Cookie without SameSite Attribute
ID: cookie_without_samesite_attribute
Severity: low
Kind: Session Management
CWE: 1275
Description
A cookie has been set without a proper SameSite attribute, which controls whether the browser includes the cookie in cross-site requests. The SameSite attribute is an effective counter-measure to cross-site request forgery (CSRF), cross-site script inclusion (XSSI), and timing attacks. When the attribute is missing or misconfigured, the browser may attach the cookie to requests initiated by third-party sites, undermining same-origin protections.
This detector identifies three scenarios. A cookie set with no SameSite attribute at all relies on the browser's default behavior, which varies across implementations and may permit cross-site transmission. A cookie set with SameSite=None explicitly disables same-site restrictions and allows the cookie to be sent in every cross-site request, which is equivalent to having no protection. A cookie set with an invalid or unrecognized SameSite value is ignored by the browser and treated as if the attribute were absent, again allowing cross-site transmission.
Rationale
An attacker can exploit the lack of a proper SameSite attribute by hosting a malicious page that issues cross-site requests to the target application. Because the browser attaches the cookie to these requests, the attacker can perform actions on behalf of the authenticated user without their knowledge, such as changing account settings, initiating transactions, or exfiltrating data through timing side-channels. The risk increases when the exposed cookie is a session identifier, as it enables full session hijacking and unauthorized access to protected resources.
Remediation
Set the SameSite attribute to Strict or Lax on every cookie that does not need to be sent in cross-site requests. The Strict value prevents the cookie from being included in any cross-site request, providing the strongest protection. The Lax value allows the cookie only on top-level GET navigations, which preserves usability for common linking scenarios while still blocking cross-site POST requests.
If a cookie must use SameSite=None for legitimate cross-site functionality, always pair it with the Secure flag so that the cookie is transmitted only over HTTPS. Browsers will reject a SameSite=None cookie that is not marked as Secure.
Treat the SameSite attribute as a defense-in-depth measure rather than the sole CSRF protection. Combine it with anti-CSRF tokens, Origin/Referer header validation, and the HttpOnly and Secure flags to provide layered session cookie protection.
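The following is an added example, not the detector's own implementation: a small Python checker that classifies Set-Cookie header values into the three findings described above (attribute missing, SameSite=None, invalid value) and additionally reports a SameSite=None cookie that lacks the Secure flag the remediation requires. The sample headers and the finding labels are constructed for illustration.

```python
from typing import Optional

# Values the SameSite attribute may legally carry (matched case-insensitively).
VALID_SAMESITE = {"strict", "lax", "none"}


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header value into the cookie name and its attributes.

    Attribute names are lower-cased because they are case-insensitive;
    flag attributes such as Secure and HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return {"name": name, "attrs": attrs}


def check_samesite(header: str) -> Optional[str]:
    """Return a finding label (constructed names), or None if acceptably configured."""
    attrs = parse_set_cookie(header)["attrs"]
    if "samesite" not in attrs:
        return "missing"            # browser default applies; may allow cross-site sends
    value = attrs["samesite"].lower()
    if value not in VALID_SAMESITE:
        return "invalid"            # browsers ignore it and treat it as absent
    if value == "none":
        if "secure" not in attrs:
            return "none_without_secure"  # browsers reject this combination
        return "none"               # explicit cross-site sending; needs justification
    return None                     # Strict or Lax


# Constructed sample headers exercising each case the detector describes.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "sessionid=abc123; Path=/; HttpOnly; SameSite=None",
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=None",
    "sessionid=abc123; Path=/; HttpOnly; SameSite=Lx",
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
]


def audit(headers):
    """Return (cookie name, finding) pairs for a list of Set-Cookie values."""
    return [(parse_set_cookie(h)["name"], check_samesite(h)) for h in headers]
```

Running `audit(SAMPLE_HEADERS)` yields the findings missing, none_without_secure, none, invalid and None in that order; the last header is the remediated form.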
References
- SameSite Cookies, IETF draft specification.