Why you need to care about Google’s change to the SameSite cookie attribute
By Michael Furman, Tufin Security Architect.
So what are these changes? Before the policy change:
- The SameSite cookie attribute had two settings: Strict and Lax.
- There was no default: a cookie that did not set the attribute was attached to every cross-site request, which is exactly the behaviour that makes classic CSRF possible.
After the policy change:
- The SameSite cookie attribute has a third setting: None. A cookie with SameSite=None must also carry the Secure attribute (HTTPS only); otherwise Chrome rejects the cookie outright.
- A cookie that does not set the attribute at all is now treated as SameSite=Lax.
The cases affected are cross-site requests that relied on your cookie being sent, for example the initial request reaching your application from another site's page, such as:
- HTML frames (iframes) that embed your application inside a page served by another application.
- Your application being called through a cross-site AJAX request (XMLHttpRequest or fetch).
After the change, such requests arrive without the session cookie, so they are no longer authenticated and fail.
If you discover that any of your application's functionality has stopped working, the quickest fix is to set the SameSite attribute of the affected cookie to None (together with Secure, since Chrome rejects a SameSite=None cookie without it). From a security perspective, however, I recommend converting your application to work with Lax. The move might require some additional effort on your part, but the investment will more than pay off: a Lax cookie is not attached to cross-site POSTs or to cross-site subresource requests, which removes the classic CSRF vector of a form on an attacker's page posting to your application.
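To make the rules above concrete, here is an added example that is not part of the original article: a small JavaScript model of which cookies a post-change browser attaches to a request, plus an audit that flags Set-Cookie headers that the change breaks (no SameSite attribute, or SameSite=None without Secure). The function names and the Set-Cookie samples are my own constructed illustrations; the model also deliberately ignores Chrome's temporary "Lax + POST" grace period for freshly set default-Lax cookies.

```javascript
// Added example, not code from the original article. Function names are
// hypothetical; the sample headers below are constructed for illustration.

// Parse one Set-Cookie header into the fields the SameSite rules depend on.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split('=');
  const cookie = { name: name.trim(), value: valueParts.join('='), secure: false, sameSite: null };
  for (const attr of parts.slice(1)) {
    const [k, v] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    if (key === 'samesite') cookie.sameSite = (v || '').trim().toLowerCase();
  }
  return cookie;
}

// Effective mode after the policy change: a missing attribute means Lax, and
// None is only honoured when the cookie is also Secure (otherwise rejected).
function effectiveSameSite(cookie) {
  if (cookie.sameSite === null) return 'lax';
  if (cookie.sameSite === 'none') return cookie.secure ? 'none' : 'rejected';
  return cookie.sameSite; // 'strict' or 'lax'
}

// Does the browser attach this cookie to a request in the given context?
//   ctx.crossSite: the request is initiated from another site
//   ctx.topLevel:  top-level navigation (a link), not an iframe, fetch, img...
//   ctx.method:    HTTP method of the request
// Simplification: Chrome's two-minute "Lax + POST" exception is not modelled.
function isCookieSent(cookie, ctx) {
  const mode = effectiveSameSite(cookie);
  if (mode === 'rejected') return false;   // cookie never stored
  if (!ctx.crossSite) return true;         // same-site: always sent
  switch (mode) {
    case 'none':   return true;
    case 'strict': return false;
    case 'lax':    return ctx.topLevel && ['GET', 'HEAD'].includes(ctx.method);
    default:       return false;
  }
}

// Audit a list of Set-Cookie headers for the two breakage patterns.
function auditSetCookie(headers) {
  return headers.map(parseSetCookie).map((c) => {
    const mode = effectiveSameSite(c);
    let finding = 'ok';
    if (c.sameSite === null) {
      finding = 'no SameSite attribute: now Lax, lost on cross-site iframes and AJAX';
    } else if (mode === 'rejected') {
      finding = 'SameSite=None without Secure: cookie rejected by the browser';
    }
    return { name: c.name, mode, finding };
  });
}

// Constructed sample headers, as an application might emit them.
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; HttpOnly',        // legacy cookie, no SameSite
  'partner=xyz; SameSite=None',              // None but not Secure
  'partner=xyz; SameSite=None; Secure',      // correct third-party cookie
  'csrf=ok; SameSite=Lax',                   // explicit Lax
];

// Contexts matching the cases in the article (iframe, AJAX) and a CSRF form post.
const IFRAME_OR_AJAX = { crossSite: true, topLevel: false, method: 'GET' };
const CROSS_SITE_LINK = { crossSite: true, topLevel: true, method: 'GET' };
const CSRF_FORM_POST = { crossSite: true, topLevel: true, method: 'POST' };

for (const row of auditSetCookie(SAMPLE_HEADERS)) console.log(row);
```

Running the audit prints one row per header; the legacy `session` cookie is reported as effectively Lax, so it is sent on a cross-site link but not inside an iframe, on an AJAX call, or on a cross-site form POST, which is the CSRF protection the article recommends keeping.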
You can find more technical information on the SameSite Cookie attribute and Google’s recent policy change at my personal blog: https://ultimatesecurity.pro/post/same-site-cookie/