
Session issue when Set-Cookie has HttpOnly & Secure

Assume the user is already logged into the system. The user performed some activity and based on that they receive one email. The email has one link; if the user clicks it they will be redirected to the appropriate screen. But for some reason, when the user tries the hyperlink they are logged out from the system and have to log in again.

After debugging it turns out that we have the below rule in the apache conf file.

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=strict

After removing the above line everything works as expected.

So I am trying to find out the reason behind it (i.e. why the session issue occurs if the above rule is in place). Also, how should I add that rule without impacting the session, because HttpOnly & Secure cookies are required as per the security guideline.

You need to change SameSite=strict to SameSite=lax (or just remove it, since lax is the default value).

The strict value will prevent the cookie from being sent by the browser to the target site in all cross-site browsing context, even when following a regular link.
...

The default lax value provides a reasonable balance between security and usability for websites that want to maintain user's logged-in session after the user arrives from an external link.

https://www.owasp.org/index.php/SameSite
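Why the strict setting logs the user out can be seen by modelling the browser's SameSite check. The following is an added example, not code from the original answer: it implements a simplified version of the RFC 6265bis decision, where the registrable domain is approximated by the last two host labels (real browsers consult the Public Suffix List) and the webmail and application URLs are constructed samples.

```python
from urllib.parse import urlsplit

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def site_of(url: str) -> tuple:
    """Return (scheme, registrable domain) for a URL.

    Simplification (assumption): the registrable domain is taken to be the
    last two DNS labels; browsers use the Public Suffix List instead.
    """
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    return parts.scheme, ".".join(labels[-2:])


def cookie_is_sent(same_site: str, secure: bool, request_url: str,
                   initiator_url: str, method: str,
                   top_level_navigation: bool) -> bool:
    """Decide whether a cookie with the given attributes accompanies a request.

    initiator_url is the page (the browser's "site for cookies") from which the
    request originates, e.g. the webmail page holding the emailed link.
    """
    attr = (same_site or "lax").lower()          # missing attribute defaults to Lax
    if secure and urlsplit(request_url).scheme != "https":
        return False                             # Secure cookies travel only over HTTPS
    if attr == "none":
        return secure                            # SameSite=None is only honoured with Secure
    if site_of(request_url) == site_of(initiator_url):
        return True                              # same-site requests always carry the cookie
    if attr == "strict":
        return False                             # strict: never on any cross-site request
    # lax: only top-level navigations with a safe method, e.g. clicking a link
    return top_level_navigation and method.upper() in SAFE_METHODS


def emailed_link_keeps_session(same_site: str) -> bool:
    """The scenario from the question: a link in webmail opens the application."""
    # Constructed sample URLs: the link is clicked on a different site than the app.
    webmail = "https://mail.webmail-example.com/inbox"
    app_link = "https://app.example.com/orders/42"
    return cookie_is_sent(same_site, True, app_link, webmail, "GET", True)
```

With SameSite=strict the session cookie is withheld on the cross-site link click, so the server sees an anonymous request and shows the login page; with lax (or no attribute) the same top-level GET carries the cookie.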

I had the same issue and used the following code.

Note: Content-Security-Policy is to filter what type of data the server should be allowed to access, and you can remove that line if you want.

#fixing vulnerability issues
TraceEnable Off
Header set X-Frame-Options SAMEORIGIN
Header always edit Set-Cookie (.*) "$1; HTTPOnly"
Header always edit Set-Cookie (.*) "$1; Secure"
Header set Content-Security-Policy "frame-ancestors 'none'; default-src 'self' http://onecrm; script-src 'unsafe-inline' 'unsafe-eval' *; connect-src *; img-src data: *; style-src 'unsafe-inline' *;"

More reading: Set-Cookie, Cookies for dummies, SameSite cookie attribute
