The SameSite cookie attribute

Time: 2021-8-19

Concept

The SameSite attribute tells the browser whether a cookie may be attached to requests that originate from a different site (cross-site requests). Its main purpose is to reduce cross-site information leakage, and it also gives some protection against cross-site request forgery (CSRF). The attribute takes one of three values: Strict, Lax, or None.

SameSite can take the following three values:

Strict: the cookie is sent only on same-site requests, i.e. when the site of the page issuing the request (scheme plus registrable domain, such as https://example.com) matches the site of the request target. It is not even sent on a top-level navigation arriving from another site, so a user who follows a link from elsewhere lands on the page logged out.
Lax: the cookie is additionally sent on cross-site top-level navigations that use a safe method (a GET from a link click or a redirect), but not on cross-site subresource requests, iframes, Ajax calls, or POST form submissions.
None: the cookie is sent on every request, cross-site or not; it must be combined with the Secure attribute.

Browsers used to treat a cookie with no SameSite attribute as None. Since Chrome 80 (February 2020) such cookies are treated as Lax by default, so cross-site Ajax requests no longer carry cookies unless the cookie explicitly sets SameSite=None; Secure. Two caveats: Chrome's default-Lax treatment still sends a cookie set within the last two minutes on cross-site top-level POST requests (the "Lax + POST" exception, a temporary concession to login flows), whereas an explicit SameSite=Lax does not; and not every browser has adopted the Lax default, so an application should not rely on it as its CSRF defence.

Notes on cookies in cross-origin Ajax (XMLHttpRequest) requests

1. A cross-origin Ajax request does not carry cookies by default. The XMLHttpRequest's withCredentials property must be set to true (and the server must answer with Access-Control-Allow-Credentials: true and an explicit, non-wildcard Access-Control-Allow-Origin); otherwise the browser omits the cookie and withholds the response from the page.
2. If the Ajax request is also cross-site (a different registrable domain, not merely a different origin such as another subdomain of the same site), a cookie with SameSite=Strict or SameSite=Lax is still not sent even when withCredentials is set. Only a cookie explicitly marked SameSite=None is attached. Such a cookie must also carry the Secure attribute, because browsers reject a SameSite=None cookie that is not Secure. Secure means the cookie is sent only over HTTPS and never over plain HTTP.
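The rules above, modelled in a small Node.js script. This is an added example, not code from the original post: it implements the browser's decision of whether a cookie is attached to a request (same-site vs. cross-site, top-level navigation vs. XHR, withCredentials, Secure) and a Set-Cookie builder that refuses SameSite=None without Secure. The "site" of a URL is approximated as scheme plus the last two host labels; that is an assumption for the example, since real browsers consult the Public Suffix List.

```javascript
'use strict';
// Added example (not from the original post): a model of the SameSite decision.
// Assumption: the registrable domain is the last two host labels; real
// browsers use the Public Suffix List, so e.g. *.github.io differs.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Approximate registrable domain (eTLD+1): "app.example.com" -> "example.com".
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// "Schemeful" site: scheme plus registrable domain, as modern Chrome uses it,
// so http://example.com and https://example.com are different sites.
function siteOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${registrableDomain(u.hostname)}`;
}

function isSameSite(a, b) {
  return siteOf(a) === siteOf(b);
}

function isSameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Decide whether `cookie` ({ sameSite, secure }) is attached to a request
// described by `ctx`: requestUrl, initiatorUrl (the page issuing it), method,
// topLevelNavigation (link click / redirect, as opposed to XHR, fetch, img,
// iframe or form post) and withCredentials for XHR/fetch.
function cookieWouldBeSent(cookie, ctx) {
  const {
    requestUrl, initiatorUrl, method = 'GET',
    topLevelNavigation = false, withCredentials = false,
  } = ctx;
  const mode = cookie.sameSite || 'Lax'; // no attribute: modern default is Lax

  // SameSite=None without Secure is rejected when the cookie is set, so it
  // never reaches the cookie jar.
  if (mode === 'None' && !cookie.secure) return false;

  // Secure cookies never travel over plain http.
  if (cookie.secure && new URL(requestUrl).protocol !== 'https:') return false;

  // Cross-origin XHR/fetch attaches cookies only when credentials are
  // requested (xhr.withCredentials = true / fetch credentials: 'include').
  if (!topLevelNavigation && !isSameOrigin(requestUrl, initiatorUrl) && !withCredentials) {
    return false;
  }

  // Same-site requests, including cross-origin ones such as
  // app.example.com -> api.example.com, are not restricted by SameSite.
  if (isSameSite(requestUrl, initiatorUrl)) return true;

  switch (mode) {
    case 'Strict': return false;
    case 'Lax':    return topLevelNavigation && SAFE_METHODS.has(method.toUpperCase());
    case 'None':   return true; // Secure was verified above
    default:       return false;
  }
}

// Build a Set-Cookie header value, enforcing the None-requires-Secure rule.
function buildSetCookie(name, value, opts = {}) {
  const { sameSite = 'Lax', secure = false, httpOnly = true, path = '/' } = opts;
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) {
    throw new Error(`invalid SameSite value: ${sameSite}`);
  }
  if (sameSite === 'None' && !secure) {
    throw new Error('SameSite=None requires the Secure attribute');
  }
  let header = `${name}=${value}; Path=${path}; SameSite=${sameSite}`;
  if (secure) header += '; Secure';
  if (httpOnly) header += '; HttpOnly';
  return header;
}

// The cross-site XHR case from the text, evaluated for each SameSite value.
function crossSiteXhrTable() {
  const xhr = {
    requestUrl: 'https://api.example.com/me',
    initiatorUrl: 'https://evil.test/',
    withCredentials: true,
  };
  const table = {};
  for (const sameSite of ['Strict', 'Lax', 'None']) {
    table[sameSite] = cookieWouldBeSent({ sameSite, secure: true }, xhr);
  }
  return table;
}

console.log('cookie sent on cross-site XHR with withCredentials=true:', crossSiteXhrTable());
```

Running it shows that only the SameSite=None; Secure cookie survives a cross-site XHR even with withCredentials set, while a Lax cookie from app.example.com to api.example.com (cross-origin but same-site) still requires withCredentials before the browser attaches it.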