Sensitive Cookie with Improper SameSite Attribute
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-1275: Sensitive Cookie with Improper SameSite Attribute |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | Low |
Description#
The Pyramid authentication ticket cookie is missing the recommended ‘samesite=“Lax”’ setting, which means browsers may send this cookie with cross-site requests. Without this protection, your authentication cookies are more vulnerable to being sent to untrusted sites.
Impact#
If exploited, an attacker could potentially trick a user’s browser into sending authentication cookies to a malicious site, enabling session hijacking or cross-site request forgery (CSRF) attacks. This can lead to unauthorized access to user accounts and sensitive data within your application.