What is a SameSite cookie?
SameSite is an attribute that can be included in the Set-Cookie HTTP response header to declare whether your cookie should be restricted to a first-party or same-site context. Its primary goal is to mitigate Cross-Site Request Forgery (CSRF) attacks and enhance user privacy by controlling when cookies are sent with cross-site requests.
What are SameSite Cookies?
SameSite is an attribute for HTTP cookies that helps to prevent CSRF attacks. When the SameSite attribute is set, browsers will restrict how cookies are sent with requests originating from different websites. This mechanism adds a layer of security by making it harder for malicious sites to trick a user's browser into sending cookies to a trusted site.
SameSite Attribute Values
The SameSite attribute can take three possible values: 'Lax', 'Strict', and 'None'.
Lax
Lax is the value Chromium-based browsers apply when a cookie carries no SameSite attribute at all. Cookies with SameSite=Lax are sent on cross-site top-level navigations that use a safe HTTP method (for example, the user clicks a link to your site, which is a GET), but not on other cross-site requests: POST form submissions, images, iframes, fetch/XHR. This blocks the classic CSRF vector (a cross-site POST) while keeping ordinary links into the site working. Note what it does not cover: a state-changing endpoint reachable by GET is still exposed to CSRF under Lax, because the attacker can simply link to it.
Strict
Cookies with SameSite=Strict are only sent with requests whose initiator is the same site that set the cookie. If a user reaches your site by following a link from another site, the first request carries no cookie, so the user appears logged out until the next same-site navigation. This is the strongest protection against CSRF but is too restrictive for legitimate cross-site entry points, such as single sign-on callbacks or deep links shared from other sites, and can break the user experience there.
None
Cookies with SameSite=None are sent with all requests, including cross-site requests, so the attribute provides no CSRF protection. When SameSite=None is used, the cookie must also carry the Secure attribute, meaning it is only sent over HTTPS; Chromium-based browsers reject a SameSite=None cookie that lacks Secure rather than storing it. This combination is needed by services that intentionally rely on cross-site cookies, such as third-party embeds, widgets, or single sign-on providers. Any endpoint that accepts such a cookie needs its own CSRF defense (anti-CSRF tokens, Origin header checks), since SameSite is deliberately switched off for it.
How to Set SameSite in HTTP Headers
The SameSite attribute is set in the Set-Cookie HTTP response header sent by the server.
Set-Cookie: session_id=abc; Expires=Sat, 21 Oct 2023 07:28:00 GMT; Secure; HttpOnly; SameSite=Lax
Set-Cookie: login_token=xyz; Max-Age=3600; Secure; HttpOnly; SameSite=Strict
Set-Cookie: tracking_cookie=123; Expires=Tue, 31 Dec 2024 23:59:59 GMT; Secure; SameSite=None
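To make the three values concrete, here is an added example (not code from the original article) that models the decision a browser makes when it must choose whether to attach a cookie to a request, together with a minimal Set-Cookie parser for the attributes that matter to that decision. It is run against the three headers above plus a constructed CSRF attempt from an attacker page. Assumptions: the "site" strings (https://bank.example, https://evil.example) are constructed for the demonstration and are supplied by the caller as scheme plus registrable domain, whereas a real browser derives them from the URL and the Public Suffix List; the rules modelled are the Chromium ones (no SameSite attribute is treated as Lax, and SameSite=None without Secure is rejected outright).

```javascript
// Added example, not from the original article: a small model of how a browser
// applies the SameSite attribute. Site strings and the bank/evil scenario below
// are constructed for illustration.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Parse one Set-Cookie header value into {name, value, secure, httpOnly, sameSite}.
// Expires, Max-Age, Path and Domain are kept in `other` but play no part below.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: null, // null means the attribute was absent
    other: {},
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1);
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = val.toLowerCase();
    else cookie.other[key] = val;
  }
  return cookie;
}

// The SameSite mode the browser will enforce, or null if it refuses to store
// the cookie at all (SameSite=None without Secure, as in Chromium).
function effectiveSameSite(cookie) {
  if (cookie.sameSite === "none") return cookie.secure ? "none" : null;
  if (cookie.sameSite === "strict" || cookie.sameSite === "lax") return cookie.sameSite;
  return "lax"; // absent or unrecognised value: Chromium's Lax-by-default
}

// req = { targetSite, initiatorSite, method, topLevelNavigation }
// targetSite is the site the request goes to; initiatorSite is the site of the
// document that caused the request (the page holding the <form>, <img>, <a>, ...).
function cookieIsSent(cookie, req) {
  const mode = effectiveSameSite(cookie);
  if (mode === null) return false; // never stored, so never sent
  if (cookie.secure && !req.targetSite.startsWith("https://")) return false;
  if (req.initiatorSite === req.targetSite) return true; // same-site: always sent
  switch (mode) {
    case "none":
      return true;
    case "strict":
      return false;
    case "lax":
      // Only top-level navigations with a safe method, e.g. the user clicking a link.
      return req.topLevelNavigation && SAFE_METHODS.has(req.method.toUpperCase());
  }
}

// The article's three headers, plus two edge cases: None without Secure, and
// a cookie with no SameSite attribute at all.
const cookies = {
  lax: parseSetCookie("session_id=abc; Secure; HttpOnly; SameSite=Lax"),
  strict: parseSetCookie("login_token=xyz; Max-Age=3600; Secure; HttpOnly; SameSite=Strict"),
  none: parseSetCookie("tracking_cookie=123; Secure; SameSite=None"),
  noneInsecure: parseSetCookie("bad=1; SameSite=None"),
  unset: parseSetCookie("legacy=1; Secure"),
};

// Constructed scenarios: the victim's bank is https://bank.example and the
// attacker's page is https://evil.example.
const bank = "https://bank.example";
const evil = "https://evil.example";
const scenarios = {
  // <form method="POST" action="https://bank.example/transfer"> auto-submitted on the attacker's page
  csrfPost: { targetSite: bank, initiatorSite: evil, method: "POST", topLevelNavigation: true },
  // <a href="https://bank.example/"> on the attacker's page, clicked by the victim
  clickLink: { targetSite: bank, initiatorSite: evil, method: "GET", topLevelNavigation: true },
  // <img src="https://bank.example/avatar"> embedded in the attacker's page
  image: { targetSite: bank, initiatorSite: evil, method: "GET", topLevelNavigation: false },
  // The bank's own JavaScript calling the bank's own API
  ownApi: { targetSite: bank, initiatorSite: bank, method: "POST", topLevelNavigation: false },
};

// Cookie x scenario table of "is the cookie attached?"
function matrix() {
  const out = {};
  for (const [cName, cookie] of Object.entries(cookies)) {
    out[cName] = {};
    for (const [sName, req] of Object.entries(scenarios)) {
      out[cName][sName] = cookieIsSent(cookie, req);
    }
  }
  return out;
}

console.table(matrix());
```

The table makes the trade-off visible: only the None cookie travels with the cross-site POST, so only it is usable for CSRF; the Strict cookie is also missing when the victim follows a link to the bank, which is the "appears logged out" effect described above; and the cookie with no SameSite attribute behaves exactly like Lax under Chromium's default.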
Impact and Considerations
- Security: SameSite cookies significantly reduce exposure to CSRF, but they are defense in depth, not a replacement for anti-CSRF tokens: they do nothing against an attacker who already controls a same-site origin (for example, a vulnerable sibling subdomain), and nothing in browsers that do not implement the attribute.
- Browser Defaults: Chromium-based browsers (Chrome 80 and later, Edge) treat a cookie with no SameSite attribute as SameSite=Lax, including cookies that were set before the change, with one temporary exception: such a cookie is still sent on a cross-site top-level POST during the first two minutes after it was set ("Lax+POST"). Firefox and Safari have not enabled Lax-by-default, so set the attribute explicitly rather than relying on the browser.
- Cross-Site Compatibility: If your application relies on cookies being sent in a third-party context (e.g., embedded content, federated login), you must explicitly set SameSite=None; Secure. Browsers that enforce the new rules reject SameSite=None without Secure instead of storing the cookie.
- Backward Compatibility: Browsers that predate the attribute ignore it and keep sending the cookie cross-site as they always did (Secure and HttpOnly are separate attributes and still apply). Worse, some versions of Safari 12 and iOS 12 treated the then-unknown value None as SameSite=Strict, so the cookie was not sent cross-site at all. Testing across different browser versions is crucial.
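One widely used workaround for the Safari 12 problem is to set the session twice: once with SameSite=None; Secure for browsers that understand it, and once under a fallback name with no SameSite attribute, which old browsers accept and which Safari 12 does not misread as Strict. The server then reads the modern cookie and falls back to the legacy one only when the modern one is absent. This is an added example, not code from the original article; the cookie names sid and sid-legacy, and the incoming Cookie header values, are assumptions constructed for illustration.

```javascript
// Added example, not from the original article: the "two cookies" workaround
// for browsers that mishandle SameSite=None. Cookie names are assumed.

// Build the Set-Cookie headers for a cross-site session. The legacy cookie
// deliberately carries no SameSite attribute; in Lax-by-default browsers it is
// therefore not sent cross-site, which is fine because those browsers use `sid`.
function setCookieHeadersForCrossSiteSession(value, { maxAge = 3600 } = {}) {
  const common = `Max-Age=${maxAge}; Path=/; Secure; HttpOnly`;
  return [
    `sid=${value}; ${common}; SameSite=None`,
    `sid-legacy=${value}; ${common}`, // no SameSite attribute on purpose
  ];
}

// Parse a request's Cookie header ("a=1; b=2") into a name -> value map.
function parseCookieHeader(header) {
  const out = {};
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i === -1) continue;
    out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Prefer the modern cookie; use the legacy one only when the modern cookie is
// missing, i.e. the browser either refused to store it or refused to send it.
function sessionFromRequest(cookieHeader) {
  const jar = parseCookieHeader(cookieHeader);
  return jar["sid"] ?? jar["sid-legacy"] ?? null;
}

// Constructed Cookie headers as three different browsers would send them.
console.log(sessionFromRequest("sid=abc; sid-legacy=abc")); // modern browser
console.log(sessionFromRequest("sid-legacy=abc")); // Safari 12 dropped `sid`
console.log(sessionFromRequest("other=1")); // no session at all
```

Because the legacy cookie has no SameSite protection, the pair is only as strong as the weaker of the two in browsers that actually send it; those are precisely the browsers that never had SameSite protection in the first place, so the workaround widens nothing, but the endpoints behind it still need token- or Origin-based CSRF checks, and the legacy cookie should be removed once those browsers are out of your traffic.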