A recent pen test of an application using this code highlighted that the CV cookie is set without specifying the SameSite property. I understand this cookie is used to connect callbacks after redirection to an authentication provider such as Okta.
SameSite prevents the browser from sending this cookie along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage. It also provides some protection against cross-site request forgery attacks. Possible values for the flag are none, lax, or strict.
The strict value will prevent the cookie from being sent by the browser to the target site in all cross-site browsing contexts, even when following a regular link.
The lax value provides a reasonable balance between security and usability for websites that want to maintain a user's logged-in session after the user arrives from an external link.
The none value won’t give any kind of protection. The browser attaches the cookies in all cross-site browsing contexts.
Proposed remediation
Enable the SameSite attribute in strict mode for the CV cookie to mitigate the risk of cross-site request forgery attacks.
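As an added example (not code from the project this issue is about), here is a Go sketch of the callback cookie with the SameSite attribute set, together with a small model of the browser rule the report describes, evaluated for the one request that matters in this flow: the top-level GET redirect back from the identity provider. The cookie name "cv", the field values and the use of Go are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
)
// newCallbackCookie builds the short-lived cookie that correlates the IdP
// callback with the login that started it (name and lifetime are assumed).
func newCallbackCookie(name, value string, mode http.SameSite) *http.Cookie {
	return &http.Cookie{
		Name:     name,
		Value:    value,
		Path:     "/",
		MaxAge:   300,
		HttpOnly: true,
		Secure:   true, // SameSite=None is only honoured together with Secure
		SameSite: mode,
	}
}
type Request struct {
	CrossSite bool   // initiated by another site (e.g. the IdP redirect)
	TopLevel  bool   // top-level navigation rather than a subresource load
	Method    string // HTTP method
}
// browserSends models the SameSite rule: Strict is never sent cross-site, Lax
// only on top-level GET navigations, None whenever the cookie is Secure. An
// unset attribute is treated as Lax here, as Chromium does; browsers differ.
func browserSends(c *http.Cookie, r Request) bool {
	if !r.CrossSite {
		return true
	}
	switch c.SameSite {
	case http.SameSiteStrictMode:
		return false
	case http.SameSiteLaxMode, http.SameSiteDefaultMode:
		return r.TopLevel && r.Method == http.MethodGet
	case http.SameSiteNoneMode:
		return c.Secure
	}
	return false
}
func main() {
	// The redirect back from the IdP arrives as a cross-site, top-level GET.
	callback := Request{CrossSite: true, TopLevel: true, Method: http.MethodGet}
	for _, m := range []http.SameSite{http.SameSiteStrictMode, http.SameSiteLaxMode, http.SameSiteNoneMode} {
		c := newCallbackCookie("cv", "constructed-value", m)
		fmt.Printf("%s\n  sent on IdP callback: %v\n", c.String(), browserSends(c, callback))
	}
}
```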