Preventing CSRF with the same-site cookie attribute

I was surfing the web and found the article Preventing CSRF with the same-site cookie attribute.

As the link says, we need to add the Set-Cookie header.

Set-Cookie: key=value; HttpOnly; SameSite=strict

Now my question is: I want to set this on all cookies in my ASP.NET site, including the authentication cookie. I tried to set this using a header from IIS, but someone says this is the wrong way to implement it.

I have also tried the below.

HttpCookie newAuthenticationCookie = new HttpCookie(FormsAuthentication.FormsCookieName,
    FormsAuthentication.Encrypt(newAuthenticationTicket))
{
    HttpOnly = true
};
newAuthenticationCookie.Values.Add("SameSite", "strict");

But it seems this is not helping me.

Please suggest a better way to do this.

Thanks.

asked Aug 15 '16 12:08 by imlim

2 Answers

After a deep review of the HttpCookie source it's confirmed that we cannot do this in code, as there is no way to add an extra attribute to a cookie and the class is marked as sealed.

But still I managed a solution by modifying web.config as below.

<rewrite>
  <outboundRules>
    <rule name="Add SameSite" preCondition="No SameSite">
      <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
      <action type="Rewrite" value="{R:0}; SameSite=strict" />
      <conditions>
      </conditions>
    </rule>
    <preConditions>
      <preCondition name="No SameSite">
        <add input="{RESPONSE_Set_Cookie}" pattern="." />
        <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=strict" negate="true" />
      </preCondition>
    </preConditions>
  </outboundRules>
</rewrite>

This adds SameSite=strict to each Set-Cookie.

answered Sep 23 '22 01:09 by imlim

You can also set this in code when creating a cookie:

var httpCookie = new HttpCookie("mycookie", "myvalue");
httpCookie.Path += ";SameSite=Strict";
Response.SetCookie(httpCookie);

This will give you the following header:

Set-Cookie:mycookie=myvalue; path=/;SameSite=Strict 

A bit of a hack until it's pushed into the framework.

answered Sep 24 '22 01:09 by Kevin Smith

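Whichever of the two answers above you apply (the web.config outbound rule or the Path hack), the thing to verify is what the server actually sends. The following Python script is an added example, not code from either answer or from ASP.NET: it parses raw Set-Cookie header values (as copied from browser devtools or curl) and flags cookies that are missing SameSite, HttpOnly or Secure, carry an invalid SameSite value, use SameSite=None without Secure, or got SameSite appended twice. The sample headers are constructed here to mirror the cases on this page; the .ASPXAUTH value is a placeholder.

```python
"""Audit Set-Cookie headers for the SameSite, HttpOnly and Secure attributes.

Added example: paste the Set-Cookie lines a response actually returned
into SAMPLE_HEADERS, or call audit_headers() with them, to confirm that a
fix really took effect on every cookie, including the forms auth cookie.
"""
from typing import Dict, List, NamedTuple, Optional, Tuple

VALID_SAMESITE = {"strict", "lax", "none"}


class CookieReport(NamedTuple):
    name: str
    samesite: Optional[str]  # value as sent, or None when the attribute is absent
    problems: List[str]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased so 'path', 'Path' and 'PATH' compare equal;
    a leading 'Set-Cookie:' prefix (as copied from a tool) is tolerated.
    """
    text = header.strip()
    if text.lower().startswith("set-cookie:"):
        text = text[len("set-cookie:"):].strip()
    parts = [part.strip() for part in text.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, attr_value = part.partition("=")
        attrs[key.strip().lower()] = attr_value.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header: str) -> CookieReport:
    """Report what a CSRF-conscious reviewer would flag on one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    problems: List[str] = []
    samesite = attrs.get("samesite")
    if samesite is None:
        problems.append("missing SameSite")
    elif samesite.lower() not in VALID_SAMESITE:
        problems.append("invalid SameSite value %r" % samesite)
    elif samesite.lower() == "none" and "secure" not in attrs:
        # Browsers reject SameSite=None cookies that are not also Secure.
        problems.append("SameSite=None without Secure")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly")
    if "secure" not in attrs:
        problems.append("missing Secure")
    # The attribute dict collapses duplicates, so look at the raw header for
    # a SameSite that was appended twice (e.g. by two different fixes).
    if header.lower().count("samesite=") > 1:
        problems.append("SameSite appears more than once")
    return CookieReport(name, samesite, problems)


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Map cookie name -> list of problems for every header in the response."""
    return {report.name: report.problems for report in map(audit_cookie, headers)}


# Constructed sample, not captured from a real server: one header per case
# discussed on this page. The .ASPXAUTH value is a placeholder.
SAMPLE_HEADERS = [
    ".ASPXAUTH=9F8E...; path=/; HttpOnly",                         # forms auth cookie, untouched
    "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=strict",  # after the outbound rule
    "Set-Cookie:mycookie=myvalue; path=/;SameSite=Strict",          # after the Path hack
    "tracker=1; path=/; SameSite=None",                             # would be dropped by browsers
]

if __name__ == "__main__":
    for cookie_name, problems in audit_headers(SAMPLE_HEADERS).items():
        print("%-20s %s" % (cookie_name, ", ".join(problems) or "ok"))
```

The duplicate check is there because the two answers do not quite agree on spelling: the rewrite rule's precondition looks for "; SameSite=strict" with a space, while the Path hack emits ";SameSite=Strict" without one, so a cookie set with the Path hack on a site that also has the outbound rule can end up with the attribute twice. Run the audit against the real response rather than assuming either fix covered every cookie.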