Web HTTP - SameSite Cookie property (First-Party-Only)

About

SameSite is a cookie attribute that controls whether a cookie is sent along with a cross-site HTTP request, i.e.:

The browser reads this value when it makes a request (a navigation or a fetch, for instance) and decides whether the cookie should be added to that request:

Example and confusion

Consider the scenario in which a user:

If intranet.com has marked the session cookie with the SameSite value as:

  • strict:
    • The browser won't add the session cookie to this cross-site request.
    • first.com will respond with a 401 error (Unauthorized).
    • The user is confused because they are authorized to see this project and were already logged in.
  • lax or none:
    • The browser will add the session cookie to this cross-site request.

How to avoid the confusion?

Developers can avoid this confusion by adopting a session management system that relies on not one, but two cookies:

  Number | Cookie | Authorization | SameSite       | Description
  1      | read   | read          | Lax (or empty) | Allow users access to data via top-level navigation
  2      | write  | write         | Strict         | Disallow write operations via top-level navigation

When the second cookie is absent, the application requires a reauthentication step before executing any non-idempotent (state-changing) action.
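The two-cookie pattern above, as an added example (not code from the original page): the server issues a Lax "read" cookie and a Strict "write" cookie, and a state-changing request that arrives without the Strict cookie is answered with a 401 asking for reauthentication. The cookie names (sid_read, sid_write), the in-memory session store and the request shapes are assumptions for illustration.

```javascript
// Constructed sample session store: session id -> user (assumption, not from the page).
const sessions = new Map([["s1", { user: "alice" }]]);

// Set-Cookie headers issued at login: a Lax "read" cookie and a Strict "write" cookie.
// A cross-site top-level navigation will carry only the Lax one.
function loginHeaders(sessionId) {
  return [
    `sid_read=${sessionId}; Path=/; Secure; HttpOnly; SameSite=Lax`,
    `sid_write=${sessionId}; Path=/; Secure; HttpOnly; SameSite=Strict`,
  ];
}

// Minimal Cookie request-header parser ("name=value; name2=value2").
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Safe methods do not change state and are authorized by the read cookie alone.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Authorize a request: safe methods need the read cookie; non-idempotent methods
// additionally need the write cookie bound to the same session.
function authorize(method, cookieHeader) {
  const c = parseCookies(cookieHeader);
  const readSession = sessions.get(c.sid_read);
  if (!readSession) return { status: 401, reason: "no session" };
  if (SAFE_METHODS.has(method)) return { status: 200, user: readSession.user };
  const writeSession = sessions.get(c.sid_write);
  if (!writeSession || c.sid_write !== c.sid_read) {
    return { status: 401, reason: "re-authentication required for write" };
  }
  return { status: 200, user: writeSession.user };
}

// Cross-site navigation from a link: the browser attached only the Lax cookie -> read allowed.
console.log(authorize("GET", "sid_read=s1"));
// A POST that arrives without the Strict cookie -> server asks the user to re-authenticate.
console.log(authorize("POST", "sid_read=s1"));
// A same-site POST carries both cookies -> write allowed.
console.log(authorize("POST", "sid_read=s1; sid_write=s1"));
```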

Usage / Use Case

Appropriate

When a cookie is a same-site cookie (i.e. its SameSite value is Strict or Lax), this attribute provides a robust defense against:

Inappropriate

The Strict and Lax values are inappropriate for:

  • content embedded in a cross-site context (social networking widgets or commenting services, for instance) where the user's state is needed
  • Single Sign-On flows that require authentication in a cross-site context

Values

SameSite values

Lax

Lax is the default value in browsers.

Cookies:

  • are allowed to be sent with top-level navigations (when this is the first navigation)
  • will be sent along with safe requests (request methods that do not change state, such as GET and HEAD) initiated by a third-party website.
  • are not sent with unsafe request methods (i.e. request methods that change state, such as POST, PATCH and PUT).

In other words, first-party cookies:

  • are not sent on cross-site sub-requests, such as calls to load images or frames,
  • are sent when a user navigates to the URL from an external (third-party) site, for example by following a link.

Strict

In Strict mode, cookies:

  • are not added to any kind of cross-site request (they will not be added to requests initiated by third-party websites).
  • are only sent in a first-party (same-site) context.

The browser will only send the cookies for same-site requests (requests originating from the site that set the cookie).

  • If the request originated from a different site than the site of the current location, none of the cookies tagged with the Strict attribute will be included.

None

In None mode, cookies are sent in all contexts, i.e. sending them cross-site is allowed (third-party cookies are added).

In this mode, the Secure flag must be set (i.e. HTTPS is mandatory).

For development purposes, you can disable the Secure requirement with a browser option flag.
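The Lax, Strict and None rules above, modelled as an added example (not code from the original page) of the decision a browser makes before attaching a cookie. The registrable-domain check is a simplification (last two labels) that covers the login.example.com / blog.example.com case; real browsers consult the Public Suffix List. The cookie and request shapes are assumptions for illustration.

```javascript
// Simplified registrable (apex) domain: last two labels of the host name.
// Assumption: real browsers use the Public Suffix List instead.
function registrableDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Two hosts are same-site when they share a registrable domain.
function isSameSite(requestHost, initiatorHost) {
  return registrableDomain(requestHost) === registrableDomain(initiatorHost);
}

// Safe methods do not change state.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// cookie:  { sameSite: "Lax" | "Strict" | "None" | undefined, secure: boolean }
// request: { host, initiatorHost, method, topLevel: boolean, https: boolean }
// Returns true when the browser attaches the cookie to the request.
function cookieIsSent(cookie, request) {
  // None without Secure is rejected by the browser when set; modelled as never sent.
  if (cookie.sameSite === "None" && !cookie.secure) return false;
  // A Secure cookie is never sent over plain HTTP.
  if (cookie.secure && !request.https) return false;
  // Same-site requests always receive the cookie.
  if (isSameSite(request.host, request.initiatorHost)) return true;
  // Cross-site request: the SameSite value decides. Missing attribute behaves as Lax.
  switch (cookie.sameSite || "Lax") {
    case "Strict": return false;
    case "Lax":    return request.topLevel && SAFE_METHODS.has(request.method);
    case "None":   return true;
    default:       return false;
  }
}

// Constructed scenario from the page: a user on first.com follows a link to intranet.com.
const navFromFirst = { host: "intranet.com", initiatorHost: "first.com",
                       method: "GET", topLevel: true, https: true };
const imgFromFirst = { ...navFromFirst, topLevel: false };      // <img> sub-request
const postFromFirst = { ...navFromFirst, method: "POST" };       // cross-site form submit
const sameSiteNav = { ...navFromFirst, host: "blog.example.com",
                      initiatorHost: "login.example.com" };

console.log(cookieIsSent({ sameSite: "Lax", secure: true }, navFromFirst));    // true
console.log(cookieIsSent({ sameSite: "Lax", secure: true }, imgFromFirst));    // false
console.log(cookieIsSent({ sameSite: "Lax", secure: true }, postFromFirst));   // false
console.log(cookieIsSent({ sameSite: "Strict", secure: true }, navFromFirst)); // false
console.log(cookieIsSent({ sameSite: "Strict", secure: true }, sameSiteNav));  // true
console.log(cookieIsSent({ sameSite: "None", secure: false }, imgFromFirst));  // false
```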

Glossary

A same-site cookie is a cookie whose SameSite attribute has been set to Strict or Lax.

Top-level site

The “top-level site” is the registered/apex domain in the address bar of the browser.

Same-site vs Cross-site

A request is:

Example:

  • Requests between login.example.com and blog.example.com are same-site requests because the two hosts share the same apex (registrable) domain.
