SameSite Cookie Attribute Explained
The SameSite cookie attribute tells browsers how first-party and Third-Party Cookies should be handled. Browsers either allow or block such cookies depending on the attribute value and the request scenario. In this article, we explain all aspects of the SameSite attribute in detail.
Understanding Cross-Site and Same-Site Cookies
Websites often integrate external services for analytics, content recommendations, advertising, social embeds, and other features. When users start browsing a website, these external services may set cookies in users’ browsers and collect information about users to deliver personalized content or measure user engagement. Websites themselves can also set cookies to monitor user behavior, so there could be different types of cookies stored on users’ browsers.
Every cookie has a domain associated with it. If the domain associated with a cookie matches the website’s domain, such a cookie is called a same-site cookie, or a first-party cookie. If the domain associated with a cookie differs from the website’s domain, such a cookie is called a cross-site cookie, or a third-party cookie.
Less obvious cross-site cookie usage cases include situations where a company owns multiple websites with different domains but uses identical cookies across those domains. For example, a company could own several websites for different hotels and a common reservations website. When a user visits the website of a hotel and decides to make a reservation, they are transferred to the more secure reservations website. Although the same company owns all the websites and uses the same cookies, this still counts as a cross-site context, since the cookies’ domains do not match the sites from which the cookies were accessed.
See the guide on how to enable cross-domain cookie consent.
To comply with privacy laws, companies or websites must obtain user consent to store cookies on their devices and collect personal data. The most common way to inform users about cookies and collect user consent is to use a cookie banner on a website or app.
Some Consent Management Platforms (CMPs) like CookieScript allow cross-site cookie consent sharing to avoid repeating cookie banners.
However, with growing concerns about personal data privacy and potential security risks, especially with Third-Party Cookies, there's a need to control where to use these cookies.
That's where the SameSite attribute steps in, allowing developers to specify when a cookie is allowed and when a cookie is blocked based on where the request comes from.
Scan your website with a free Cookie Scanner and check what cookies, including Third-Party Cookies, your website uses.
What is the SameSite Cookie Attribute?
The SameSite attribute was first introduced by Google on its Chrome browser in 2020.
The SameSite attribute is a security feature for HTTP cookies that defines how cookies are sent along with cross-site requests.
By controlling when cookies are included in requests, the SameSite attribute is important for the following reasons:
- Preventing cross-site request forgery (CSRF). A CSRF attack occurs when a malicious website or program tricks an authenticated user's web browser into performing an unwanted action on a trusted site. Because the forged request carries the user's cookies, and with them the session, an attacker can send unauthorized commands to a website on behalf of a trusted user, and the site sees them as valid. Unprotected target sites cannot distinguish legitimate authorized requests from forged authenticated requests. The SameSite attribute limits the conditions under which cookies are sent, which significantly reduces the risk of CSRF attacks.
- Enhancing privacy. The SameSite attribute helps restrict the exchange of cookies between sites, ensuring that personal sensitive data is not inadvertently exposed to third parties.
- Aligning with browser policies. Browsers have strict default SameSite behaviors. By properly configuring SameSite, you can ensure compatibility with browser policies and avoid unintended disruptions.
The SameSite attribute can have three possible values:
- Strict
- Lax
- None
The SameSite Attribute Values
On your website, you have three options to establish a SameSite cookie value: Strict, Lax, or None.
SameSite=Strict
As the name implies, the “Strict” value is the more aggressive form of cross-site request forgery prevention. When a cookie's SameSite attribute is set to Strict, the cookie is sent only if the request originates from the same site. With the SameSite=Strict value, the web browser never transfers the cookie during cross-domain requests. Most websites that choose to set their SameSite value to “Strict” are those in financial services, web banking, cryptocurrency, and other areas at high risk of cross-site request forgery (CSRF) attacks.
However, it may lead to functionality issues, especially when cross-site communication is essential. For example, if you click on an external link that leads to a website that typically populates customization options from cookies, this data will likely not load correctly. You may have to type in the address in the toolbar in order to restore the customized features of the website.
SameSite=Lax
The SameSite=Lax attribute is a more relaxed form of cross-site request protection. With this setting, your web browser allows most cross-domain cookie sharing, provided the request is a top-level GET navigation. This attribute is suitable for applications that require limited cross-site cookie usage, like login forms that redirect to another domain.
When the cookie's SameSite attribute is set to Lax, cookies won't be sent on cross-site resource requests, such as images, stylesheets, or scripts, but they will be sent for top-level navigations (e.g. when a user clicks on a link leading to the site).
SameSite=Lax is the default SameSite attribute value if it is not specified.
SameSite=None; Secure
The SameSite=None attribute will share cookies between sites with all cross-site requests. Cookies are sent on both originating and cross-site requests. However, to use this setting, the cookie must also have the Secure attribute, meaning it can only be transmitted over HTTPS connections. Ideally, you should never set this attribute unless you really need to. The SameSite=None attribute could be used for Third-Party Cookies, and employed for content embedding, analytics, and single sign-on (SSO) systems.
If the SameSite attribute isn't set, browsers will treat cookies as if they were set to Lax.
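To make the three values concrete, here is an added example (not code from the original article) that models the rules described above and predicts whether a browser attaches a cookie to a request. The scenario names and request shapes are constructed for illustration, and real browsers add nuances the model omits (for example Chrome's short-lived exception that lets Lax cookies accompany cross-site POSTs for two minutes after they are set).

```javascript
// Added example: a small model of the SameSite rules described in the
// article. It is an educational approximation, not browser code.

// Browsers treat a missing or unrecognised SameSite value as Lax.
function effectiveSameSite(attr) {
  const v = (attr || "Lax").toLowerCase();
  return v === "strict" || v === "none" ? v : "lax";
}

// cookie:  { sameSite: string|undefined, secure: boolean }
// request: { sameSite: boolean, topLevel: boolean, method: string, https: boolean }
function cookieIsSent(cookie, request) {
  // A Secure cookie is only ever sent over HTTPS, whatever its SameSite value.
  if (cookie.secure && !request.https) return false;
  const mode = effectiveSameSite(cookie.sameSite);
  // SameSite=None is only accepted when the cookie is also Secure;
  // without Secure the browser rejects the cookie, so it is never sent.
  if (mode === "none") return cookie.secure === true;
  if (request.sameSite) return true;      // same-site requests: always sent
  if (mode === "strict") return false;    // Strict: never on cross-site requests
  // Lax: cross-site only for top-level navigations using a safe method.
  return request.topLevel && request.method.toUpperCase() === "GET";
}

// Constructed sample requests matching the scenarios the article discusses.
const SCENARIOS = {
  sameSiteXhr:   { sameSite: true,  topLevel: false, method: "GET",  https: true },
  clickLink:     { sameSite: false, topLevel: true,  method: "GET",  https: true }, // external link to the site
  embeddedImage: { sameSite: false, topLevel: false, method: "GET",  https: true }, // <img> on another site
  crossSitePost: { sameSite: false, topLevel: true,  method: "POST", https: true }, // classic CSRF form post
};

// Returns, per scenario, whether the given cookie would be attached.
function sentMatrix(cookie) {
  const out = {};
  for (const [name, req] of Object.entries(SCENARIOS)) {
    out[name] = cookieIsSent(cookie, req);
  }
  return out;
}

console.log("Strict:", sentMatrix({ sameSite: "Strict", secure: true }));
console.log("Lax (default):", sentMatrix({ secure: true }));
console.log("None; Secure:", sentMatrix({ sameSite: "None", secure: true }));
```

Running it shows the CSRF-relevant row directly: the cross-site POST carries the cookie only under SameSite=None.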
Browser-Specific Behavior of SameSite
Google's Chrome
Chrome was the first browser to enforce SameSite policies in 2020, starting with Chrome 80.
- Default behavior: if a cookie lacks the SameSite attribute, Chrome treats it as SameSite=Lax.
- SameSite=None requirements: cookies with SameSite=None must also have the Secure attribute, meaning they can only be transmitted over HTTPS connections.
- Chrome Developer tools: You can go to the Application tab > Cookies section to see cookies and their attributes. If attributes do not comply with SameSite or Secure requirements, Chrome provides warnings or errors for those cookies.
- How to test: Chrome has flags and developer tools to test and debug SameSite-related issues.
Mozilla Firefox
Firefox follows SameSite attribute implementation rules similar to Chrome's.
- Default behavior: if a cookie lacks the SameSite attribute, Firefox treats it as SameSite=Lax.
- SameSite=None requirements: cookies with SameSite=None must also be marked as Secure.
Mozilla Firefox 69 started enforcing stricter SameSite behaviors to align with privacy and security standards.
- Firefox Developer tools: You can navigate to Storage > Cookies to view and edit cookie attributes.
- How to test: Firefox flags non-compliant cookies and offers insights into their behavior.
Microsoft Edge
Edge, built on the Chromium engine, has adopted the SameSite policies implemented by Chrome.
- Default behavior: the default SameSite attribute is Lax.
- SameSite=None requirements: cookies with SameSite=None must also be marked as Secure.
Apple Safari
Safari has been slower to adopt stricter SameSite policies compared to Chrome and Firefox.
- Default behavior: if a cookie lacks the SameSite attribute, Safari treats it as SameSite=None, but this may vary depending on the version.
- Safari also has Intelligent Tracking Prevention (ITP), which may interact with SameSite behaviors, especially for Third-Party Cookies.
Other Browsers
Smaller or less commonly used browsers also follow the general trend of enforcing stricter SameSite policies, particularly those built on Chromium like Brave or Opera.
Many browsers offer testing flags to simulate stricter SameSite behaviors. For example, you can go to chrome://flags in Chrome.
How to Set SameSite Cookie Attribute?
See the examples on how to implement the SameSite attribute in your applications.
In PHP:
setcookie('example_cookie', 'value', [
    'expires'  => time() + 3600, // 1 hour
    'path'     => '/',
    'domain'   => 'example.com',
    'secure'   => true,          // only sent over HTTPS
    'httponly' => true,          // option keys are lowercase; PHP ignores 'HttpOnly' with a warning
    'samesite' => 'Strict'
]);
In JavaScript:
While JavaScript can also write cookies, it is usually better to set the SameSite attribute server-side for security reasons: a cookie written from JavaScript cannot carry the HttpOnly flag, and the server controls the attributes consistently. If you do set it from JavaScript, it looks like this:
document.cookie = "example_cookie=value; Secure; SameSite=Strict";
In HTTP Headers:
Set the SameSite attribute directly in the Set-Cookie header of the HTTP response:
Set-Cookie: example_cookie=value; Secure; HttpOnly; SameSite=Strict
Best Practices for Using the SameSite Attribute
Follow these best practices for selecting SameSite:
- Analyze your application needs and select the appropriate attribute. Use Strict where cross-site requests are unnecessary. Use Lax for most use cases when some cross-site requests are expected. Use None; Secure only if Third-Party Cookies are essential.
- Use HTTPS. Ensure your website or application supports HTTPS to enable Secure cookies.
- Test your website or application. Use browser developer tools to check cookies and ensure they are behaving with SameSite as you set them.
- Stay updated. Browsers change implementations of SameSite over time. Follow the updates and keep your web applications compliant with the latest standards.
Why You Should Be Using CookieScript on Your Website?
CookieScript CMP is one of the best cookie Consent Management Platforms (CMPs), offering a wide range of features to achieve website compliance.
- CookieScript CMP was ranked by users as the best CMP on the peer-review site G2.
- Google-certified CMP.
- It also received a GOLD Tier in the New Google Tiering system.
Keeping up with the latest cookie regulations and making sure your website is in compliance is a job in itself. CookieScript keeps you compliant with GDPR, CCPA, and other regulations. And, it’s super-easy to use.
How it Works
CookieScript automatically does the following:
Block third-party cookies by default. CookieScript also gives you the option to prevent Third-Party Cookies from running on your website, which makes the web a friendlier, more transparent experience for businesses and users.
Frequently Asked Questions
What is the SameSite cookie attribute?
A SameSite cookie attribute is a security feature for web cookies that defines how cookies are sent along with cross-site requests. The SameSite attribute can have three possible values: Strict, Lax, and None. CookieScript Cookie Scanner can scan your website and see what cookies your website uses and what attributes they have.
What does SameSite strict mean?
It’s an aggressive form of cross-site request forgery prevention. With the SameSite=Strict value, the web browser prevents cookie data from being transferred during cross-domain requests in all instances. The cookie will be sent only if the request originates from the same site. Scan your website to see what attributes your website cookies have.
What does SameSite lax mean?
When the cookie's SameSite attribute is set to Lax, cookies won't be sent on cross-site resource requests, such as images, stylesheets, or scripts, but they will be sent for top-level navigations (e.g. when a user clicks on a link leading to the site). This attribute is suitable for applications that require limited cross-site cookie usage, like login forms that redirect to another domain.
What does SameSite none mean?
The SameSite=None attribute will share cookies between sites with all cross-site requests. However, to use this setting, the cookie must also have the Secure attribute, meaning it can only be transmitted over HTTPS connections. The SameSite=None attribute could be used for Third-Party Cookies, and employed for content embedding, analytics, and single sign-on (SSO) systems. Ideally, it is not recommended to use this attribute for security reasons.
How do I fix the SameSite cookie problem?
Check what cookies your website uses and correct the cookie-related data, if needed. Update the cookie attributes, specifying SameSite=Strict, SameSite=Lax, or SameSite=None. Note that to use SameSite=None setting, the cookie must also have the Secure attribute, meaning it can only be transmitted over HTTPS connections. Ideally, you should never set this attribute unless you really need to. Scan your website to see what attributes your website cookies have.
How to set SameSite cookie attribute in Chrome?
View cookies in Chrome by going to the Application tab > Cookies section to see cookies and their attributes. If attributes do not comply with SameSite or Secure requirements, Chrome provides warnings or errors for those cookies. Chrome has flags and developer tools to test and debug SameSite-related issues. Set the right SameSite attribute to fix the SameSite cookie problem.
Where to check SameSite cookie in Chrome?
To view cookies in Chrome, open Chrome Settings (right-click on your browser window) > Inspect > Application > Storage > Cookies, and select the website whose cookies you want to see. Here you can see cookies and their attributes. If attributes do not comply with SameSite or Secure requirements, Chrome provides warnings or errors for those cookies. Set the right SameSite attribute to fix the SameSite cookie problem.
Where to check SameSite cookie in Firefox?
To see cookies in Firefox, navigate to Storage > Cookies, where you can view and edit cookie attributes. Firefox flags non-compliant cookies and offers insights into their behavior. Set the right SameSite attribute to fix the SameSite cookie problem, if any. Use CookieScript CMP to view cookies, create a cookie banner, and comply with privacy laws.