SameSite is a cookie attribute that controls whether a cookie is sent along with a cross-site HTTP request, i.e.:
The browser reads this value when making a request (e.g. a fetch) and determines whether it should attach the cookie to the request:
Consider the scenario in which a user:
If intranet.com has marked the session cookie with the SameSite value as:
Developers can avoid this confusion by adopting a session management system that relies not on one but on two cookies 1):
| Number | Cookie Authorization | SameSite | Description |
|---|---|---|---|
| 1 | read | Lax (or empty) | Allow users access to data via top-level navigation |
| 2 | write | Strict | Disallow write operations via top-level navigation |
The absence of the second cookie would provide a reauthentication step before executing any non-idempotent action.
When a cookie is a same-site cookie (i.e. with the Strict or Lax value), this attribute provides a robust defense against:
The Strict or Lax values are inappropriate for:
SameSite values
Lax is the default in browsers
Cookies:
In other words, first-party cookies:
In Strict mode, cookies
The browser will only send cookies for same-site requests (requests originating from the site that set the cookie).
In None mode, cookies are sent in all contexts, i.e. cross-site sending is allowed (third-party cookies are added).
In this mode, the Secure flag should be set (i.e. HTTPS is mandatory).
For development purposes, you can disable the Secure requirement with a browser option flag.
A same-site cookie is a cookie whose SameSite value has been set to Strict or Lax.
The “top-level site” is the registered/apex domain in the address bar of the browser.
A request is:
Example: