Samesite=Strict cookies are not included in 302 redirects when user clicks link from a different domain

  1. A customer will link to one of our webpages on their site: customer.site/links.html
  2. A person clicks that link and gets sent to our.site/webapp/handlerequest.aspx?someparam=somevalue
  3. The value of someparam is set in a cookie with SameSite=Strict, and then a 302 redirect sends the browser to another page on the same domain:

```
Request URL: https://our.site/webapp/handlerequest.aspx?someparam=somevalue
Request Method: GET
Status Code: 302 
Remote Address: ...
Referrer Policy: strict-origin-when-cross-origin

cache-control: private
content-length: ...
content-type: text/html; charset=utf-8
date: ...
location: /webapp/someotheraction
server: Microsoft-IIS/10.0
set-cookie: someparam=somevalue; expires=Thu, 17-Mar-2022 14:41:13 GMT; path=/; secure; HttpOnly; SameSite=Strict
strict-transport-security: max-age=31536000
x-frame-options: SAMEORIGIN
```

The browser does NOT include this cookie on the 302 redirect to /webapp/someotheraction.

This only started happening when we specifically changed our code to set this cookie to SameSite=Strict.

This occurs in Chrome, Firefox, Edge, and IE (old IE).

Is this on purpose? Why? Since we are going from one request on the domain to another request in the same domain, shouldn't the SameSite=Strict cookies be included? Does this have anything to do with the referrer policy defaulting to strict-origin-when-cross-origin? https://www.w3.org/TR/referrer-policy/ doesn't say anything about cookies.

scott.korin asked Sep 19 '25 04:09

1 Answer

This is a cross-site request because the initial navigation was cross-site (from customer.site to our.site). Strict cookies are never sent on cross-site requests. It doesn't matter that the request gets redirected (in this case, to another URL on our.site), just the fact that the user clicked on a cross-site link means the request is cross-site.

As for why this is the case, it's because the origin responsible for initiating the navigation is important in preventing cross-site request forgery (CSRF). Imagine if https://evil.site had a link to https://bank.site/transfer-funds which redirects to https://bank.site/transact. We wouldn't want Strict cookies to be sent to the /transact endpoint after the redirect, even if it was redirected to by the same site, because the initiating origin is cross-site.

chlily answered Sep 23 '25 07:09
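The rule in the answer, that the page where the user clicked decides whether a navigation is same-site, regardless of how many same-domain redirects follow, can be checked with a small model of the browser's decision. The following Python is an added illustration written for this page; it is not browser code and not the asker's application. It simplifies in two labelled places: the registrable domain is taken as the last two host labels (a real browser consults the Public Suffix List), and a navigation counts as same-site only when the initiator and every URL in the redirect chain share one site. The URLs are the ones from the question and the answer; the hypothetical `https://our.site/home` initiator is added to show the same-site case.

```python
"""Simplified model of how a browser decides whether a SameSite cookie is
attached to the final request of a top-level navigation that goes through a
redirect chain. Added example for this Q&A page, not browser or project code."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Methods that a SameSite=Lax cookie accompanies on a cross-site top-level navigation.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    samesite: str = "Lax"   # "Strict", "Lax" or "None"
    secure: bool = False


def site_of(url: str) -> tuple[str, str]:
    """Return the schemeful site (scheme, registrable domain) of a URL.

    Simplification: the registrable domain is the last two host labels.
    A real browser derives it from the Public Suffix List.
    """
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    return parts.scheme, ".".join(labels[-2:])


def navigation_is_same_site(initiator_url: str, redirect_chain: list[str]) -> bool:
    """A top-level navigation is same-site only when the page that initiated it
    (where the user clicked) and every URL reached by redirect share one site.
    The intermediate 302 hops do not reset this: the initiator still counts."""
    return len({site_of(u) for u in [initiator_url, *redirect_chain]}) == 1


def cookie_is_sent(cookie: Cookie, initiator_url: str,
                   redirect_chain: list[str], method: str = "GET") -> bool:
    """Decide whether `cookie` is attached to the last request in the chain."""
    final_url = redirect_chain[-1]
    if cookie.secure and urlsplit(final_url).scheme != "https":
        return False                      # Secure cookies never travel over http
    same_site = navigation_is_same_site(initiator_url, redirect_chain)
    if cookie.samesite == "Strict":
        return same_site                  # never on a cross-site-initiated navigation
    if cookie.samesite == "Lax":
        # Cross-site only for top-level navigations using a safe method.
        return same_site or method in SAFE_METHODS
    if cookie.samesite == "None":
        return cookie.secure              # None is honoured only on Secure cookies
    raise ValueError(f"unknown SameSite value: {cookie.samesite!r}")


# Constructed scenario mirroring the question: click on customer.site, land on
# handlerequest.aspx, get 302-redirected to someotheraction on the same domain.
CUSTOMER_LINK = "https://customer.site/links.html"
OUR_CHAIN = [
    "https://our.site/webapp/handlerequest.aspx?someparam=somevalue",
    "https://our.site/webapp/someotheraction",
]
STRICT_COOKIE = Cookie("someparam", "somevalue", samesite="Strict", secure=True)
LAX_COOKIE = Cookie("someparam", "somevalue", samesite="Lax", secure=True)


def question_scenario() -> dict[str, bool]:
    """Evaluate the question's chain for a Strict and a Lax cookie, plus a
    hypothetical same-site initiator (https://our.site/home) for contrast."""
    return {
        "strict_from_customer_site": cookie_is_sent(STRICT_COOKIE, CUSTOMER_LINK, OUR_CHAIN),
        "lax_from_customer_site": cookie_is_sent(LAX_COOKIE, CUSTOMER_LINK, OUR_CHAIN),
        "strict_from_our_site": cookie_is_sent(STRICT_COOKIE, "https://our.site/home", OUR_CHAIN),
    }


def bank_scenario() -> bool:
    """The answer's CSRF illustration: evil.site links to bank.site, which
    redirects within bank.site. A Strict cookie must not reach /transact."""
    chain = ["https://bank.site/transfer-funds", "https://bank.site/transact"]
    return cookie_is_sent(Cookie("session", "x", samesite="Strict", secure=True),
                          "https://evil.site/", chain)


if __name__ == "__main__":
    for name, sent in question_scenario().items():
        print(f"{name}: {'sent' if sent else 'NOT sent'}")
    print(f"bank_scenario strict cookie reaches /transact: {bank_scenario()}")
```

Running it reproduces what the asker observed: the Strict cookie is not sent on the redirected request when the navigation started on customer.site, the same cookie with SameSite=Lax would be sent on that top-level GET, and the Strict cookie is sent when the navigation started on our.site. The practical consequence for the asker's design is that a value that must survive an inbound link from a partner site cannot live in a Strict cookie; Lax is the usual choice for such entry points.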