Insecurely generated cookies - SameSite
Need
Secure generation of cookies with a proper SameSite attribute
Context
• Usage of Python 3.x for building applications and scripts
• Usage of Django for building web applications in Python
Description
1. Non-compliant code
from django.http import HttpResponse

def set_cookie(request):
    response = HttpResponse("Setting your cookie")
    # No samesite argument: the cookie is issued without a SameSite attribute
    response.set_cookie('cookie_name', 'cookie_value')
    return response

In the above code, we are setting a cookie named 'cookie_name' with the value 'cookie_value'. This is done in the Django backend through the `set_cookie` method of the `HttpResponse` object. The problem with this code is that it does not set the `SameSite` attribute for the cookie. The `SameSite` attribute is a security measure that browsers use to restrict how cookies are sent with cross-site requests. Without the `SameSite` attribute, the cookie can be sent along with any request, even those originating from different sites. This can lead to Cross-Site Request Forgery (CSRF) attacks, where an attacker tricks a victim into performing actions on a web application in which they are authenticated. So, this code is vulnerable because it does not properly set the `SameSite` attribute for the cookie, thereby making the application susceptible to CSRF attacks.
2. Steps
• Identify all places in your code where cookies are being set.
• For each place where a cookie is set, add the 'samesite' attribute to the set_cookie function.
• Set the 'samesite' attribute to 'Strict' or 'Lax' depending on your application's needs. 'Strict' will only send cookies if the request is being made from the same site. This is a good setting for cookies that hold sensitive information. 'Lax' is a little less strict and allows cookies to be sent when the user navigates to the URL from somewhere else.
• Test your application to ensure that it still works as expected with the new 'samesite' attribute settings.
3. Secure code example
from django.http import HttpResponse

def set_cookie(request):
    response = HttpResponse("Setting your cookie")
    # samesite='Strict': the browser only attaches this cookie to same-site requests
    response.set_cookie('cookie_name', 'cookie_value', samesite='Strict')
    return response

The above code fixes the vulnerability by passing the `samesite` argument to the `set_cookie` method. The `samesite` attribute is set to 'Strict', which means that the cookie will only be sent in a request if the request is being made from the same site. This is a good setting for cookies that hold sensitive information. The `set_cookie` call now receives three arguments: the name of the cookie, the value of the cookie, and the `samesite` attribute. The `samesite` attribute can be set to either 'Strict' or 'Lax'. 'Strict' will only send the cookie if the request is being made from the same site. 'Lax' is a little less strict and allows the cookie to be sent when the user navigates to the URL from somewhere else. After making these changes, it is important to test your application to ensure that it still works as expected with the new 'samesite' attribute settings.
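The testing step above can be automated by inspecting the Set-Cookie headers an application emits. The following added example (not part of this page's original code, and not Django's own API) uses only the Python standard library to audit Set-Cookie header values for a missing or unusable SameSite attribute; the header strings are constructed to match what the non-compliant and the secure views above would emit.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie header values for this example (not captured from a real server):
# header 1 is what the non-compliant view emits, header 2 what the fixed view emits,
# headers 3 and 4 illustrate the SameSite=None edge case and a fully attributed cookie.
SAMPLE_HEADERS = [
    "cookie_name=cookie_value; Path=/",
    "cookie_name=cookie_value; Path=/; SameSite=Strict",
    "tracker=abc123; Path=/; SameSite=None",
    "session=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",
]


def check_set_cookie(header_value):
    """Return (cookie_name, finding) for one Set-Cookie header value.

    finding is None when the SameSite attribute is acceptable, otherwise a
    short description of the problem found.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    if not jar:
        return (None, "unparseable Set-Cookie header")
    name, morsel = next(iter(jar.items()))
    samesite = morsel["samesite"].strip().lower()  # '' when the attribute is absent
    secure = bool(morsel["secure"])                # Morsel flags are True or ''
    if not samesite:
        return (name, "SameSite attribute missing; browser default applies")
    if samesite not in ("strict", "lax", "none"):
        return (name, f"unknown SameSite value {morsel['samesite']!r}")
    if samesite == "none" and not secure:
        # Browsers reject SameSite=None cookies that are not also marked Secure
        return (name, "SameSite=None requires the Secure attribute")
    return (name, None)


def audit_headers(header_values):
    """Return the (cookie_name, finding) pairs that need attention."""
    findings = []
    for value in header_values:
        name, finding = check_set_cookie(value)
        if finding is not None:
            findings.append((name, finding))
    return findings


if __name__ == "__main__":
    for name, finding in audit_headers(SAMPLE_HEADERS):
        print(f"{name}: {finding}")
```

In a Django test you can feed `response.cookies.output(header="")` lines, or the raw `Set-Cookie` headers from a test client response, into `audit_headers` and assert that it returns an empty list.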
References
• 129. Insecurely generated cookies - SameSite