I am trying to set the SameSite attribute using JavaScript on my site. The code is

<script type="text/javascript">
    document.cookie = "AC-C=ac-c;expires=Fri, 31 Dec 9999 23:59:59 GMT;path=/;HttpOnly;SameSite=Lax";
</script>

The cookie is being set, but the SameSite attribute is not being set. Any idea what I am missing?

Thanks

Satya

2 Answers

Your problem is not with SameSite, but with HttpOnly. HttpOnly and SameSite are two independent things; if you remove HttpOnly it will work, and the cookie will be set with SameSite.

<script>
    // Same cookie as in the question, minus HttpOnly
    document.cookie = "AC-C=ac-c;expires=Fri, 31 Dec 9999 23:59:59 GMT;path=/;SameSite=Lax";
    // Shows the stored cookie, confirming it was accepted
    alert( document.cookie );
</script>
iiic
You cannot set the HttpOnly flag via the JavaScript API document.cookie. The HttpOnly flag can be set only via a cookie header in the server response. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies: "Cookies created via JavaScript cannot include the HttpOnly flag."

You wrote "The cookie is being set but the SameSite attribute is not being set", but I think that is not true. A cookie set via JS with the HttpOnly attribute is rejected altogether, or maybe some browsers set it but ignore the HttpOnly flag, so in the end your cookie is not HTTP-only.

mikep
  • You're right, my apologies. While I'd still argue that setting samesite on client-side is not very useful considering its purpose, my answer to OP's actual question is wrong and I'm withdrawing it. As you say, it *is* possible to set it from client-side. – Vasan Nov 14 '19 at 03:05
  • @Vasan You are right that setting SameSite=Strict/Lax is not very useful considering its purpose, but consider SameSite=None... it is useful. Since Chrome v80, 3rd parties (e.g. iframes) must set SameSite=None for a cookie that is not Strict/Lax, because Chrome will not send it with CORS requests. Btw. in a 3rd party iframe it is not possible to set SameSite=Strict/Lax, only SameSite=None, so in this use case enabling the SameSite flag for the JS API is not in conflict with the SameSite purpose. – mikep Nov 15 '19 at 14:37
  • Yes, setting SameSite=None is not just useful but required when loaded as a third party iframe, and unfortunately it is not possible to set it from javascript. – Matt Cosentino Mar 31 '20 at 17:06
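The two answers and the comments above come down to one rule: the cookie attribute string has the same shape whether a script assigns it to document.cookie or the server sends it in a Set-Cookie header, but only the server side may carry HttpOnly. The following is an added example, not code from the question, the answers or any library: it builds the cookie string for each context, rejects HttpOnly on the client side (the OP's mistake), and also enforces the rule that SameSite=None is only accepted by browsers together with Secure, which matters for the third-party iframe case raised in the comments. The function names (clientCookie, serverSetCookie, setSessionCookie, parseCookieString) are the example's own, and `res` is assumed to be any object with a setHeader() method such as Node's http.ServerResponse.

```javascript
// Added example, not code from the question or the answers above.
// The same "name=value; Attr; Attr=val" string is used in two places, but only
// the Set-Cookie response header may carry HttpOnly; a script writing to
// document.cookie cannot. SameSite=None additionally needs Secure, or the
// browser drops the cookie. Runs under Node without a browser.

// Attributes a script may set through document.cookie.
const CLIENT_ATTRS = new Set(['expires', 'max-age', 'path', 'domain', 'secure', 'samesite']);
// Attributes a Set-Cookie response header may carry: the same set plus HttpOnly.
const SERVER_ATTRS = new Set([...CLIENT_ATTRS, 'httponly']);

// Case-insensitive attribute lookup, so {SameSite: ...} and {samesite: ...} both work.
function getAttr(attrs, wanted) {
  const key = Object.keys(attrs).find((k) => k.toLowerCase() === wanted);
  return key === undefined ? undefined : attrs[key];
}

// Build the cookie string, refusing attributes the given context cannot set.
function serializeCookie(name, value, attrs, allowed) {
  for (const key of Object.keys(attrs)) {
    if (!allowed.has(key.toLowerCase())) {
      throw new Error(`attribute ${key} cannot be set from this context`);
    }
  }
  const sameSite = getAttr(attrs, 'samesite');
  if (typeof sameSite === 'string' && sameSite.toLowerCase() === 'none' && getAttr(attrs, 'secure') !== true) {
    throw new Error('SameSite=None requires Secure');
  }
  const parts = [`${name}=${encodeURIComponent(value)}`];
  for (const [key, val] of Object.entries(attrs)) {
    // Boolean attributes (Secure, HttpOnly) are emitted as bare names
    parts.push(val === true ? key : `${key}=${val}`);
  }
  return parts.join('; ');
}

// Client side: the string to assign to document.cookie. HttpOnly is rejected
// here, which is exactly what went wrong in the question.
function clientCookie(name, value, attrs) {
  return serializeCookie(name, value, attrs, CLIENT_ATTRS);
}

// Server side: the Set-Cookie header value, where HttpOnly is allowed.
function serverSetCookie(name, value, attrs) {
  return serializeCookie(name, value, attrs, SERVER_ATTRS);
}

// Parse a cookie string back into its parts, to inspect what the browser was asked to store.
function parseCookieString(str) {
  const [pair, ...rest] = str.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    if (i === -1) attrs[part.toLowerCase()] = true;
    else attrs[part.slice(0, i).toLowerCase()] = part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: decodeURIComponent(pair.slice(eq + 1)), attrs };
}

// Server-side handler (assumed shape): `res` is any object with setHeader(),
// such as Node's http.ServerResponse. Sets the OP's cookie the way that works.
function setSessionCookie(res) {
  const header = serverSetCookie('AC-C', 'ac-c', {
    Expires: 'Fri, 31 Dec 9999 23:59:59 GMT',
    Path: '/',
    HttpOnly: true,
    SameSite: 'Lax',
  });
  res.setHeader('Set-Cookie', header);
  return header;
}

// Show the failure mode the question hit, then the working alternatives.
function demo() {
  const results = {};
  try {
    clientCookie('AC-C', 'ac-c', { Path: '/', HttpOnly: true, SameSite: 'Lax' });
    results.clientHttpOnly = 'accepted';
  } catch (e) {
    results.clientHttpOnly = e.message;
  }
  // In a browser: document.cookie = clientCookie(...)
  results.clientLax = clientCookie('AC-C', 'ac-c', { Path: '/', SameSite: 'Lax' });
  results.clientNone = clientCookie('AC-C', 'ac-c', { Path: '/', SameSite: 'None', Secure: true });
  // Constructed stand-in for a server response object
  results.server = setSessionCookie({ headers: {}, setHeader(k, v) { this.headers[k] = v; } });
  return results;
}

console.log(demo());
```

The allow-list is the whole point: a client-side builder that silently accepted HttpOnly would reproduce the OP's confusion, since the browser either drops the cookie or stores it without the flag. Keeping HttpOnly to the server-side builder makes the mistake fail loudly at the call site instead of quietly at the browser.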