One way to mitigate CSRF attacks is to only allow cookies to be forwarded along with a request if they are from the same site (`SameSite=Lax` or `SameSite=Strict`). However, not all browsers support this setting yet.

If you are relying on this browser behavior then you need to block requests from old browsers (roughly 10% of the market). Otherwise, someone could perform a CSRF attack using an old browser.
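As an added example (not code from the original note), the script below models the two halves of the argument: when a SameSite-aware browser attaches a cookie to a request, and how a server would both issue such a cookie and refuse requests from browsers that predate SameSite support. It assumes a simplified site comparison (last two host labels, no public suffix list), constructed URLs under `.example` and `.test`, and approximate minimum browser versions that are assumptions here rather than values from the note.

```python
import re
from urllib.parse import urlsplit

# Methods a SameSite=Lax cookie may accompany on a cross-site top-level
# navigation ("safe" methods in RFC 6265bis). A cross-site POST never gets it.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

# Approximate first versions with SameSite support. These thresholds are an
# assumption for this illustration; pin them against a browser-support table
# before relying on them. The Chrome token also covers Chromium-based Edge and
# Opera. Order matters: Chrome is tested before Safari because Chrome user
# agents also contain "Safari/".
SAMESITE_MINIMUMS = [
    (re.compile(r"Chrome/(\d+)"), 51),
    (re.compile(r"Firefox/(\d+)"), 60),
    (re.compile(r"Version/(\d+)[\d.]* Safari/"), 12),
]


def registrable_site(url: str) -> str:
    """Simplified 'site' (eTLD+1) of a URL.

    Assumption: no public-suffix-list lookup. The last two host labels are
    treated as the site, which is right for bank.example but wrong for co.uk.
    """
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def cookie_attached(samesite: str, request_url: str, initiator_url: str,
                    method: str = "GET", top_level_navigation: bool = False) -> bool:
    """Would a SameSite-aware browser attach the cookie to this request?"""
    if registrable_site(request_url) == registrable_site(initiator_url):
        return True  # same-site request: always sent, whatever the attribute
    mode = samesite.lower()
    if mode == "none":
        return True  # cross-site sending explicitly allowed
    if mode == "strict":
        return False  # never sent on a cross-site request
    if mode == "lax":
        # Only on a top-level navigation with a safe method (e.g. clicking a link).
        return top_level_navigation and method.upper() in SAFE_METHODS
    raise ValueError(f"unknown SameSite value: {samesite}")


def set_cookie_header(name: str, value: str, samesite: str = "Lax",
                      secure: bool = True, http_only: bool = True) -> str:
    """Build a Set-Cookie header value carrying the SameSite attribute."""
    if samesite.lower() == "none" and not secure:
        raise ValueError("SameSite=None cookies must also be Secure")
    parts = [f"{name}={value}", "Path=/", f"SameSite={samesite}"]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def browser_supports_samesite(user_agent: str) -> bool:
    """True if the User-Agent is a browser version assumed to honour SameSite.

    Unknown browsers return False, i.e. the server fails closed and blocks
    them, which is the note's advice for old browsers.
    """
    for pattern, minimum in SAMESITE_MINIMUMS:
        match = pattern.search(user_agent)
        if match:
            return int(match.group(1)) >= minimum
    return False


if __name__ == "__main__":
    # Constructed URLs: the victim's site and an attacker-controlled page.
    bank, evil = "https://bank.example/transfer", "https://evil.test/"
    print(set_cookie_header("refresh_token", "abc123", samesite="Strict"))
    print("Lax, cross-site POST:", cookie_attached("Lax", bank, evil, "POST"))
    print("Lax, cross-site link click:", cookie_attached("Lax", bank, evil, "GET", True))
    print("Strict, cross-site link click:", cookie_attached("Strict", bank, evil, "GET", True))
```

The `cookie_attached` function is the model a defender reasons with: `Lax` stops the classic cross-site form POST but still sends the cookie on a top-level link click, while `Strict` stops both. `browser_supports_samesite` is the server-side gate the note calls for; anything it cannot recognise as a supporting version is refused rather than trusted.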
See also:
- One way to secure web-based refresh tokens is to set it in a `SameSite` cookie
Links to this note
- A refresh token in an OAuth setup using JSON Web Tokens (JWT) is used to request a new access token. Because access tokens are short-lived (to minimize the impact of a token being exfiltrated), a long-lived refresh token is commonly used to, for example, stay logged into an app rather than needing to log in every n minutes (the lifetime of the access token).