Computer message: Because a cookie's SameSite attribute was not set or is invalid, it defaults to SameSite=Lax, which prevents the cookie from being set in a cross-site context. This behavior protects user data from accidentally leaking to third parties and cross-site request forgery. Resolve this issue by updating the attributes of the cookie:
- Specify SameSite=None and Secure if the cookie is intended to be set in cross-site contexts. Note that only cookies sent over HTTPS may use the Secure attribute.
- Specify SameSite=Strict or SameSite=Lax if the cookie should not be set by cross-site requests.
Answer: This warning message is usually seen in the browser console log when a cookie is set from another domain. Recent browsers block third-party cookies from being set over insecure connections (that is, connections that are not HTTPS). This behavior is meant to prevent user data from leaking through request forgery attacks (CSRF) from other domains.
To resolve this issue, update the cookie's attributes with the following values:
If the cookie is set from another domain, set SameSite=None and Secure. Note that a cookie can only use the Secure attribute when it is sent over an HTTPS connection.
If the cookie must not be set from another domain, set SameSite=Strict or SameSite=Lax.
Setting SameSite=None and Secure makes the cookie usable from other domains as well, so when using these values you must take care that no security problems arise. It is best to use this approach only when the cookie is really needed across different domains.
To set these attributes on a cookie, you can use the Set-Cookie header in the server-side response. For example, to set a cookie named mycookie with the SameSite=None and Secure attributes, you can use the following code:
document.cookie = "cookieName=cookieValue; SameSite=None; Secure";
In the code above, cookieName is the cookie's name and cookieValue is the cookie's value. Adding SameSite=None allows the cookie to be set from other domains as well, and adding Secure ensures the cookie is only transmitted over HTTPS.
For a cookie that already exists, you can modify its value using document.cookie. In that case too, add the SameSite attribute the same way as above.
The code that sets the cookie can run anywhere in the web page, but it is typically placed in one of the scripts that run when the page loads.
Also, the SameSite and Secure attributes only apply when the cookie is sent from the browser over HTTPS. Therefore, before using this code, make sure the website is using HTTPS.
Below is an example of setting a cookie using the window.onload event.
window.onload = function() {
    // runs once the page has finished loading
    document.cookie = "cookieName=cookieValue; SameSite=None; Secure";
};
The code above runs after the page has finished loading; replace cookieName and cookieValue with the name and value of the cookie you want to set.
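As an added example, not part of the original question or answer, the following JavaScript applies the browser rule quoted in the warning (missing or invalid SameSite becomes Lax, and SameSite=None needs Secure) to raw Set-Cookie header values, and builds a header with the attribute set the answer recommends. The sample headers are constructed; the function names are my own.

```javascript
// Added example (not from the original answer): audit raw Set-Cookie header
// values against the rule in the warning, then build a compliant header.

// Parse one Set-Cookie value into name, value and a lower-cased attribute
// map; flag attributes such as Secure and HttpOnly become true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((p) => p.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    attrs[(i === -1 ? part : part.slice(0, i)).toLowerCase()] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Browser rule from the warning: missing or invalid SameSite is treated as
// Lax, and SameSite=None is only honoured when Secure is also present.
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const raw = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : undefined;
  const effective = ['strict', 'lax', 'none'].includes(raw) ? raw : 'lax';
  const secure = attrs.secure === true;
  const problems = [];
  if (raw === undefined) problems.push('SameSite not set; browser defaults to Lax');
  else if (effective !== raw) problems.push(`invalid SameSite=${attrs.samesite}; browser defaults to Lax`);
  if (effective === 'none' && !secure) problems.push('SameSite=None without Secure; browser rejects the cookie');
  return { name, effectiveSameSite: effective, secure, crossSiteAllowed: effective === 'none' && secure, problems };
}

// Header with the attributes the answer recommends. Secure is always emitted
// (required for None) and HttpOnly keeps it out of document.cookie; assumes HTTPS.
function buildSetCookie(name, value, { crossSite = false, strict = false } = {}) {
  const sameSite = crossSite ? 'None' : strict ? 'Strict' : 'Lax';
  return `${encodeURIComponent(name)}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=${sameSite}`;
}
// Constructed sample headers, standing in for a scan of real server responses.
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; HttpOnly',   // SameSite missing -> Lax
  'mycookie=1; SameSite=None; Secure',  // cross-site use allowed
  'mycookie=1; SameSite=None',          // rejected: None without Secure
  'pref=9; SameSite=Nope; Secure',      // invalid value -> Lax
];
// Returns one audit record per header (problems is empty for a clean header).
function auditAll(headers = SAMPLE_HEADERS) {
  return headers.map(auditSetCookie);
}
```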