SameSite Cookies Deep Dive / CSRF is dead (or is it?)

“CSRF is Dead (or is it?)” presented at Laracon EU 2020.

Although they’ve been around for years, SameSite cookies hadn’t gained much attention until September 2019. The Chrome team announced their plans to set ‘SameSite=Lax’ on all cookies without the SameSite attribute in Chrome 80, scheduled to release in February 2020. The rollout was delayed due to COVID-19 until July 2020, and was finally completed in August 2020. With many developers still unaware of this setting and how it works, it is still likely to catch a lot of us unawares with broken sites and weird behaviours.

In this session we will learn about the SameSite cookie attribute and why it is so important to securing your site. We’ll see why ‘Lax’ is the best default to use, and when you’d want to use ‘Strict’ and ‘None’ instead. Additionally, we will cover the edge cases and weird behaviours that can easily cause confusion and seemingly weird bugs. By the end of the session, you’ll know how to properly configure SameSite on your cookies, to ensure your site takes advantage of the security benefits without breaking expected functionality.

Presented At

Browser Tests

The browser tests discussed in the talk can be found at https://samesitetest.com/.

Manual SameSite Cookie Test
Manually test the behaviour of SameSite cookies in your browser across the different cross-site request types: GETPOST, and embedded content.

Automatic SameSite Browser Test
Automated test suite that audits the behaviour of your browser with the different SameSite options, across https and http, same-site and cross-site requests. Note, it will take a while as there is a delay of 2 minutes to properly account for SameSite=Lax+POST in Chrome.

The source code for the browser tests is on GitHub at valorin/samesite. If you have any ideas or suggestions, please feel free to submit an issue or PR.

About Cross Site Request Forgery (CSRF)

About SameSite Cookies

Timeline of Important Events

Leave a Reply

Your email address will not be published. Required fields are marked *