Open ottenhoff opened 1 year ago
HINT: By setting the SameSite attribute to None, you are essentially telling the browser that the cookie can be sent with any request, regardless of the origin. This means that the cookie could be sent to a malicious website, which could then use it to perform a CSRF attack.
However, it is important to note that the security implications of setting the SameSite attribute to None are not as severe as they may seem. In order to successfully perform a CSRF attack, the attacker would also need to know the user's session ID. This is not always easy to obtain, and there are a number of things that you can do to protect your users from CSRF attacks, even if you set the SameSite attribute to None. Ultimately, the decision of whether or not to set the SameSite attribute to None is a trade-off between security and functionality. You need to weigh the risks and benefits of each option and decide what is best for your specific application.
> HINT: By setting the SameSite attribute to None, you are essentially telling the browser that the cookie can be sent with any request, regardless of the origin. This means that the cookie could be sent to a malicious website, which could then use it to perform a CSRF attack.
Not exactly. The cookie is only sent to the proper domain regardless of SameSite setting. The malicious website never has a chance to steal a cookie from another domain. The malicious website only has the ability to trick you into launching a request against the other domain. Using SameSite=Lax or SameSite=Strict will mean that your browser will not send the cookie with the cross-site request.
> Ultimately, the decision of whether or not to set the SameSite attribute to None is a trade-off between security and functionality. You need to weigh the risks and benefits of each option and decide what is best for your specific application.
There is no possible CSRF attack via the sticky-affinity cookie thus SameSite=None is the correct setting.
Why do you need it?
"Cookies that do not specify a SameSite attribute will be treated as if they specified SameSite=Lax, i.e. they will be restricted to first-party or same-site contexts by default." For many sticky session use cases, it is important that the routing cookie is sent to the load-balancer in all cases including when arriving from a third-party site.
How could it be done?
The SameSite=None attribute can only be added if we also add the Secure attribute. We can probably add both attributes regardless of whether we are running on HTTP or HTTPS (the browser will ignore it on HTTPS).
Other related information
Someone could argue that we should make this configurable so someone could set SameSite=Strict if they wanted to. My opinion is that a load-balancer sticky cookie should always be SameSite=None as the goal is to always direct the user to the same upstream node no matter how they arrive at the requested URI.
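To make the behaviour discussed in this thread concrete (the reply above about Lax/Strict withholding the cookie on cross-site requests, and the point that a routing cookie must survive arrival from a third-party site), here is an added Python model of the browser-side decision. It is not code from this issue or from the project: the cookie name SERVERID, the hosts app.example, partner.example and evil.example, and all helper names are assumptions made for the illustration. The model implements the rules the thread relies on: a cookie is only ever sent to the host that set it; Strict is withheld on every cross-site request; Lax is sent only on cross-site top-level navigations with a safe method; None is always sent but requires Secure.

```python
"""
Added example (not the project's code): a small model of whether a browser
attaches a load-balancer sticky cookie to a request, to show why the issue
asks for SameSite=None; Secure.  Host names, the cookie name SERVERID and the
helper names are assumptions made for this illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str      # host the cookie was set by (host-only cookie)
    secure: bool
    samesite: str    # "Strict", "Lax" or "None"


def sticky_set_cookie(name, upstream, samesite="None", secure=True):
    """Build the Set-Cookie header a load balancer emits for its routing cookie.
    Browsers reject SameSite=None without Secure, so refuse that combination."""
    if samesite not in ("Strict", "Lax", "None"):
        raise ValueError("invalid SameSite value")
    if samesite == "None" and not secure:
        raise ValueError("SameSite=None requires the Secure attribute")
    attrs = [f"{name}={upstream}", "Path=/", f"SameSite={samesite}"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


def parse_set_cookie(header, host):
    """Parse a Set-Cookie header into a Cookie owned by `host`.
    A missing SameSite attribute is treated as Lax, as modern browsers do."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    secure, samesite = False, "Lax"
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "secure":
            secure = True
        elif key.lower() == "samesite":
            samesite = val.capitalize()   # strict/lax/none -> Strict/Lax/None
    return Cookie(name, value, host, secure, samesite)


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); enough for the example hosts used here."""
    return ".".join(host.split(".")[-2:])


def browser_sends_cookie(cookie, request_url, initiator_site, top_level_navigation, method):
    """Decide whether `cookie` accompanies a request for `request_url` that was
    initiated from a page on `initiator_site`.  Returns (sent, reason)."""
    url = urlsplit(request_url)
    host = url.hostname
    # Whatever SameSite says, a cookie is only sent to the host that owns it;
    # a third-party site never receives it.
    if host != cookie.domain:
        return False, "cookie belongs to another host"
    if cookie.secure and url.scheme != "https":
        return False, "Secure cookie not sent over http"
    if registrable_domain(initiator_site) == registrable_domain(host):
        return True, "same-site request"
    if cookie.samesite == "None":
        return True, "SameSite=None: sent on cross-site requests"
    if cookie.samesite == "Lax" and top_level_navigation and method.upper() in SAFE_METHODS:
        return True, "SameSite=Lax: top-level navigation with a safe method"
    return False, f"SameSite={cookie.samesite}: withheld on cross-site request"


def routing_demo():
    """For each SameSite value, check whether the routing cookie reaches the
    load balancer when the user arrives from a third-party site."""
    host = "app.example"
    results = {}
    for samesite in ("Strict", "Lax", "None"):
        cookie = parse_set_cookie(sticky_set_cookie("SERVERID", "node2", samesite), host)
        link, _ = browser_sends_cookie(cookie, f"https://{host}/cart", "partner.example", True, "GET")
        post, _ = browser_sends_cookie(cookie, f"https://{host}/cart", "partner.example", True, "POST")
        embedded, _ = browser_sends_cookie(cookie, f"https://{host}/api", "partner.example", False, "GET")
        other, _ = browser_sends_cookie(cookie, "https://evil.example/steal", "evil.example", True, "GET")
        results[samesite] = {"link": link, "post": post, "embedded": embedded, "other_host": other}
    return results


if __name__ == "__main__":
    for samesite, outcome in routing_demo().items():
        print(f"SameSite={samesite}: {outcome}")
```

With the default (Lax) the routing cookie is dropped on a cross-site form POST and on embedded requests, so those hits can land on a different upstream; only SameSite=None carries it in every case, and in no case is it delivered to a host other than the one that set it, which is why the cookie cannot be stolen and why there is no CSRF surface in a cookie whose only content is a routing hint.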