SameSite Cookie Attribute
The SameSite attribute determines whether a cookie gets sent during cross-site requests. There are four possible values:
| Strict | Cookies are only sent in a first-party context or navigating directly to a site. |
| Lax | Cookies are sent in some cross-site contexts, but not with embedded content. |
| None | Cookies are sent in all contexts, including cross-origin requests |
| (not set) | If the SameSite attribute is not specified, the behavior is browser dependent. |
How a browser determines a cross-site request will vary depending on the context of the request and the browser vendor. To learn more, follow some interactive examples below or try the SameSite playground.
#1 Cookies in an IFrame
If you're visiting this page for the first time, you've already collected cookies with different SameSite attributes in your browser session.
Try the following to remove all cookies and retrieve them again from the server:
Browser Cookies
On the first GET request, cookies are sent in the response from the server to the browser. On the second GET request, cookies with a ✅ next to them were sent and have been received by server.
Browser Behavior |
|
|---|---|
|
SameSite values of Strict and Lax are not sent in the IFrame because it is a cross site context |
|
No cookies are sent in the cross-site context inside the IFrame |
Did You Know?
When SameSite is not set on cookies, Chrome default the cookie to SameSite=Lax. For more info see the Chromium SameSite FAQ.
#2 Clicking a link to this site from different site
When navigating to this site from a different site (e.g., clicking a link), the browser will receive cookies with SameSite=Strict, but they won't be sent to the server on the first page load.
Try the following to remove all cookies and retrieve them again from the server, by accessing this site from a different site:
-
Link back to this site from a different site
Browser Cookies
Browser Behavior |
|
|---|---|
|
|
When returning to this site by clicking on a link, the cookie with the SameSite=Strict will not be sent. |
Did You Know?
Even if you hit refresh on the bowser, it won't send cookie with the SameSite=Strict. Chrome and Safari however will send it with a
#3 302 redirect from a different site
Just like when navigating to a site from a different site, cookies with the SameSite=Strict will not be sent on a 302 redirect.
-
302 redirect from a different site
Browser Cookies
Browser Behavior |
|
|---|---|
|
|
Only Lax and None cookies are sent after being redirected to this site from a different site. |
|
|
All cookies are sent after a 302 redirect from a different site. |
Did You Know?
A 302 redirect from a different site is treated differently by Chrome than a coming via a link.
#4 Cookies with secure=false
Cookies are sent with a secure attribute, that can be set to true or false. If secure is set to true then cookies can only be sent over secure (HTTPS) connections. If SameSite=None, then it is important to set secure=true, but not all browsers enforce this restriction.
Browser Cookies
Browser Behavior |
|
|---|---|
|
|
It's likely that all cookies are received with secure=false. |
|
|
Cookies with SameSite=None cannot be received unless secure=true is set on the cookie. |
Did You Know?
Eventually, none of browsers will support sending a SameSite cookie with secure set to false. Chrome has already made this change, see this blog post with more information.
#5 Sending cookies following a QR code
-
From your phone or another browser, scan this QR code to navigate to this page in a new browser session:
Browser Cookies
Browser Behavior |
|
|---|---|
|
|
Just like navigating to page from a different site, when visiting a page from a QR code the cookie with the SameSite=Strict will not be sent. |
Did You Know?
If you scan a QR code, it is just like navigating to a page from a different site.
I hope you enjoyed walking through these SameSite secnarios. If you are aware of other interesting SameSite behavior, please let me know!
Site built with ♡ using Go, AlpineJS, Tailwind CSS, and OpenMoji. For corrections or feedback please feel free to drop me an email 📧 or create an issue.