
Let's say I am on the webshopA site where an auth cookie is stored - it is set to SameSite none unfortunately. Then I enter webshopB into the address bar and I press enter.

--> Now if webshopB owner checks the server logs, she/he will find my auth cookie from webshopA.

Is my understanding correct? So basically even if webshopB is not a malicious website, it still accessed my private information.

It is so hard for me to visualize this, I am a beginner. Thank you.

asked Jan 7 at 23:59 by Johnes
  • The answer to your question is probably "no", but it's actually impossible to say without knowing (1) the full URL for webshopA and webshopB and (2) the rest of the cookie attributes (e.g. Domain and Path). But in general a cookie is never delivered to an entirely different site than the one it is set on, and unless your browser is atypical or misconfigured, even a cookie declared broadly (e.g. Domain=.com) will not be honored by the browser. – gwcoffey Commented Jan 8 at 0:21

1 Answer


Your question is not related to SameSite.

First, if SameSite=None is set, the following becomes possible:

You are originally logged in at webshopA, and the cookie has SameSite=None specified.

Next, you navigate to webshopB, and from a page on webshopB, you navigate to a page on webshopA using the POST method.

In this case, the cookie with SameSite=None is sent to webshopA.

If this cookie has SameSite=Lax, it will not be sent to webshopA with the POST method. If it's the GET method, it will be sent to webshopA.

SameSite=None does not cause cookies to be sent to other sites. It changes the behavior when navigating from other sites.
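As an added example (not part of the question, the comment or the answer above), here is a small JavaScript model of the decision a browser makes before attaching a cookie to a request. It assumes the hosts webshopa.example and webshopb.example, a cookie named session, and a toy public-suffix rule (a Domain with fewer than two labels is treated as a public suffix); real browsers consult the Public Suffix List. It walks through the situations discussed on this page: the address-bar navigation from the question, the cross-site POST and GET cases from the answer, and the Domain=.com point from the comment.

```javascript
// Added example (not from the original post): a model of the browser-side
// "is this cookie attached to this request?" decision, following the
// RFC 6265 domain-matching rules and the RFC 6265bis SameSite rules.
// Host names and attribute values below are assumed for illustration.

// Toy "registrable domain": the last two labels of the host. Real browsers
// use the Public Suffix List; this approximation is enough for *.example.
function registrableDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Domain matching: the request host must equal the cookie's Domain or be a
// subdomain of it. Host-only cookies (no Domain attribute) match exactly.
function domainMatches(requestHost, cookie) {
  const host = requestHost.toLowerCase();
  const domain = cookie.domain.toLowerCase().replace(/^\./, '');
  if (cookie.hostOnly) return host === domain;
  return host === domain || host.endsWith('.' + domain);
}

// Set-Cookie acceptance: a Domain attribute is honored only if it covers the
// setting host and is not a public suffix (so Domain=.com is dropped), and
// SameSite=None is only accepted together with Secure.
function cookieAccepted(settingHost, cookie) {
  const domain = cookie.domain.toLowerCase().replace(/^\./, '');
  const isPublicSuffix = domain.split('.').length < 2; // toy rule, see lead-in
  if (isPublicSuffix) return false;
  if (cookie.sameSite === 'None' && !cookie.secure) return false;
  return domainMatches(settingHost, { domain, hostOnly: false });
}

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// request = { host, scheme, method, topLevelNavigation, initiatorHost }
// initiatorHost === null means the user typed the URL or used a bookmark,
// which browsers treat as a same-site navigation.
function cookieIsSent(cookie, request) {
  // Step 1: scope. A cookie never leaves the site it was set for, whatever
  // its SameSite value says. This is why typing webshopB into the address
  // bar does not hand webshopA's cookie to webshopB.
  if (!domainMatches(request.host, cookie)) return false;
  if (cookie.secure && request.scheme !== 'https') return false;

  // Step 2: same-site request to the cookie's own site: SameSite is irrelevant.
  const sameSite = request.initiatorHost === null ||
    registrableDomain(request.initiatorHost) === registrableDomain(request.host);
  if (sameSite) return true;

  // Step 3: cross-site request *to the cookie's own site*: SameSite decides.
  switch (cookie.sameSite || 'Lax') {      // modern browsers default to Lax
    case 'None':   return true;             // Secure already checked above
    case 'Lax':    return request.topLevelNavigation && SAFE_METHODS.has(request.method);
    case 'Strict': return false;
    default:       return false;
  }
}

// The situations discussed on the page, as constructed sample requests.
function scenarios() {
  const base = { name: 'session', domain: 'webshopa.example', hostOnly: true, secure: true };
  const none = { ...base, sameSite: 'None' };
  const lax = { ...base, sameSite: 'Lax' };
  const strict = { ...base, sameSite: 'Strict' };

  const typedIntoWebshopB = { host: 'webshopb.example', scheme: 'https', method: 'GET',
                              topLevelNavigation: true, initiatorHost: null };
  const postFromBtoA = { host: 'webshopa.example', scheme: 'https', method: 'POST',
                         topLevelNavigation: true, initiatorHost: 'webshopb.example' };
  const linkFromBtoA = { ...postFromBtoA, method: 'GET' };
  const fetchFromBtoA = { ...postFromBtoA, method: 'GET', topLevelNavigation: false };

  return {
    typedNavigationToB_none: cookieIsSent(none, typedIntoWebshopB),   // false: other site
    postBtoA_none: cookieIsSent(none, postFromBtoA),                   // true
    postBtoA_lax: cookieIsSent(lax, postFromBtoA),                     // false
    linkBtoA_lax: cookieIsSent(lax, linkFromBtoA),                     // true
    linkBtoA_strict: cookieIsSent(strict, linkFromBtoA),               // false
    subresourceBtoA_lax: cookieIsSent(lax, fetchFromBtoA),             // false
    domainDotCom_accepted: cookieAccepted('webshopa.example',
      { domain: '.com', hostOnly: false, secure: true }),              // false
    foreignDomain_accepted: cookieAccepted('webshopa.example',
      { domain: 'webshopb.example', hostOnly: false, secure: true }),  // false
    noneWithoutSecure_accepted: cookieAccepted('webshopa.example',
      { ...base, secure: false, sameSite: 'None' }),                   // false
  };
}

console.table(scenarios());
```

Running the block prints a table of the scenarios. The two checks that matter for the question are separate: step 1 (Domain scope) is what keeps webshopA's cookie away from webshopB entirely, while SameSite only enters at step 3, for requests that arrive at webshopA from another site.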
