AnsweredAssumed Answered

SameSite Cookie Info

Question asked by Donal Scollan on Jan 15, 2020
Latest reply on Jan 20, 2020 by Sheela Sarva

We were looking to see if Qualys WAS could be used to detect what the SameSite cookie attritube is set to for a given web application. There are some checks in place today around whether cookies contain the secure attribute but I don’t see anything for SameSite


We have engaged Qualys who have opened a Feature Request on this and it would be added in as an Information Gathered check in WAS 


Has anyone else had a look at this from a WAS perspective?


If there was more interest and push from the feature request perspective we may be able to get this prioritized to be added 


Cookies default to SameSite=Lax - Chrome Platform Status 

Chromium Blog: Developers: Get Ready for New SameSite=None; Secure Cookie Settings  




A New Model for Cookie Security and Transparency

Today, if a cookie is only intended to be accessed in a first party context, the developer has the option to apply one of two settings (
SameSite=Lax or SameSite=Strict) to prevent external access. However, very few developers follow this recommended practice, leaving a large number of same-site cookies needlessly exposed to threats such as Cross-Site Request Forgery attacks.

To safeguard more websites and their users, the new secure-by-default model assumes all cookies should be protected from external access unless otherwise specified. Developers must use a new cookie setting, 
SameSite=None, to designate cookies for cross-site access. When the SameSite=None attribute is present, an additional Secure attribute must be used so cross-site cookies can only be accessed over HTTPS connections. This won’t mitigate all risks associated with cross-site access but it will provide protection against network attacks.

Beyond the immediate security benefits, the explicit declaration of cross-site cookies enables greater transparency and user choice. For example, browsers could offer users fine-grained controls to manage cookies that are only accessed by a single site separately from cookies accessed across multiple sites.

Chrome Enforcement Starting in February 2020

With Chrome 80 in February, Chrome will treat cookies that have no declared SameSite value as 
SameSite=Lax cookies. Only cookies with the SameSite=None; Secure setting will be available for external access, provided they are being accessed from secure connections. The Chrome Platform Status trackers for SameSite=None and Secure will continue to be updated with the latest launch information.

Mozilla has affirmed their support of the new cookie classification model with their 
intent to implement the SameSite=None; Secure requirements for cross-site cookies in Firefox. Microsoft recently announced plans to begin implementing the model starting as an experiment in Microsoft Edge 80.”