Ola Lundqvist <ola@inguza.com> writes:
> I have ideas on how we can reduce the attack possibilities but I cannot
> find any perfect solution to this.
What about setting samesite=Lax in the session Cookie? This should solve
all problems for POST requests. Are there any vulnerable GET requests?
Additionally this is already the default for Chrome (I don't think
Firefox has done this yet though).
https://web.dev/samesite-cookies-explained/
I posted this suggestion upstream also, but got no response - yet.
https://github.com/phppgadmin/phppgadmin/issues/94#issuecomment-597464834
Only problem is older browsers won't be protected, I am not sure this is
a big issue however.
I imagine setting the samesite value will be a lot less invasive then
some of the other solutions being discussed here.
The other problem might be implementing this. I see PHP has a
session.cookie_samesite option but this was only implemented in PHP >=
7.3
https://www.php.net/manual/en/session.configuration.php
--
Brian May <bam@debian.org>