Overview

This vulnerability occurs when a sensitive cookie (like a session cookie) is set without a SameSite attribute, or with SameSite=None without the Secure attribute. The SameSite attribute is a security measure that tells the browser whether to send a cookie with cross-site requests. Without it, or with a weak setting, the browser will send the session cookie with requests from other domains, making the application vulnerable to Cross-Site Request Forgery (CSRF).

Business Impact

A missing or weak SameSite attribute is a direct enabler for CSRF attacks. This can allow an attacker to perform unauthorized actions on behalf of a logged-in user, such as changing their password, making purchases, or deleting their account.

Reference Details

CWE ID: CWE-1275
OWASP Top 10 (2021): A01:2021 - Broken Access Control
Severity: Medium

Framework-Specific Analysis and Remediation

This is almost always a configuration-level vulnerability. All modern frameworks default to a secure setting (like Lax or Strict). The vulnerability is introduced if a developer (or an old framework version) explicitly sets this to None or disables it. The fix is to configure all sensitive cookies, especially session cookies, with SameSite=Strict.
  • Python
  • Java
  • .NET(C#)
  • PHP
  • Node.js
  • Ruby

Framework Context

This is controlled by the SESSION_COOKIE_SAMESITE setting in settings.py. Django’s default is 'Lax', which is good.

Vulnerable Scenario 1: SameSite=None without Secure

A developer sets SameSite to None (e.g., for cross-domain API use) but forgets to also set SESSION_COOKIE_SECURE = True.
# settings.py
# DANGEROUS: 'None' allows the cookie to be sent cross-site.
# Modern browsers reject a SameSite=None cookie that is not also marked Secure,
# so SESSION_COOKIE_SECURE must be True whenever this value is used.
SESSION_COOKIE_SAMESITE = 'None'
SESSION_COOKIE_SECURE = False

Vulnerable Scenario 2: Disabling SameSite

A developer sets the value to None (the Python object, not the string) to disable the attribute. Django then omits SameSite from the cookie entirely, and the browser falls back to its own default handling for cookies without the attribute (historically, sending them on cross-site requests).
# settings.py
# DANGEROUS: This removes the SameSite attribute entirely,
# leaving the cookie open to CSRF.
SESSION_COOKIE_SAMESITE = None

Mitigation and Best Practices

For most applications, Strict is the best setting. This prevents the cookie from being sent on any cross-site request, even top-level navigation.
  • Strict: Best security.
  • Lax: Good security (default). Allows cookie on top-level GET navigation.
  • None: Requires SESSION_COOKIE_SECURE = True. Only use if you need cross-domain authenticated requests.

Secure Code Example

# settings.py (Secure)

# SECURE: This is the most secure setting.
SESSION_COOKIE_SAMESITE = 'Strict'

# Ensure this is True in production
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True

Testing Strategy

This is best tested with a browser’s developer tools. Log in to the application, go to the “Application” (Chrome) or “Storage” (Firefox) tab, and inspect the session cookie (sessionid). Verify that its SameSite attribute is set to Strict or Lax.
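To complement the browser-based check, here is an added Python example (not from the original page) that applies the two vulnerable conditions described above to raw Set-Cookie response headers, such as those copied from the browser's Network tab. The sample headers are constructed, and the cookie name sessionid is assumed to be Django's default.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample Set-Cookie headers, one per scenario discussed on this page.
SAMPLE_HEADERS: Dict[str, str] = {
    "scenario_1_none_without_secure": "sessionid=abc123; Path=/; HttpOnly; SameSite=None",
    "scenario_2_attribute_missing": "sessionid=abc123; Path=/; HttpOnly",
    "secure_configuration": "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Strict",
}

@dataclass
class CookieReport:
    name: str
    samesite: Optional[str]  # normalised to Strict / Lax / None, or None when absent
    secure: bool
    findings: List[str] = field(default_factory=list)

def parse_set_cookie(header: str) -> CookieReport:
    """Extract the cookie name plus the SameSite and Secure attributes from one Set-Cookie line."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    samesite: Optional[str] = None
    secure = False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite = value.strip().title()  # attribute values are case-insensitive
        elif key == "secure":  # flag attribute, carries no value
            secure = True
    return CookieReport(name, samesite, secure)

def audit(header: str) -> CookieReport:
    """Flag a missing SameSite attribute, or SameSite=None without Secure."""
    report = parse_set_cookie(header)
    if report.samesite is None:
        report.findings.append("SameSite attribute missing (Vulnerable Scenario 2)")
    elif report.samesite == "None" and not report.secure:
        report.findings.append("SameSite=None without Secure (Vulnerable Scenario 1)")
    elif report.samesite not in ("Strict", "Lax", "None"):
        report.findings.append(f"unrecognised SameSite value {report.samesite!r}")
    return report

def audit_all(headers: Optional[Dict[str, str]] = None) -> Dict[str, List[str]]:
    """Return the findings per labelled header; an empty list means the cookie passed."""
    headers = SAMPLE_HEADERS if headers is None else headers
    return {label: audit(header).findings for label, header in headers.items()}
```

Run audit_all() against headers captured from your own deployment; only an empty findings list for the session cookie matches the secure configuration shown above.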