Sensitive Cookie with Improper SameSite Attribute
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-1275: Sensitive Cookie with Improper SameSite Attribute |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | Low |
Description#
The code sets cookies in a Pyramid application without properly setting the ‘samesite’ attribute to ‘Lax’. This omission makes cookies more vulnerable to being sent with cross-site requests, increasing the risk of unauthorized access.
Impact#
If exploited, an attacker could trick a user’s browser into sending your site’s cookies along with cross-site requests, potentially leading to session hijacking or unauthorized actions on behalf of the user. This weakens the application’s defenses against cross-site request forgery (CSRF) and may expose sensitive user data.