
SameSite Cookies

On the internet, before anyone thought about security issues and cared about things like CSRF attacks, cookies just worked. Then Google had to come along and spoil the naive party.

Cookies set without a SameSite attribute used to default to SameSite=None behavior. Now Chrome (as of version 84+) defaults to Lax-ish (a temporary, slightly relaxed variant of Lax), and if you want to set SameSite=None it also requires the cookie to be Secure, which means it has to be served over https (it's 2020, so this shouldn't be an issue).

Google's decisions here are all for the right reasons, and other browsers are following along. However, for now it can be a bit of a bumpy ride.

Understanding Strict, Lax and None.

Safari has a painful bug. Setting SameSite=None is treated as an invalid value, which means Safari then treats the cookie as SameSite=Strict 🤦‍♂️.

Options

  • User-agent sniffing. Eeewwwwww!
  • Create a duplicate legacy cookie
  • Accept the break for older versions

Suggestion

Embrace SameSite as the way forward and the new normal. When creating cookies, be sure to explicitly set the value to Lax, Strict or None (with Secure if it's None). This will also avoid a future surprise when Chrome's temporary Lax-ish behavior switches to full Lax.

After that you can decide whether your site needs to support older browser versions, and which solutions or workarounds are required.
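An added example (not code from the original post) showing the "duplicate legacy cookie" option and the suggestion above in one place: every cookie gets an explicit SameSite value, SameSite=None is refused without Secure, and a twin cookie with no SameSite attribute is emitted for browsers that mishandle None. The function names (`serializeCookie`, `buildSessionCookies`, `sessionFromCookieHeader`) and cookie names (`sid`, `sid-legacy`) are my own assumptions.

```javascript
// Added example: Set-Cookie construction for the SameSite rules described above.
// Function and cookie names are hypothetical, not from any framework.

// Serialize one cookie with an explicit SameSite value.
// Chrome 84+ rejects SameSite=None unless the cookie is also Secure, so
// that combination is refused here instead of silently producing a dead cookie.
function serializeCookie(name, value, { sameSite, secure = true, httpOnly = true, path = '/', maxAge } = {}) {
  if (!/^[\w-]+$/.test(name)) throw new Error(`invalid cookie name: ${name}`);
  if (sameSite !== undefined && !['Strict', 'Lax', 'None'].includes(sameSite)) {
    throw new Error(`invalid SameSite value: ${sameSite}`);
  }
  if (sameSite === 'None' && !secure) throw new Error('SameSite=None requires Secure');
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (Number.isInteger(maxAge)) parts.push(`Max-Age=${maxAge}`);
  if (httpOnly) parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Build the Set-Cookie headers for a session. A same-site-only session gets
// SameSite=Lax. A session that must work in cross-site requests (embedded
// widget, third-party context) gets SameSite=None; Secure plus a legacy twin
// with no SameSite attribute: browsers that turn None into Strict (the Safari
// bug) withhold the first cookie cross-site but still send the second.
function buildSessionCookies(sessionId, { crossSite = false } = {}) {
  const modern = serializeCookie('sid', sessionId, { sameSite: crossSite ? 'None' : 'Lax', secure: true });
  if (!crossSite) return [modern];
  const legacy = serializeCookie('sid-legacy', sessionId, { secure: true }); // deliberately no SameSite
  return [modern, legacy];
}

// Parse an incoming Cookie header and prefer the modern cookie when present,
// falling back to the legacy twin.
function sessionFromCookieHeader(header = '') {
  const jar = new Map();
  for (const pair of header.split(';')) {
    const idx = pair.indexOf('=');
    if (idx === -1) continue;
    jar.set(pair.slice(0, idx).trim(), decodeURIComponent(pair.slice(idx + 1).trim()));
  }
  return jar.get('sid') ?? jar.get('sid-legacy') ?? null;
}
```

Both cookies carry the same value, so the legacy twin can be dropped later without touching the reader once older browsers are no longer supported.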

