Hi Yoni, if the SameSite attribute is set to Lax, then the browser will include the cookie in requests that originate from another site, but only if two conditions are met:
- The request uses the GET method. Requests with other methods, such as POST, will not include the cookie.
- The request resulted from a top-level navigation by the user, such as clicking a link. Other requests, such as those initiated by scripts, will not include the cookie.
Most CSRF attacks tend to happen on POST requests, so Lax mode is only a partial defense. You should use it in conjunction with CSRF tokens. You can use Spring Security (if you are using Java and Spring) or you can use CSRFGuard from OWASP. Please see the link below for CSRFGuard:
https://owasp.org/www-project-csrfguard/
The OpenID Connect protocol does not have any specifications for CSRF. Here are a few resources that might help you (see below), but the general pattern is to use the state parameter. Some reputed OpenID providers do provide protection, but the smaller ones do not.
https://developer.amazon.com/docs/login-with-amazon/cross-site-request-forgery.html
https://technospace.medium.com/csrf-in-idp-initiated-openid-connect-7a2873420e86
https://developers.google.com/identity/openid-connect/openid-connect
Yoni, you can utilize duration-based stickiness and give it a shot. This way your cookie (JSESSIONID) will maintain the Lax value. Please see the following resource:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/sticky-sessions.html
Give it a shot.
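The two layers the answer describes, as an added example that is not part of the original post or of any AWS or OWASP code: a small model of the browser's SameSite decision (which cross-site requests still carry the cookie), a synchronizer-token check for state-changing requests, and the same nonce pattern applied to the OpenID Connect `state` parameter. The function names, the dict used as a stand-in for a server-side session, and the sample values are all assumptions made for this illustration.

```python
import hmac
import secrets

# HTTP "safe" methods. The answer above names GET; the SameSite specification
# applies the Lax exception to all safe methods on top-level navigations.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def cookie_attached(samesite, method, cross_site, top_level_navigation):
    """Model of the browser rule: is a cookie carrying this SameSite value
    attached to the request? Same-site requests always carry it."""
    if not cross_site:
        return True
    value = (samesite or "None").lower()
    if value == "none":
        return True          # sent on every cross-site request (requires Secure)
    if value == "strict":
        return False         # never sent cross-site
    # Lax: cross-site only for a safe-method, top-level navigation
    return method.upper() in SAFE_METHODS and top_level_navigation


def issue_csrf_token(session):
    """Synchronizer-token pattern: a random token lives in the server-side
    session and is echoed into the forms/headers of that same user."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_check(session, method, submitted_token):
    """State-changing requests must present the session's token; safe
    methods are exempt. Constant-time compare avoids a timing oracle."""
    if method.upper() in SAFE_METHODS:
        return True
    expected = session.get("csrf_token")
    if expected is None or submitted_token is None:
        return False
    return hmac.compare_digest(expected.encode(), submitted_token.encode())


def server_accepts(session, samesite, method, cross_site, top_level_navigation,
                   submitted_token, require_token):
    """Combine both layers. A request that arrives without the session cookie
    is anonymous, so for CSRF purposes it is not accepted as the victim."""
    if not cookie_attached(samesite, method, cross_site, top_level_navigation):
        return False
    if require_token:
        return csrf_check(session, method, submitted_token)
    return True


def issue_oidc_state(session):
    """Same nonce idea for the OIDC authorization request's state parameter."""
    state = secrets.token_urlsafe(32)
    session["oidc_state"] = state
    return state


def verify_oidc_state(session, returned_state):
    """Single-use: the stored state is consumed whether or not it matches."""
    expected = session.pop("oidc_state", None)
    if expected is None or returned_state is None:
        return False
    return hmac.compare_digest(expected.encode(), returned_state.encode())


if __name__ == "__main__":
    session = {}                      # constructed stand-in for a server session
    token = issue_csrf_token(session)
    # Forged cross-site POST from a script: Lax drops the cookie ...
    print(server_accepts(session, "Lax", "POST", True, False, None, False))
    # ... but with SameSite=None and no token the same POST goes through
    print(server_accepts(session, "None", "POST", True, False, None, True))
    # Legitimate same-site POST carrying the token
    print(server_accepts(session, "Lax", "POST", False, False, token, True))
```

Note that the only thing Lax stops in this model is the cookie reaching the server on a cross-site POST; whenever the cookie does arrive (same-site request, SameSite=None, or a Lax cookie on a top-level GET), the token check is what decides, which is why the two mechanisms are used together.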
Thank you for this finely crafted answer, but it actually adds nothing to my question in the way of a solution. I care about POST requests, not GET, and I know what OIDC is. The question is about the ALB cookies, which effectively allow a request from another site to pass through.