Brisbane-Laravel-Meetup / meetups


Talk Proposal: SameSite Cookies (CSRF is dead?) #3

Closed. valorin closed this 1 year ago.

valorin commented 4 years ago

(Branched off from https://github.com/Brisbane-Laravel-Meetup/meetups/issues/1)

Although they’ve been around for years, SameSite cookies hadn’t gained much attention until September 2019. The Chrome team announced their plans to set ‘SameSite=Lax’ on all cookies without the SameSite attribute in Chrome 80, scheduled to release in February 2020. This rollout has since been delayed due to COVID-19, ~~however the change is still coming, and soon.~~ Chrome has enabled SameSite=Lax by default and the world hasn't imploded... yet. But that doesn't mean things haven't broken!

With many developers still unaware of this setting and how it works, it’s likely to catch a lot of us unawares with broken sites and weird behaviours. In this session we will learn about the SameSite cookie attribute and why it is so important to securing your site. We’ll see why ‘Lax’ is the best default to use, and when you’d want to use ‘Strict’ and ‘None’ instead. Additionally, we will cover the edge cases and weird behaviours that can easily cause confusion and seemingly weird bugs. By the end of the session, you’ll know how to properly configure SameSite on your cookies, to ensure your site takes advantage of the security benefits without breaking expected functionality.

I presented a similar talk at Laracon EU, focusing on why SameSite cookies may (or may not) kill CSRF attacks. Notes and video are online at: https://stephenreescarter.net/talks/csrf-is-dead/
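The proposal above describes when ‘Lax’, ‘Strict’ and ‘None’ let a cookie ride along on a request, and hints at edge cases that produce confusing bugs. The following is an added example, written for this page and not taken from the talk, the slides or the meetup repository. It models the decision a browser makes for each SameSite mode and runs a forged cross-site POST (the classic CSRF shape) against six cookie configurations. The function names (`isSameSite`, `parseCookiePolicy`, `cookieIsSent`, `csrfMatrix`), the hosts `bank.example` and `evil.example`, and the cookie headers are all constructed for the example. Two simplifications are labelled in the code: the registrable domain is approximated as the last two host labels instead of consulting the Public Suffix List, and the two-minute "Lax+POST" exception is Chrome's behaviour for cookies with no explicit SameSite attribute, not part of the attribute's specified semantics.

```javascript
// Added example (not from the talk or this repo): a model of how a browser
// decides whether to attach a cookie to a request, by SameSite mode.
// All function names and hosts here are hypothetical.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Registrable domain approximated as the last two labels. Real browsers
// consult the Public Suffix List (so "co.uk" is handled); simplification only.
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// "Schemeful same-site": same scheme AND same registrable domain.
// https://app.bank.example and https://bank.example are same-site;
// http://bank.example and https://bank.example are not.
function isSameSite(requestUrl, initiatorUrl) {
  const a = new URL(requestUrl);
  const b = new URL(initiatorUrl);
  return a.protocol === b.protocol &&
    registrableDomain(a.hostname) === registrableDomain(b.hostname);
}

// Turn a Set-Cookie header into the policy the browser stores.
// Returns null where the browser rejects the cookie outright:
// SameSite=None is only accepted together with Secure.
function parseCookiePolicy(setCookieHeader) {
  const attrs = {};
  for (const part of setCookieHeader.split(';').slice(1)) {
    const [key, value] = part.trim().split('=');
    attrs[key.toLowerCase()] = value === undefined ? true : value.toLowerCase();
  }
  const secure = attrs.secure === true;
  // Unknown or missing SameSite values count as "unspecified".
  const explicit = ['lax', 'strict', 'none'].includes(attrs.samesite);
  const sameSite = explicit ? attrs.samesite : undefined;
  if (sameSite === 'none' && !secure) return null;
  return { sameSite, secure, explicit };
}

// request: { url, initiator, method, topLevel, ageSeconds }
//   topLevel   - true for a navigation (link click, form submit, redirect),
//                false for a subresource, iframe, fetch/XHR
//   ageSeconds - how long ago the cookie was set (used by the Lax+POST rule)
function cookieIsSent(policy, request) {
  if (policy === null) return false;                // cookie was never stored
  const { url, initiator, method, topLevel } = request;
  const ageSeconds = request.ageSeconds === undefined ? Infinity : request.ageSeconds;
  if (policy.secure && new URL(url).protocol !== 'https:') return false;
  if (isSameSite(url, initiator)) return true;       // SameSite never blocks same-site

  // Chrome 80+ treats an unspecified attribute as Lax.
  const mode = policy.sameSite === undefined ? 'lax' : policy.sameSite;
  if (mode === 'none') return true;
  if (mode === 'strict') return false;
  // Lax: cross-site top-level navigations with a safe method only...
  if (!topLevel) return false;
  if (SAFE_METHODS.has(method.toUpperCase())) return true;
  // ...plus Chrome's "Lax+POST" exception: a cookie set WITHOUT an explicit
  // SameSite attribute is still sent on cross-site top-level POSTs for the
  // first two minutes after it was set. This is the edge case that makes a
  // CSRF proof of concept "work" right after login and fail later.
  return !policy.explicit && method.toUpperCase() === 'POST' && ageSeconds < 120;
}

// The classic CSRF shape: an attacker page auto-submits a form to the victim site.
// Cookie headers and hosts are constructed sample data.
function csrfMatrix() {
  const forgedPost = {
    url: 'https://bank.example/transfer',
    initiator: 'https://evil.example/',
    method: 'POST',
    topLevel: true,
  };
  const cookies = {
    'SameSite=Strict': 'session=abc; Secure; HttpOnly; SameSite=Strict',
    'SameSite=Lax': 'session=abc; Secure; HttpOnly; SameSite=Lax',
    'SameSite=None; Secure': 'session=abc; Secure; HttpOnly; SameSite=None',
    'SameSite=None (no Secure)': 'session=abc; HttpOnly; SameSite=None',
    'unspecified, set 30s ago': 'session=abc; Secure; HttpOnly',
    'unspecified, set 10min ago': 'session=abc; Secure; HttpOnly',
  };
  const ages = { 'unspecified, set 30s ago': 30, 'unspecified, set 10min ago': 600 };
  const result = {};
  for (const [label, header] of Object.entries(cookies)) {
    const request = { ...forgedPost, ageSeconds: ages[label] };
    result[label] = cookieIsSent(parseCookiePolicy(header), request);
  }
  return result;
}

console.log(csrfMatrix());
```

Running it shows the forged POST carrying the session cookie only for `SameSite=None; Secure` and for a cookie with no attribute that was set less than two minutes earlier; the `SameSite=None` cookie without `Secure` is never stored at all, which is the "my cookie just disappeared" symptom rather than a CSRF one. In a Laravel application the attribute is set through the `same_site` option in `config/session.php`; the matrix is the reason ‘lax’ is the sensible default there and ‘none’ should be reserved for cookies that genuinely must be sent from third-party contexts.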

jryd commented 1 year ago

After a long hiatus, we're restarting the Brisbane Laravel Meetup.

If you're still interested in presenting this talk at our next meetup then please let us know!

In the meantime, we'll close this proposal so that we can start from a clean slate.