Tags: cookies, session-cookies, whitelist, samesite

Whitelisting domains for samesite=strict cookies


I would like to keep my client website portal cookies set to samesite=strict, but then also allow specific 3rd-party domains to do redirects back to my website and be able to use my site's cookies to maintain the current user's login session. However, I don't think there is any native method to do this... please confirm/correct this assumption?

And if a native method does not exist I am exploring a custom option that would set cookies to samesite=lax but then add my own whitelist to accept or reject the redirects. That whitelist would exist in my user authentication scripts and would accept redirects from whitelisted domains (thus allowing current login sessions to be maintained) and then reject all other non-whitelisted redirects to the login screen. My thought here is that non-whitelisted redirects would still be offered the cookies by the browser - potentially allowing those cookies to be captured - but it wouldn't matter because the page doing the validation would immediately delete all cookies and then redirect the user to the login page which would then force all new cookie values - even sessionID.

I believe the concept would work, but I am looking for input about the pros/cons of this whitelist concept - whether it even really matters, whether I am overthinking this, or what problems I would encounter if I implement it.

Thanks in advance for contributing discussions.


Solution

  • You cannot reliably know from which website the redirection came, because according to their Referrer Policy, many websites don't include the Referer header when they make redirects. And a redirect without Referer header is indistinguishable from a request made by typing in the URL.
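The two points above (which cross-site requests a browser attaches a SameSite=Strict or Lax cookie to, and why a Referer-based allowlist cannot classify a redirect that arrives without a Referer) can be made concrete with a small model. This is an added example, not code from the question or the answer: the hostnames `portal.example` and `partner.example` are constructed, the allowlist is a stand-in for the one the asker describes, and the site comparison uses the last two host labels as a simplification of the registrable domain (a real implementation would consult the Public Suffix List).

```python
"""Model of SameSite cookie attachment and a Referer-based redirect allowlist.

Added example; hostnames, the allowlist and the two-label 'site' rule are
constructed assumptions for illustration.
"""
from urllib.parse import urlsplit

# Methods a Lax cookie may accompany on a cross-site top-level navigation.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def site_of(url):
    """Approximate the 'site' of a URL as (scheme, registrable domain).

    Simplification: the registrable domain is taken to be the last two host
    labels, so app.portal.example and portal.example are the same site.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    registrable = ".".join(labels[-2:]) if len(labels) >= 2 else host
    return (parts.scheme.lower(), registrable)


def cookie_attached(samesite, request_url, initiator_url,
                    method="GET", top_level_navigation=True):
    """Return True if a cookie with this SameSite value rides along on request_url.

    initiator_url is the page that caused the request (None models a typed
    URL or bookmark, which browsers treat as same-site).
    """
    samesite = (samesite or "lax").lower()
    if initiator_url is None or site_of(request_url) == site_of(initiator_url):
        return True  # same-site request: SameSite never blocks it
    if samesite == "none":
        return True  # cross-site allowed (browsers also require the Secure attribute)
    if samesite == "strict":
        return False  # never on a cross-site request, including a redirect back
    # Lax: only top-level navigations using a safe method
    return top_level_navigation and method.upper() in SAFE_METHODS


# Constructed allowlist of third-party sites permitted to redirect back to us.
ALLOWED_REFERRER_SITES = {("https", "partner.example")}


def classify_redirect(referer_header):
    """Classify an incoming redirect by its Referer header.

    Returns 'allowed', 'rejected', or 'unknown'. A missing Referer can come
    from a typed URL, a bookmark, or a referrer policy that strips the header
    on redirects, so it cannot be attributed to any site.
    """
    if not referer_header:
        return "unknown"
    if site_of(referer_header) in ALLOWED_REFERRER_SITES:
        return "allowed"
    return "rejected"


if __name__ == "__main__":
    callback = "https://portal.example/login/callback"
    for attr in ("strict", "lax"):
        for method in ("GET", "POST"):
            sent = cookie_attached(attr, callback, "https://partner.example/start", method)
            print(f"SameSite={attr:<6} cross-site {method:<4} redirect -> cookie sent: {sent}")
    for ref in ("https://partner.example/start", "https://other.example/", None):
        print(f"Referer={ref!r:<36} -> {classify_redirect(ref)}")
```

Running the block prints that a Strict cookie is never sent on the cross-site redirect back, a Lax cookie is sent only for the GET navigation, and the three Referer cases come out as allowed, rejected and unknown; the last row is the case the answer describes, where the server has no way to tell a stripped Referer from a user typing the URL.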