IBM Verify


 How does ISVA prevent a CSRF attack with the SameSite=None setting?

Kedar Kulkarni posted Wed October 01, 2025 12:24 AM

Hello,

We have the SameSite=None setting below at our WebSEAL reverse proxy instance. This is because we want our third-party integrations to call our keepAlive resource to keep the ISVA session alive while the user is active on the third-party website. The user can finish the work on that third-party site and come back to the ISVA-hosted application with the session still alive.

Below is the SameSite=None setting in the WebSEAL config.

[cookie-attributes]
PD-S-SESSION-ID = SameSite=None; Secure

Now the problem is that, because of SameSite=None, there is a CSRF vulnerability at ISVA. An attacker can build a simple HTML form to POST a payload to a backend junction endpoint and change the state of the user.
How can we avoid this CSRF attack without disabling the keepAlive solution?
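To make the trade-off in the question concrete, here is an added Python model (not WebSEAL, ISVA or the poster's code): it models which SameSite values let the session cookie ride on a cross-site request, and an Origin-header allowlist that a proxy or application layer in front of the junction could apply so that only the partner's keepAlive call is accepted cross-site while other state-changing cross-site POSTs are rejected. The origins and paths are constructed placeholders, and the check is assumed to sit alongside, not replace, per-request anti-CSRF tokens in the application.

```python
# Added model, not WebSEAL/ISVA code. All origins and paths are constructed.
APP_ORIGIN = "https://isva.example.com"            # assumed WebSEAL/ISVA origin
PARTNER_ORIGINS = {"https://partner.example.net"}  # assumed third-party site(s)
KEEPALIVE_PATH = "/keepAlive"                      # assumed keepAlive resource
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}          # methods that must not change state


def cookie_sent(samesite, method, cross_site, top_level_nav):
    """Model of whether a browser attaches a cookie with the given SameSite value.

    cross_site:    the request's site differs from the cookie's site
    top_level_nav: the request is a top-level navigation (link/form), not fetch/XHR
    """
    if not cross_site:
        return True                     # same-site requests always carry the cookie
    if samesite == "None":
        return True                     # cross-site requests carry it too (CSRF exposure)
    if samesite == "Lax":
        # Lax: only top-level navigations using a safe method carry the cookie,
        # so a partner page's fetch() to keepAlive would arrive without a session
        return top_level_nav and method in SAFE_METHODS
    return False                        # Strict: never on cross-site requests


def csrf_verdict(method, path, origin_header, has_session_cookie):
    """Origin-based check in front of junctions: allow the partner's keepAlive
    call cross-site, reject any other cross-site state-changing request."""
    if not has_session_cookie or method in SAFE_METHODS:
        return "allow"                  # nothing to protect, or not state-changing
    if origin_header is None:
        return "deny"                   # browsers send Origin on POST; treat absence as untrusted
    if origin_header == APP_ORIGIN:
        return "allow"                  # same-origin form/XHR from the ISVA-hosted app
    if origin_header in PARTNER_ORIGINS and path == KEEPALIVE_PATH:
        return "allow"                  # the one cross-site call the design needs
    return "deny"                       # e.g. an attacker-hosted auto-submitting form


if __name__ == "__main__":
    # Why the poster needs SameSite=None: a partner fetch() with Lax gets no cookie
    print(cookie_sent("Lax", "GET", cross_site=True, top_level_nav=False))    # False
    # The cost: a cross-site POST now carries the session cookie as well
    print(cookie_sent("None", "POST", cross_site=True, top_level_nav=False))  # True
    # Origin allowlist closes that gap without breaking keepAlive
    print(csrf_verdict("POST", "/junction/transfer", "https://evil.example.org", True))  # deny
    print(csrf_verdict("POST", KEEPALIVE_PATH, "https://partner.example.net", True))     # allow
```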