
I have an ASP.NET web application running in IIS that handles the authentication session with cookies.

A customer wants to display this application inside an iframe of another application. However, AFAIK this would force me to set SameSite=None for my auth cookie, which would make it vulnerable to CSRF attacks (and also fail in any pentest audit).

Is there any way to keep my auth cookies with SameSite=Lax while displaying the application inside an iframe? If not, is there any secure alternative?

Tao Gómez Gil
  • I don't understand your CSRF concern and don't see why `SameSite=None` should fail a pen test, see also [here](https://stackoverflow.com/questions/76851436/keycloak-uses-samesite-none-and-failing-in-pen-test). But cookies in an iframe (not just auth cookies) are likely to be blocked as third-party cookies. – Heiko Theißen Aug 29 '23 at 14:47
  • About the CSRF concern, `SameSite=Lax` is meant as a protection against CSRF attacks, see for instance https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#samesite-cookie-attribute About the pentest, usually companies doing security audits demand cookies to have SameSite Lax or Strict. – Tao Gómez Gil Aug 29 '23 at 15:05
  • 1
    You won't be able to have cross-site cookies in iframes anyway once browsers start enforcing [third-party cookie blocking](https://privacysandbox.com/open-web/#the-privacy-sandbox-timeline). – Heiko Theißen Aug 29 '23 at 15:21
  • This link may help you: [https://learn.microsoft.com/en-us/aspnet/samesite/system-web-samesite](https://learn.microsoft.com/en-us/aspnet/samesite/system-web-samesite). – samwu Aug 30 '23 at 08:45
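The constraint the question runs into can be made concrete with a small model of the browser's SameSite decision: a `Lax` cookie is never attached to a request issued from inside a cross-site iframe, while it keeps working when the embedding page is same-site (same registrable domain), and `None` only works together with `Secure` and no longer blocks a forged cross-site POST on its own, so a separate anti-forgery token is what has to carry the CSRF defence. This is an added example, not code from the question, from ASP.NET or from IIS; the functions `parse_set_cookie`, `cookie_sent`, `iframe_auth_works` and `csrf_post_blocked`, the Lax-by-default treatment of a missing attribute, and the Set-Cookie strings are all constructed here.

```python
# Added example: model of browser SameSite rules for cookies in iframes.
# Not from the question, ASP.NET or IIS; all sample headers are constructed.


def parse_set_cookie(header: str) -> dict:
    """Return name, SameSite value and Secure flag from a Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    cookie = {"name": parts[0].split("=", 1)[0], "same_site": None, "secure": False}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.lower() == "samesite":
            cookie["same_site"] = value.strip().capitalize()  # "none" -> "None"
        elif key.lower() == "secure":
            cookie["secure"] = True
    if cookie["same_site"] is None:
        cookie["same_site"] = "Lax"  # assumption: Chromium-style Lax-by-default
    return cookie


def cookie_sent(cookie: dict, *, cross_site: bool, top_level: bool,
                method: str = "GET") -> bool:
    """Decide whether the browser attaches the cookie to a request.

    cross_site: embedder and cookie origin have different registrable domains.
    top_level:  the request is a top-level navigation, not an iframe/subresource.
    """
    if cookie["same_site"] == "None":
        return cookie["secure"]  # None without Secure is rejected outright
    if not cross_site:
        return True  # same-site requests are unaffected by Lax/Strict
    if cookie["same_site"] == "Lax":
        return top_level and method in ("GET", "HEAD")  # safe top-level navs only
    return False  # Strict: never on cross-site requests


def iframe_auth_works(header: str, *, embedder_is_same_site: bool) -> bool:
    """Would the auth cookie reach the app when loaded in a customer's iframe?"""
    cookie = parse_set_cookie(header)
    return cookie_sent(cookie, cross_site=not embedder_is_same_site, top_level=False)


def csrf_post_blocked(header: str) -> bool:
    """Does SameSite alone keep a forged cross-site POST from carrying the cookie?"""
    cookie = parse_set_cookie(header)
    return not cookie_sent(cookie, cross_site=True, top_level=True, method="POST")


if __name__ == "__main__":
    for label in ("Lax", "None"):
        h = f".ASPXAUTH=abc123; Path=/; Secure; HttpOnly; SameSite={label}"
        print(label, "cross-site iframe:", iframe_auth_works(h, embedder_is_same_site=False),
              "| forged POST blocked:", csrf_post_blocked(h))
```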
