[Tenable] Cookie Without SameSite Flag Detected (revisit when we upgrade to Django 2.1) #3070
Comments
@lbeaufort is there more information about this? Are the cookies in question being set on a specific page or section of the site? What's the name of those cookies? As far as I can see, the cookies that we set are secure, though we're using Google Analytics that may be setting simpler cookies even though we're requesting that it use the secure options.
Sorry the message is so vague, it's what I was sent. Here's the only other helpful data I could dig out from the report, let me know if this helps at all:
Was working on this last week. Doesn't seem crucial for our cookie use (e.g., PII) but @patphongs advised to check with Michael. Will reach out to him.
It looks like we may not be able to address #1 until we upgrade to at least Django 2.1, when the SameSite capability was added: https://docs.djangoproject.com/en/2.2/ref/settings/#std:setting-SESSION_COOKIE_SAMESITE
I have an email out to GSA about #2
It looks like we may need to mark these two different issues as known / won't fix.
#1 - We can fix it after we upgrade to Django 2.1, but it's not a big issue for us since we aren't offering users anything near logins and we aren't collecting PII.
#2 - I got a reply from Freddie at DAP that the cookie doesn't contain PII (and, not being our cookie, we can't really change anything about it):
Blocked until we upgrade to Django 2.1. Leaving in the
Django was recently upgraded to LTS v2.2.10 and deployed to The CSRF token is NOW set after the Django upgrade. We can close this issue. Django v2.2 documentation:
@lbeaufort @pkfec @patphongs this was reopened so I'm moving it from Sprint 11.6 to "no milestone" and adding "Needs prioritization".
SameSite flag is set on the CSRF token, this is remediated.
1. Cookie Without SameSite Flag Detected
When the SameSite flag is set on a cookie, the browser will prevent it from being sent along with cross-site requests. This can help prevent Cross-Site Request Forgery (CSRF) attacks. |
Remediation path: If the cookie contains sensitive information, then the server should ensure that the cookie has the SameSite flag set. This flag can have two values: strict or lax. With the strict value the cookie will only be sent if the request originates from the same website. With the lax value the cookie will only be sent for GET requests.
References: https://www.owasp.org/index.php/SameSite
2. Cookie Without Secure Flag Detected
When the secure flag is set on a cookie, the browser will prevent it from being sent over a clear text channel (HTTP) and only allow it to be sent when an encrypted channel is used (HTTPS). The scanner discovered that a cookie was set by the server without the secure flag being set. Although the initial setting of this cookie was via an HTTPS connection, any HTTP link to the same server will result in the cookie being sent in clear text. Note that if the cookie does not contain sensitive information, the risk of this vulnerability is mitigated.
Remediation path: If the cookie contains sensitive information, then the server should ensure that the cookie has the secure flag set.
References: https://www.owasp.org/index.php/SecureFlag
Moved #2 to #3102
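The two scanner findings above (missing SameSite, missing Secure) both come down to attributes on the Set-Cookie response header. The following is an added example, not code from the issue, the Tenable report, or the project: a small Python checker that parses Set-Cookie headers the way the scanner describes and reports which cookies lack each attribute, run over a handful of constructed sample headers. The Django setting names at the bottom are the real ones (SameSite support requires Django 2.1 or later, as the thread notes); the sample cookie names and values are made up for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union


@dataclass
class CookieFinding:
    """Result of auditing one Set-Cookie header."""
    name: str
    samesite: Optional[str]     # normalized value, or None if the attribute is absent
    missing_samesite: bool      # True unless SameSite is Strict or Lax
    missing_secure: bool        # True if the Secure attribute is absent


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, Union[str, bool]]]:
    """Split 'name=value; Attr=val; Flag' into the cookie name and its attributes.

    Attribute names are lower-cased; valueless attributes (Secure, HttpOnly)
    are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True
    return name, attrs


def audit_set_cookie(header: str) -> CookieFinding:
    """Apply the two scanner checks to a single Set-Cookie header."""
    name, attrs = parse_set_cookie(header)
    raw = attrs.get("samesite")
    samesite = raw.lower() if isinstance(raw, str) else None
    # SameSite=None explicitly opts out of cross-site protection, so it is
    # treated the same as a missing attribute for finding #1.
    return CookieFinding(
        name=name,
        samesite=samesite,
        missing_samesite=samesite not in ("strict", "lax"),
        missing_secure="secure" not in attrs,
    )


def audit_headers(headers: List[str]) -> List[CookieFinding]:
    """Audit every Set-Cookie header captured from one response."""
    return [audit_set_cookie(h) for h in headers]


# Constructed sample headers (hypothetical values, not captured from any site).
SAMPLE_HEADERS = [
    "csrftoken=abc123; Path=/; Secure; SameSite=Lax",                 # both flags present
    "sessionid=def456; Path=/; HttpOnly; Secure",                     # finding #1: no SameSite
    "_ga=GA1.2.111.222; Path=/; Domain=.example.gov; Max-Age=63072000",  # finding #1 and #2
    "prefs=x; Path=/; SameSite=None; Secure",                         # SameSite=None counts as #1
]

# Django settings (real setting names) that address both findings for the
# cookies Django itself sets; SESSION/CSRF_COOKIE_SAMESITE exist from 2.1.
# Cookies set by third-party scripts are not affected by these settings.
DJANGO_COOKIE_SETTINGS = {
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "SESSION_COOKIE_SAMESITE": "Lax",
    "CSRF_COOKIE_SAMESITE": "Lax",
}


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        flags = []
        if finding.missing_samesite:
            flags.append("missing SameSite (finding #1)")
        if finding.missing_secure:
            flags.append("missing Secure (finding #2)")
        print(f"{finding.name}: {', '.join(flags) or 'ok'}")
```

Running the block prints one line per sample cookie; the "_ga"-style analytics cookie trips both checks, which matches the thread's conclusion that a cookie set by a third-party script cannot be fixed from Django settings alone.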