
KuchBhiLearning - A free website to learn and code


Cookies SameSite and Lax behavior

Cookies are widely used for authentication and identification, and in some sense they act as a gatekeeper.

For example, we create an authentication cookie, and in our other functional API calls we look for this cookie to verify that the request is valid; sometimes we also keep user information in these cookies.

While creating the cookie we usually set the following properties.

  1. CookieName

  2. Path

  3. Secure

  4. SameSite

  5. Expires

  6. Domain

Now the question is: when we navigate to our site from some other domain, we find that our domain's cookies are not in the request. This can break our application, because we expect the cookies to be present, yet they are missing from the request even though we created them.

Cookies are not attached to a request that originates from some other domain; this can be fixed by setting SameSite to Lax.

Lax allows the cookie to be sent on some cross-site requests, whereas Strict never allows the cookie to be sent on a cross-site request.

The situations in which Lax cookies can be sent cross-site must satisfy both of the following:

  1. The request must be a top-level navigation. You can think of this as equivalent to when the URL shown in the URL bar changes, e.g. a user clicking on a link to go to another site.

  2. The request method must be safe (e.g. GET or HEAD, but not POST).

For example:

Let's say a user is on site-a.com and clicks on a link to go to site-b.com. This is a cross-site request. This is a top-level navigation and is a GET request, so Lax cookies are sent to site-b.com. However, Strict cookies are not sent because it is, after all, a cross-site request.

The user is on site-a.com and there is an iframe in which site-b.com is loaded. This is a cross-site request, but it's not a top-level navigation (the user is still on site-a.com, i.e. the URL bar doesn't change when the iframe is loaded). Therefore neither Lax nor Strict cookies are sent to site-b.com.

The user is on site-a.com, which POSTs a form to site-b.com. This is a cross-site request, but the method (POST) is unsafe. It doesn't meet the criteria for Lax cookies going cross-site, so neither Lax nor Strict cookies are sent to site-b.com.

Lax

Cookies are not sent on normal cross-site subrequests (for example to load images or frames into a third party site), but are sent when a user is navigating to the origin site (i.e., when following a link).
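The following is an added example, not code from the original post: it builds a Set-Cookie header from the properties listed above and models the browser's SameSite decision for the three scenarios (link click, iframe, form POST). The scenario inputs and the cookie values are constructed; `cookieIsSent` is a simplified model of browser behavior, not a browser API.

```javascript
// Added example: a simplified model of the SameSite rules described above.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Builds a Set-Cookie header value from the properties listed in the post
// (CookieName, Path, Secure, SameSite, Expires, Domain).
function buildSetCookie({ name, value, path = "/", domain, secure = true, sameSite = "Lax", expires }) {
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (domain) parts.push(`Domain=${domain}`);
  if (expires) parts.push(`Expires=${expires.toUTCString()}`);
  if (secure) parts.push("Secure");
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join("; ");
}

// Returns true when a cookie carrying the given SameSite value is attached.
// crossSite: the request originates from another site.
// topLevel:  the URL bar changes (navigation) rather than a subrequest.
// method:    the HTTP method of the request.
function cookieIsSent(sameSite, { crossSite, topLevel, method }) {
  if (!crossSite) return true; // same-site requests always carry the cookie
  switch (sameSite) {
    case "Strict":
      return false; // never sent cross-site
    case "Lax":
      return topLevel && SAFE_METHODS.has(method.toUpperCase()); // both conditions required
    case "None":
      return true; // sent cross-site (browsers also require Secure for None)
    default:
      throw new Error(`unknown SameSite value: ${sameSite}`);
  }
}

// The three scenarios from the post, as constructed inputs.
const SCENARIOS = {
  linkClick: { crossSite: true, topLevel: true, method: "GET" },   // site-a link to site-b
  iframe:    { crossSite: true, topLevel: false, method: "GET" },  // site-b framed in site-a
  formPost:  { crossSite: true, topLevel: true, method: "POST" },  // site-a form posted to site-b
};

// Evaluates every scenario for one SameSite setting.
function evaluate(sameSite) {
  const result = {};
  for (const [label, request] of Object.entries(SCENARIOS)) {
    result[label] = cookieIsSent(sameSite, request);
  }
  return result;
}

console.log(buildSetCookie({ name: "session", value: "abc123", domain: "site-a.com" }));
console.log("Lax:", evaluate("Lax"), "Strict:", evaluate("Strict"));
```

Note that a cookie which omits the SameSite attribute entirely is treated as Lax by current Chromium-based browsers, but with a temporary exception that still allows it on top-level POSTs for a short time after it is set; an explicit SameSite=Lax does not get that exception.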


Copyright 2022, KuchBhiLearning - A free website to learn and code. All rights Reserved.
| Designed by Yaseen Shariff