SECURE = False
# settings.py (Secure)# SECURE: This is the most secure setting.SESSION_COOKIE_SAMESITE = 'Strict'# Ensure this is True in productionSESSION_COOKIE_SECURE = TrueCSRF_COOKIE_SECURE = True
This is best tested with a browser’s developer tools. Log in to the application, go to the “Application” (Chrome) or “Storage” (Firefox) tab, and inspect the session cookie (sessionid). Verify that its SameSite attribute is set to Strict or Lax.
Vulnerable Scenario 1: Setting to None without Secure
A developer sets SameSite to None for a cross-site iFrame, but forgets to enable secure.
# application.properties# DANGEROUS: 'None' is set, but 'secure=true' is missing.# Browsers will reject this, or it will be insecure.server.servlet.session.cookie.same-site=Noneserver.servlet.session.cookie.secure=false
A developer explicitly sets the attribute to null to support old browsers.
# application.properties# DANGEROUS: This might disable the attribute, reverting# to insecure default browser behavior.server.servlet.session.cookie.same-site=
# application.properties (Secure)# SECURE: Explicitly set to 'Strict'server.servlet.session.cookie.same-site=Strict# Also ensure cookies are secure in productionserver.servlet.session.cookie.secure=true
A developer configures the cookie policy to be None without Secure.
// Startup.cspublic void ConfigureServices(IServiceCollection services){ services.Configure<CookiePolicyOptions>(options => { // DANGEROUS: Setting to 'None' without also // forcing cookies to be secure. options.MinimumSameSitePolicy = SameSiteMode.None; options.Secure = CookieSecurePolicy.None; });}
A developer sets a custom “remember me” cookie and forgets to set the SameSite property.
// Controllers/AccountController.cspublic void SetRememberMeCookie(string token){ Response.Cookies.Append("remember_me", token, new CookieOptions { HttpOnly = true, // DANGEROUS: 'SameSite' is not specified. // Default may be 'None' in some configurations. });}
Set the MinimumSameSitePolicy to SameSiteMode.Strict. This enforces the most secure setting for all cookies. Always set SameSite and Secure properties on custom cookies.
This is set in the options for express-session or when manually setting a cookie with res.cookie(). The default for express-sessionsameSite was not lax in older versions.
