
SameSite Cookie Attribute


The SameSite attribute determines whether a cookie gets sent during cross-site requests. There are four possible values:

Strict: Cookies are only sent in a first-party context or when navigating directly to a site.
Lax: Cookies are sent in some cross-site contexts, but not with embedded content.
None: Cookies are sent in all contexts, including cross-origin requests.
(not set): If the SameSite attribute is not specified, the behavior is browser dependent.

How a browser determines a cross-site request will vary depending on the context of the request and the browser vendor. To learn more, follow some interactive examples below or try the SameSite playground.

#1 Cookies in an IFrame

If you're visiting this page for the first time, you've already collected cookies with different SameSite attributes in your browser session.
Try the following to remove all cookies and retrieve them again from the server:

[Browser Cookies table: Strict, Lax, None, (not set). 🍪 = cookie is available to the browser; ✅ = cookie was sent to the server]

On the first GET request, cookies are sent in the response from the server to the browser. On the second GET request, cookies with a ✅ next to them were sent by the browser and received by the server.

Browser Behavior

Chrome, Firefox: Cookies with SameSite values of Strict and Lax are not sent in the IFrame because it is a cross-site context.
Safari: No cookies are sent in the cross-site context inside the IFrame.
Did You Know?

When SameSite is not set on a cookie, Chrome defaults the cookie to SameSite=Lax. For more info see the Chromium SameSite FAQ.

#2 Clicking a link to this site from a different site

When navigating to this site from a different site (e.g., clicking a link), the browser will receive cookies with SameSite=Strict, but they won't be sent to the server on the first page load.

Try the following to remove all cookies and retrieve them again from the server, by accessing this site from a different site:

#3 302 redirect from a different site

Just like when navigating to a site from a different site, cookies with SameSite=Strict will not be sent on a 302 redirect from a different site.

#4 Cookies with secure=false

Cookies have a secure attribute that can be set to true or false. If secure is set to true, the cookie can only be sent over secure (HTTPS) connections. If SameSite=None, it is important to also set secure=true, but not all browsers enforce this requirement.
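As an added example (not the site's own code, though Go is used because the site is built with Go), here is how a server builds the four cookie variants with the standard library and a small model of the Chromium rules described in scenarios #1 to #4 above; the cookie names and the RequestContext type are assumptions made for this example:

```go
package main

import (
	"fmt"
	"net/http"
)

// RequestContext models the situations exercised in the walkthrough above.
type RequestContext int

const (
	SameSiteNavigation  RequestContext = iota // first-party: typed URL or a link on this site
	CrossSiteNavigation                       // link click or 302 redirect from another site (#2, #3)
	CrossSiteEmbedded                         // IFrame on another site (#1)
)

// demoCookies builds one cookie per SameSite variant, ready for http.SetCookie
// (the cookie names are an assumption for this example, not the site's own).
func demoCookies() []*http.Cookie {
	return []*http.Cookie{
		{Name: "strict", Value: "1", SameSite: http.SameSiteStrictMode},
		{Name: "lax", Value: "1", SameSite: http.SameSiteLaxMode},
		{Name: "none", Value: "1", SameSite: http.SameSiteNoneMode, Secure: true},
		{Name: "unset", Value: "1"}, // SameSite attribute omitted entirely
	}
}

// wouldSend applies the Chromium rules described on this page: Strict is
// first-party only, Lax rides along on top-level cross-site navigations but
// not with embedded content, None goes everywhere but only when Secure (the
// enforcing-browser case), and an unset attribute is treated as Lax.
func wouldSend(c *http.Cookie, ctx RequestContext, https bool) bool {
	if c.Secure && !https {
		return false // Secure cookies never travel over plain HTTP
	}
	switch c.SameSite {
	case http.SameSiteStrictMode:
		return ctx == SameSiteNavigation
	case http.SameSiteNoneMode:
		return c.Secure // enforcing browsers reject None without Secure
	default: // Lax, or unset, which Chrome treats as Lax
		return ctx != CrossSiteEmbedded
	}
}

func main() {
	for _, c := range demoCookies() { // the cross-site IFrame case from #1, over HTTPS
		fmt.Printf("%-32s sent in iframe: %v\n", c.String(), wouldSend(c, CrossSiteEmbedded, true))
	}
}
```

Safari's stricter IFrame behavior noted above is not modeled; the function reflects the Chrome/Firefox column only.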

#5 Sending cookies following a QR code

Playground

[Browser Cookies table: Strict, Lax, None, (not set). 🍪 = cookie is available to the browser; ✅ = cookie was sent to the server. QR code to scan]

I hope you enjoyed walking through these SameSite scenarios. If you are aware of other interesting SameSite behavior, please let me know!


Site built with ♡ using Go, AlpineJS, Tailwind CSS, and OpenMoji. For corrections or feedback please feel free to drop me an email 📧 or create an issue.