Hi

I do not see how SameSite attribute would help in this case. Or how do you
mean that it would protect against this?

// Ola

On Thu, 12 Mar 2020 at 22:02, Brian May <b...@debian.org> wrote:

> Ola Lundqvist <o...@inguza.com> writes:
>
> > I have ideas on how we can reduce the attack possibilities but I cannot
> > find any perfect solution to this.
>
> What about setting samesite=Lax in the session Cookie? This should solve
> all problems for POST requests. Are there any vulnerable GET requests?
> Additionally this is already the default for Chrome (I don't think
> Firefox has done this yet though).
>
> https://web.dev/samesite-cookies-explained/
>
> I posted this suggestion upstream also, but got no response - yet.
> https://github.com/phppgadmin/phppgadmin/issues/94#issuecomment-597464834
>
> Only problem is older browsers won't be protected, I am not sure this is
> a big issue however.
>
> I imagine setting the samesite value will be a lot less invasive than
> some of the other solutions being discussed here.
>
> The other problem might be implementing this. I see PHP has a
> session.cookie_samesite option but this was only implemented in PHP >=
> 7.3
>
> https://www.php.net/manual/en/session.configuration.php
> --
> Brian May <b...@debian.org>
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
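For readers following the thread, an added example of what Brian's suggestion looks like in practice. This is not phppgadmin's code and not anything from the thread; it assumes the application calls one setup function before `session_start()`, that `PHP_VERSION_ID` is available (PHP >= 5.2.7), and that the pre-7.3 fallback relies on PHP copying the `path` argument into the `Set-Cookie` header unescaped, which is a known behaviour but is labelled here as an assumption. The comments spell out the point Ola is asking about: `Lax` stops the browser attaching the session cookie to cross-site POSTs, but a top-level GET navigation still carries it, so any state-changing GET endpoint is not covered.

```php
<?php
// Added example (not phppgadmin's code): set the PHP session cookie with
// SameSite=Lax before the session is started.
//
// Effect in a browser that honours the attribute:
//   - cross-site POST (the usual CSRF form) : cookie NOT sent -> request is
//     unauthenticated and the CSRF fails
//   - top-level cross-site GET navigation   : cookie IS sent -> any endpoint
//     that changes state on GET remains exposed and still needs a CSRF token
//   - same-site requests                    : unaffected
// Older browsers that ignore SameSite get no protection from this alone.
function configure_session_cookie()
{
    $params = array(
        'lifetime' => 0,                              // browser-session cookie
        'path'     => '/',
        'domain'   => '',
        'secure'   => !empty($_SERVER['HTTPS']),      // only over TLS when served over TLS
        'httponly' => true,
        'samesite' => 'Lax',
    );

    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3+: the array signature with the 'samesite' key, equivalent
        // to setting session.cookie_samesite=Lax in php.ini.
        session_set_cookie_params($params);
    } else {
        // PHP < 7.3 has no samesite parameter. Assumption used here: PHP
        // appends the path argument verbatim to the Set-Cookie header, so the
        // attribute can be carried in through the path string.
        session_set_cookie_params(
            $params['lifetime'],
            $params['path'] . '; SameSite=Lax',
            $params['domain'],
            $params['secure'],
            $params['httponly']
        );
    }
}

configure_session_cookie();
session_start();
```

To confirm the setting took effect, request a page that starts the session and inspect the response header, e.g. `curl -sI https://host/phppgadmin/` should show `Set-Cookie: PHPSESSID=...; path=/; HttpOnly; SameSite=Lax` (with `secure` when served over TLS). The attribute only changes what the browser sends with cross-site requests; it does not replace per-request CSRF tokens for GET-triggered actions.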
