On the internet, before anyone thought much about security issues or cared about things like CSRF attacks, cookies just worked. Then Google had to come along and spoil the naive party.
Cookies set without a SameSite attribute used to get SameSite=None behavior by default. Now Chrome (as of version 84+) defaults them to Lax (actually a slightly softer "Lax + POST" variant for now: a cookie with no SameSite attribute that is less than two minutes old is still sent on a top-level cross-site POST), and if you want to set it to None it also requires making it a Secure cookie, which means it needs to be on https (it's 2020, so this shouldn't be an issue).
Google's decisions here are all for the right reasons and other browsers are following. However, for now it can be a bit of a bumpy ride.
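Here is what that boils down to in code, as an added example (not from the original post): a small model of the Chrome 84+ rules above that you can run a Set-Cookie header through before shipping it. The function names, the tiny parser and the request-object shape are this example's own; the rules modelled are Chrome's documented ones (None requires Secure, Lax by default, and the temporary two-minute Lax + POST allowance).

```javascript
// Added example: model of how Chrome 84+ treats the SameSite attribute.
// Names and the request object shape are assumptions of this example.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);
const LAX_POST_WINDOW_SECONDS = 120; // Chrome's temporary "Lax + POST" allowance

// Parse a Set-Cookie header value into { name, value, attrs } with attribute
// names lower-cased; value-less attributes (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return cookie;
}

// Would Chrome 84+ store this cookie at all? SameSite=None without Secure is
// dropped, and a Secure cookie cannot be set from a plain-http origin.
function chromeAccepts(header, scheme) {
  const { attrs } = parseSetCookie(header);
  const sameSite = String(attrs.samesite || '').toLowerCase();
  if (sameSite === 'none' && !attrs.secure) return false;
  if (attrs.secure && scheme !== 'https') return false;
  return true;
}

// Effective mode: an absent or unrecognised value means Lax-by-default, which is
// the only case eligible for the Lax + POST window (an explicit Lax is not).
function effectiveSameSite(attrs) {
  const v = String(attrs.samesite || '').toLowerCase();
  if (v === 'strict' || v === 'none' || v === 'lax') return { mode: v, byDefault: false };
  return { mode: 'lax', byDefault: true };
}

// Would Chrome 84+ attach this cookie to a request?
// req = { crossSite, topLevelNavigation, method, cookieAgeSeconds }
function chromeSends(header, req) {
  const { attrs } = parseSetCookie(header);
  if (!req.crossSite) return true; // same-site requests always carry the cookie
  const { mode, byDefault } = effectiveSameSite(attrs);
  if (mode === 'none') return true;
  if (mode === 'strict') return false;
  // Lax: only top-level navigations with a safe method ...
  if (!req.topLevelNavigation) return false;
  const method = req.method.toUpperCase();
  if (SAFE_METHODS.has(method)) return true;
  // ... except that Lax-by-default cookies younger than two minutes also ride
  // along on a top-level cross-site POST. Explicit SameSite=Lax never does.
  return byDefault && method === 'POST' && req.cookieAgeSeconds < LAX_POST_WINDOW_SECONDS;
}
```

The interesting case is the last branch: a cookie you never gave a SameSite attribute behaves differently from one you explicitly set to Lax, and only for two minutes, which is exactly the kind of "works in testing, breaks in production" surprise the post warns about.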
Safari has a painful bug. Setting SameSite=None makes the attribute invalid, which then sets it to

The workarounds boil down to:

- User-agent sniffing. Eeewwwwww!
- Create a duplicate legacy cookie
- Accept the break for older versions
SameSite is the way forward and the new normal. When creating cookies, be sure to set the value explicitly (and add Secure if it's None). This will also avoid a future surprise when Chrome's temporary Lax-ish behavior switches to plain Lax.
After that you can decide whether supporting the old versions is required for your site, and which of the workarounds above you actually need.
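The three workarounds above, as an added example in code (not from the original post). The function names, the cookie names sid / sid-legacy and the user-agent patterns are this example's own choices; the clients the patterns match are the WebKit ones documented as mishandling SameSite=None (any browser on iOS 12, and Safari on macOS 10.14), and a production list would be longer.

```javascript
// Added example: the three SameSite=None workarounds. Names, cookie names and
// the user-agent patterns are assumptions of this example.

// Build one Set-Cookie header. SameSite=None without Secure would simply be
// dropped by Chrome 84+, so it is rejected here rather than sent.
function buildSetCookie(name, value, { sameSite, secure = true, httpOnly = true, path = '/' } = {}) {
  if (sameSite !== undefined && !['Lax', 'Strict', 'None'].includes(sameSite)) {
    throw new Error(`invalid SameSite value: ${sameSite}`);
  }
  if (sameSite === 'None' && !secure) throw new Error('SameSite=None requires Secure');
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  if (sameSite !== undefined) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Workaround 1: user-agent sniffing. Assumption: these two patterns are enough
// for this example (iOS 12 WebKit, and Safari proper on macOS 10.14; Chrome on
// 10.14 sends "Chrome/" instead of "Version/" and is deliberately not matched).
const INCOMPATIBLE_UA = [
  /\(iP(?:hone|ad|od)[^)]*; CPU [^)]*OS 12[_\d]* like Mac OS X\) AppleWebKit\//,
  /\(Macintosh;[^)]*Mac OS X 10_14[_\d]*\) AppleWebKit\/[^ ]+ \(KHTML, like Gecko\) Version\/\d[^ ]* Safari\//,
];
function rejectsSameSiteNone(userAgent) {
  return INCOMPATIBLE_UA.some((re) => re.test(userAgent));
}

// Set-Cookie header(s) for a cross-site session cookie under each strategy:
// 'sniff', 'legacy-pair' or 'break'.
function sessionSetCookies(value, userAgent, strategy) {
  const modern = buildSetCookie('sid', value, { sameSite: 'None' });
  switch (strategy) {
    case 'sniff':
      // Broken clients get no SameSite attribute at all; they still treat
      // that as the old permissive default.
      return [rejectsSameSiteNone(userAgent) ? buildSetCookie('sid', value) : modern];
    case 'legacy-pair':
      // Workaround 2: always send both. Clients that mishandle SameSite=None
      // still store the legacy cookie normally; Chrome 84+ stores both (the
      // legacy one as Lax-by-default) and the server accepts either name.
      return [modern, buildSetCookie('sid-legacy', value)];
    case 'break':
      // Workaround 3: modern cookie only, old clients lose cross-site sessions.
      return [modern];
    default:
      throw new Error(`unknown strategy: ${strategy}`);
  }
}

// Parse a Cookie request header and pick the session value, preferring the
// modern cookie so the legacy one is only a fallback.
function readSession(cookieHeader) {
  const jar = {};
  for (const pair of cookieHeader.split(';')) {
    const eq = pair.indexOf('=');
    if (eq === -1) continue;
    jar[pair.slice(0, eq).trim()] = decodeURIComponent(pair.slice(eq + 1).trim());
  }
  if ('sid' in jar) return jar.sid;
  if ('sid-legacy' in jar) return jar['sid-legacy'];
  return null;
}
```

Whichever strategy you pick, keep the read side tolerant (readSession above) until you drop the legacy cookie, and note that the duplicate-cookie approach doubles the cookie bytes on every request, which is its main cost.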