OWASP Annotated Application Security Verification Standard
latest

Browse by chapter:

  • 1 Architecture, Design and Threat Modeling
  • 2 Authentication
  • 3 Session Management
    • 3.1 Fundamental Session Management Requirements
    • 3.2 Session Binding Requirements
    • 3.3 Session Logout and Timeout Requirements
    • 3.4 Cookie-based Session Management
      • 3.4.1 Cookie-based session tokens have the ‘Secure’ attribute set
      • 3.4.2 Cookie-based session tokens have the ‘HttpOnly’ attribute set
      • 3.4.3 Cookie-based session tokens utilize the ‘SameSite’ attribute
        • PHP
        • Symfony
        • Laravel
      • 3.4.4 Cookie-based session tokens provide session cookie confidentiality
      • 3.4.5 The application is published under a domain name with other applications that set or use session cookies that might override or disclose the session cookie
    • 3.5 Token-based Session Management
    • 3.6 Re-authentication from a Federation or Assertion
    • 3.7 Defenses Against Session Management Exploits
  • 4 Access Control
  • 5 Validation, Sanitization and Encoding
  • 6 Stored Cryptography
  • 7 Error Handling and Logging
  • 8 Data Protection
  • 9 Communications
  • 10 Malicious Code
  • 11 Business Logic
  • 12 Files and Resources
  • 13 API and Web Service
  • 14 Configuration
OWASP Annotated Application Security Verification Standard
  • Docs »
  • 3 Session Management »
  • 3.4 Cookie-based Session Management »
  • 3.4.3 Cookie-based session tokens utilize the ‘SameSite’ attribute

3.4.3 Cookie-based session tokens utilize the ‘SameSite’ attribute¶

Verify that cookie-based session tokens utilize the ‘SameSite’ attribute to limit exposure to cross-site request forgery attacks. (C6)

Level 1 X
Level 2 X
Level 3 X
CWE NIST
16 7.1.1

PHP¶

Since PHP 7.3 you can set the cookie_samesite_ option in the INI configuration. Set it to lax or strict

Symfony¶

The cookie_samesite configuration option should be set to either lax or strict.

Laravel¶

In config/session.php you can set the option same_site to either lax or strict

Next Previous

© Copyright 2019 Wessel van der Linden Revision 63d1bede.

Built with Sphinx using a theme provided by Read the Docs.