Samesite property of cookie


The samesite property of cookie is used to restrict the third-party cookie, so as to reduce the security risk

It can set three values:

  • Strict
  • Lax
  • None


Strict is the most strict,No third-party cookies are allowed. Cookies will not be sent under any circumstances when cross sites. In other words,Only if the URL of the current web page is consistent with the request target, the cookie will be brought.

Set-Cookie: CookieName=CookieValue; SameSite=Strict;

This rule is too strict and may cause a very bad user experience. For example, if there is a GitHub link on the current web page, users will not have a GitHub cookie when they click jump, and the jump is always not logged in.


Lax rules are slightly relaxed,In most cases, third-party cookies are not sent, except for get requests to navigate to the target web address.

Set-Cookie: CookieName=CookieValue; SameSite=Lax;

The get request for navigating to the target web address only includes three cases:Link, preload request, get form. See the table below for details.
Samesite property of cookie
After setting strict or lax, CSRF attacks are basically eliminated. Of course, the premise is that the user browser supports the samesite property.


Chrome plans to make lax the default.At this point,Websites can choose to explicitly turn off the samesite property and set it to none. however,The premise is that the secure property must be set at the same time (cookies can only be sent through the HTTPS protocol), otherwise it is invalid.

The following settings are invalid:

Set-Cookie: widget_session=abc123; SameSite=None

The following settings are valid:

Set-Cookie: widget_ Session = abc123; samesite = none; secure // you need to set the secure property at the same time: cookies can only be sent through the HTTPS protocol

New cookie settings in Chrome

Chrome 80 introduces two independent settings for users:

  • Samesite by default cookies: after setting, all cookies with unspecified samesite property will automatically force samesite = lax
  • Cookie without samesite must be secure:After setting,Cookie Set cookie without samesite property or with samesite property: samesite = none needs to be secure. In this context,Security means that all browser requests must follow the HTTPS protocol. Cookies that do not meet this requirement will be rejected. All websites should use HTTPS to meet this requirement.

Recommended Today

Practice analysis of rust built-in trait: partialeq and EQ

Abstract:Rust uses traits in many places, from simple operator overloading to subtle features like send and sync. This article is shared from Huawei cloud community《Analysis of rust built-in trait: partialeq and EQ》Author: debugzhang Rust uses traits in many places, from simple operator overloading to subtle features like send and sync. Some traits can be automatically […]