While browsing a website, various cookies get saved in your web browser. These cookies provide a convenient mechanism for temporary storing some settings, specific to you. For example, your preferred order of items in a list, theme, and so on. Some cookies contain more sensitive information - for example your authentication cookie, which helps you access protected resources once successfully logged in, without prompting you to enter your credentials every time. Even though such cookies store the information using some sort of encryption, there is still an ongoing concern about this information falling in someone else's hands.
A specific in the web browser behavior is that when you make a request, the browser sends all cookies for the domain along the request. Even under normal browsing circumstances it's quite hard to track which domains you make requests to (and send your cookies). An average page loads multiple resources, which might not come from the website domain, for example images, scripts, styles, 3rd party integrations and so on, thus the complexity of tracking what requests happen under the hood, and which domains receive your browser cookies.
Take the following example: You are logged in your website (www.mysitefinitysite.com) backend. In the same browser you open a new tab and do a web search that leads you to a malicious website. This website contains some client-side script that targets your website domain (www.mysitefinitysite.com), for example hidden between an innocent-looking button or popup action. The attacker aims at obtaining control over your website, for example by creating and admin user, retrieving sensitive data, or deleting data. When this malicious website executes the script, the browser sends all cookies it has stored for your domain, in this case including your authentication cookie for the other site you have open in the same browser. Since the authentication cookie is valid, your website will process the request, ultimately granting the attacker the same level of access as yours to your website backend. This security vulnerability is also known as Cross Site Request Forgery or simply CSRF.
The Sitefinity CMS Web Security module enables IT Administrators to configure a centralized mechanism that helps securing the website cookies, thus preventing the CSRF vulnerability.
By default, different cookies may have different level of protection - depending on the out of the box implementation, or the way they have been developed, in case of customizations. The Web Security module enables you to define a minimum security policy for all website cookies. In other words, when you configure your Sitefinity CMS website cookies protection mechanism, the settings are applied to all website cookies. Think of it this way - if a cookie already has a higher security policy implemented, it will be used, but if a cookie has lower security than the one configured in the Web Security module, the module security settings take precedence, thus actively securing your cookie.
To configure the cookies protection mechanism follow these steps:
NOTE: When you manually enable this option, keep in mind that some of the cookies already issued by your website might have different expiration timeframes. Enabling or disabling the cookie protection mechanism does not result in invalidating all cookies expiration. If a cookie is still valid, it will take the new security settings only once it expires from the user's browser. To detect any undesired behavior when changing this setting, it is recommended that the IT administrator, making the change to clear all cookies from their web browser, so they can observe the effects of the changes right away.
NOTE: If you set the SameSite value to Strict, external authentication, such as Azure AD will not work.
Sign up for our free beginner training. Boost your credentials through advanced courses and certification. Register for Sitefinity training and certification.
To submit feedback, please update your cookie settings and allow the usage of Functional cookies.
Your feedback about this content is important