What is a SameSite cookie?


The SameSite attribute can be used to control whether and how cookies are submitted in cross-site requests. Without it, browsers attach a site's cookies to every request for that site by default, including requests initiated from third-party websites. This creates the possibility of cross-site request forgery (CSRF) attacks, other security vulnerabilities and privacy leaks. The SameSite cookie attribute restricts this browser behavior and prevents the browser from sending the cookie’s key-value pair based on the type of interaction that triggered the HTTP request.

Chrome, Firefox and others will be changing their default behavior in line with the IETF proposal, Incrementally Better Cookies, and will begin enforcing a new secure-by-default cookie classification system, treating cookies that have no declared SameSite value as SameSite=Lax cookies. Only cookies set as SameSite=None; Secure will be available in third-party contexts, provided they are being accessed from secure connections.

According to the online traffic monitor StatCounter, Chrome is the most popular web browser, and this change will affect 64% of the world’s internet users in 2020. These changes will also dramatically impact advertisers, publishers, or any company relying on cookies to target their audience. Be sure to prepare in advance so your users won’t experience disruptions.

Chrome 80 update

From the 4th of February, this will become the default behavior in Chrome 80. If you currently provide cookies that are intended for cross-site usage, you will need to make changes.

How to implement SameSite

For cookies that are only needed in a first-party context, you should ideally mark them as SameSite=Lax or SameSite=Strict depending on your needs. You can also choose to do nothing and just allow the browser to enforce its default, but this comes with the risk of inconsistent behavior across browsers and potential console warnings for each cookie.

For cookies needed in a third-party context, you will need to ensure they are marked as SameSite=None; Secure. Note that you need both attributes together. If you just specify None without Secure the cookie will be rejected.

Accepted attribute values for SameSite

strict - The browser will only send cookies for first-party context requests (requests originating from the site that set the cookie). If the request originated from a different site than the one that set the cookie, none of the cookies tagged with the Strict attribute will be sent.

lax - Cookies will be sent in a first-party context and, across sites, only with HTTP GET requests that navigate the user to the URL. Cookies will be withheld on cross-site sub-requests, such as calls to load images or iframes, but will be sent when a user navigates to the URL from an external site, e.g., by following a link.

none - Cookies will be sent in both first-party and cross-site requests; however, the value must be explicitly set to None, the cookie must include the Secure attribute, and requests must use HTTPS, because Secure requires an encrypted connection. Both attributes are required together. If just None is specified without Secure, or if the HTTPS protocol is not used, the third-party cookie will be rejected.
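To check your own Set-Cookie headers against the three values above, here is a small model of the browser's decision, added as an illustration and not taken from any browser's code. The header strings, cookie names and the request object shape are constructed for the example.

```javascript
// Extract the cookie name plus the two attributes that decide cross-site delivery.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf("=")), sameSite: null, secure: false };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim().toLowerCase());
    if (key === "secure") cookie.secure = true;
    if (key === "samesite") cookie.sameSite = value;
  }
  return cookie;
}

// Policy the browser applies under the new defaults described in this article.
function effectivePolicy(cookie) {
  if (cookie.sameSite === "none") return cookie.secure ? "none" : "rejected";
  if (cookie.sameSite === "strict") return "strict";
  // Explicit Lax or no SameSite declared. Treating unrecognised values
  // the same way is an assumption of this sketch.
  return "lax";
}

// req is a hypothetical shape: { crossSite, topLevelNavigation, method, https }
function willSend(header, req) {
  const cookie = parseSetCookie(header);
  const policy = effectivePolicy(cookie);
  if (policy === "rejected") return false;        // None without Secure is never stored
  if (cookie.secure && !req.https) return false;  // Secure cookies need HTTPS
  if (!req.crossSite || policy === "none") return true;
  if (policy === "lax") return req.topLevelNavigation && req.method === "GET";
  return false;                                   // strict: never sent cross-site
}

// Constructed sample headers, one per case discussed above.
const SAMPLE_HEADERS = [
  "session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict",
  "prefs=dark; Path=/",
  "widget=xyz; SameSite=None",
  "embed=xyz; SameSite=None; Secure",
];

// Report declared vs. effective policy so defaults and rejections stand out.
function audit(headers) {
  return headers.map((h) => {
    const c = parseSetCookie(h);
    return { name: c.name, declared: c.sameSite, effective: effectivePolicy(c) };
  });
}

console.table(audit(SAMPLE_HEADERS));
```

The `prefs` row shows a cookie relying on the browser default, and the `widget` row shows the None-without-Secure case that gets rejected.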




I drink a lot of tea and build beautiful websites. If you are looking to work together or just start a conversation 👉 https://www.ronaldsvilcins.com/

Ronalds Vilcins
