Hello All,
I wanted to know whether SameSite=None with the Secure flag in web.config (<httpCookies requireSSL="true"/>) will prevent CSRF attacks.
In the project we are using the iframe control of ASP.NET for cross-site:
<iframe name="Iframe1" id="Iframe1" width="600" height="600" runat="server" ></iframe>
So it opens the payment gateway page, and when the user enters credentials and submits, we are not getting its response on our side. This is due to it being shown in Chrome as SameSite=Lax.
To resolve this I used the below setting.
In our project I have to add the below lines in web.config:
<httpCookies requireSSL="true"/>
<sessionState mode="InProc" cookieSameSite="None"/>
So it is working fine and we are getting the response, but I wanted to know: do the above changes open us to CSRF attacks, or prevent CSRF attacks?
Let me know your thoughts on the above.
If anyone knows other ways to handle it, please suggest.
I would recommend you open a new issue for support or guidance at https://github.com/GoogleChromeLabs/privacy-sandbox-dev-support.
thanks,
Mike
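
For the web.config change asked about above, here is an added example (not code from the thread or from Chrome) that models the browser's decision to attach the session cookie under SameSite=Lax versus SameSite=None with Secure. The site names and the `post`, `cookieSent`, `cookieAccepted` and `compare` helpers are hypothetical; `ASP.NET_SessionId` is the ASP.NET default session cookie name.

```javascript
// Simplified model of when a browser attaches a cookie (added example).
// Not modelled: third-party cookie blocking, Chrome's temporary Lax+POST
// allowance, Domain/Path matching, redirects.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Chrome rejects a SameSite=None cookie that is not also Secure.
function cookieAccepted(cookie) {
  return cookie.sameSite !== "None" || cookie.secure === true;
}

// req: { initiatorSite, targetSite, method, topLevelNavigation, https }
function cookieSent(cookie, req) {
  if (!cookieAccepted(cookie)) return false;
  if (cookie.secure && !req.https) return false; // Secure: HTTPS only
  const mode = cookie.sameSite || "Lax"; // no attribute is treated as Lax
  const crossSite = req.initiatorSite !== req.targetSite;
  if (!crossSite || mode === "None") return true;
  if (mode === "Lax") return req.topLevelNavigation && SAFE_METHODS.has(req.method);
  return false; // Strict: never on cross-site requests
}

// Constructed sites and requests (hypothetical names).
const SHOP = "shop.example", GATEWAY = "gateway.example", OTHER = "other.example";
const post = (from) => ({
  initiatorSite: from, targetSite: SHOP, method: "POST",
  topLevelNavigation: false, https: true,
});

function compare() {
  const session = (sameSite) => ({ name: "ASP.NET_SessionId", sameSite, secure: true });
  return {
    laxGatewayPostback: cookieSent(session("Lax"), post(GATEWAY)),
    noneGatewayPostback: cookieSent(session("None"), post(GATEWAY)),
    laxUnrelatedPost: cookieSent(session("Lax"), post(OTHER)),
    noneUnrelatedPost: cookieSent(session("None"), post(OTHER)),
    noneOverHttp: cookieSent(session("None"), { ...post(OTHER), https: false }),
    noneWithoutSecureStored: cookieAccepted({ sameSite: "None", secure: false }),
  };
}

console.log(compare());
```

The Secure flag only keeps the cookie off plain HTTP. With SameSite=None the session cookie accompanies cross-site POSTs from any site, so rejecting forged requests is left to a server-side check such as an anti-forgery token.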