Werk #11492: Auth cookies: Specify SameSite attribute to improve cookie security

Component: GUI
Title: Auth cookies: Specify SameSite attribute to improve cookie security
Date: 2020-09-11 11:34:37
Checkmk Edition: Checkmk Raw Edition (CRE)
Checkmk Version: 2.0.0i1
Level: Trivial Change
Class: Security Fix
Compatibility: Compatible - no manual interaction needed

The authentication cookies of the Checkmk GUI (auth_[site]) previously relied on the browser's default behaviour regarding the same-site policy. This resulted in a) inconsistent cookie handling across the different browsers and b) made certain cross-site request forgery (CSRF) attacks possible.

With this change we explicitly set the "SameSite=Lax" attribute on all authentication cookies created by logins after updating Checkmk.
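As an added illustration (not Checkmk's own code), the following model shows why the attribute matters: it builds an auth_[site] cookie with SameSite=Lax and simulates the browser's decision of whether to attach the cookie to same-site, cross-site top-level and cross-site form POST requests. The site name, token value and path are constructed; an absent attribute is modelled as the older "send it everywhere" behaviour, which is one of the browser defaults the werk text refers to.

```python
"""Model of how a browser decides whether to attach an auth cookie.

Constructed example: the cookie name auth_mysite follows the auth_[site]
pattern from the werk text; the request scenarios are made up.
"""
from http.cookies import SimpleCookie

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def build_auth_cookie(site: str, value: str, samesite: str = "Lax") -> str:
    """Return the Set-Cookie header value for an auth_[site] cookie."""
    jar = SimpleCookie()
    name = f"auth_{site}"
    jar[name] = value
    jar[name]["path"] = f"/{site}/"      # assumed site-relative path
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["samesite"] = samesite     # the attribute this werk starts setting
    return jar[name].OutputString()


def cookie_attached(samesite, cross_site, top_level_navigation, method):
    """Decide whether the browser sends the cookie on a request.

    samesite: "Strict", "Lax", "None", or None when the attribute is absent.
    An absent attribute is modelled here like "None" (the older behaviour);
    real browsers differ on this, which is the inconsistency the werk fixes.
    """
    if not cross_site:
        return True                       # same-site requests always carry it
    policy = samesite or "None"
    if policy == "Strict":
        return False                      # never sent cross-site
    if policy == "Lax":
        # only top-level navigations with a safe method, e.g. clicking a link
        return top_level_navigation and method.upper() in SAFE_METHODS
    return True                           # "None": sent on any cross-site request


def csrf_post_blocked(samesite):
    """Classic CSRF vector: a form on another origin auto-submitting a POST
    to the GUI. With SameSite=Lax the auth cookie is not attached."""
    return not cookie_attached(samesite, cross_site=True,
                               top_level_navigation=True, method="POST")


if __name__ == "__main__":
    print(build_auth_cookie("mysite", "constructed-token"))
    for policy in (None, "None", "Lax", "Strict"):
        print(f"SameSite={policy}: CSRF POST blocked = {csrf_post_blocked(policy)}")
```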

For more information about this HTTP cookie setting have a look at https://web.dev/samesite-cookies-explained/.