Use this tag for questions about errors caused by a browser ignoring a Set-Cookie header—especially for cross-origin requests—due to a SameSite attribute being missing or having a certain value. Also for questions about implementing SameSite in your site's response headers. Consider adding the [cookies] tag too. SameSite instructs browsers to either restrict a cookie to first-party / same-site contexts or allow it in third-party / cross-site contexts.
The `SameSite` attribute for the `Set-Cookie` response header instructs browsers to either restrict a cookie to first-party / same-site contexts or allow it in third-party / cross-site contexts.
- https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
- https://web.dev/samesite-cookies-explained/
- https://web.dev/samesite-cookie-recipes
- https://www.chromium.org/updates/same-site/test-debug
In your browser devtools console, you may see an error such as the following (Chrome):

> A cookie associated with a cross-site resource at was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`.
For a `Set-Cookie` response header which lacks the `SameSite` attribute, browsers now treat the header as if it carried `SameSite=Lax`. A `Lax` cookie is neither stored from a cross-site fetch/XHR/axios response nor attached to cross-site fetch/XHR/axios requests (even with `credentials: 'include'` / `withCredentials: true`), so cross-site API calls silently lose their session. Note that the boundary is the *site* (registrable domain, e.g. `example.com`), not the full origin: requests between `app.example.com` and `api.example.com` are cross-origin but same-site and are unaffected. To opt a cookie into cross-site use, set it with `SameSite=None; Secure`. `None` is only honoured together with `Secure` (a `SameSite=None` cookie without `Secure` is rejected outright), so the cookie must be served over HTTPS, and a cookie that travels cross-site no longer protects against CSRF on its own, so the server needs a separate CSRF defence.
- https://www.chromestatus.com/feature/5088147346030592
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#cookies_without_samesite_default_to_samesitelax
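The following is an added example, not code from this tag wiki or from any browser vendor. It models the Lax-by-default rules described above: given a `Set-Cookie` header value, it reports the effective `SameSite` value and whether a cross-site fetch/XHR response may store the cookie and whether a cross-site fetch/XHR request will carry it, and it builds the `SameSite=None; Secure` form for a cookie that genuinely has to work cross-site. The sample headers are constructed for the example; the function names are the example's own.

```javascript
// Added example, not code from the tag wiki or from any browser vendor:
// classify a Set-Cookie header the way a Lax-by-default browser treats it.
// Plain Node.js, no dependencies: `node samesite-check.js`.

// Parse one Set-Cookie header value into name, value and attributes.
// Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
// valueless attributes such as Secure and HttpOnly are stored as `true`.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  const name = (eq < 0 ? pair : pair.slice(0, eq)).trim();
  const value = eq < 0 ? '' : pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of rest) {
    const [k, ...v] = part.trim().split('=');
    if (k) attrs[k.toLowerCase()] = v.length ? v.join('=').trim() : true;
  }
  return { name, value, attrs };
}

// Effective SameSite value. A missing attribute, a bare "SameSite" with no
// value, and unrecognised values all fall back to the Lax default.
function effectiveSameSite(cookie) {
  const raw = cookie.attrs.samesite;
  if (typeof raw !== 'string') return 'Lax';
  const norm = raw.toLowerCase();
  if (norm === 'none') return 'None';
  if (norm === 'strict') return 'Strict';
  return 'Lax';
}

// Verdict for the two cross-site situations the wiki describes:
//  - accepted:      may a cross-site fetch/XHR response store this cookie?
//  - sentCrossSite: will a cross-site fetch/XHR with credentials carry it?
// Top-level navigations are looser (Lax cookies ride on cross-site GET
// navigations and can be set by their responses); they are not modelled here.
function crossSiteVerdict(header) {
  const cookie = parseSetCookie(header);
  const sameSite = effectiveSameSite(cookie);
  const secure = cookie.attrs.secure === true;
  const explicit = typeof cookie.attrs.samesite === 'string';
  let accepted, sentCrossSite, reason;
  if (sameSite === 'None' && !secure) {
    accepted = false; sentCrossSite = false;
    reason = 'SameSite=None without Secure: the browser rejects the cookie outright';
  } else if (sameSite === 'None') {
    accepted = true; sentCrossSite = true;
    reason = 'SameSite=None; Secure: usable cross-site, so the server needs its own CSRF defence';
  } else {
    accepted = false; sentCrossSite = false;
    reason = `${explicit ? 'explicit' : 'defaulted'} SameSite=${sameSite}: blocked on cross-site fetch/XHR both when set and when sent`;
  }
  return { name: cookie.name, sameSite, explicit, secure, accepted, sentCrossSite, reason };
}

// Build the Set-Cookie value for a cookie that must work cross-site, always
// pairing SameSite=None with Secure so the browser does not reject it.
function buildCrossSiteCookie(name, value, { httpOnly = true, path = '/' } = {}) {
  const parts = [`${name}=${value}`, `Path=${path}`, 'Secure', 'SameSite=None'];
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample headers, not captured from any real site.
  for (const h of [
    'session=abc123; Path=/; HttpOnly',
    'session=abc123; Path=/; SameSite=None',
    'session=abc123; Path=/; SameSite=None; Secure; HttpOnly',
    'session=abc123; Path=/; SameSite=Strict; Secure',
  ]) console.log(h, '->', crossSiteVerdict(h).reason);
  console.log(buildCrossSiteCookie('session', 'abc123'));
}
```

When debugging, paste the exact `Set-Cookie` value from the Network panel into `crossSiteVerdict`; a verdict of `defaulted SameSite=Lax` is the case the Chrome and Firefox console messages above are warning about, and the fix on the server side is to emit the header `buildCrossSiteCookie` produces (over HTTPS) if, and only if, the cookie really must be sent cross-site.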
Recent versions of modern browsers apply a more secure default `SameSite` value to your cookies, so the following message (from Firefox) might appear in your console:

> Cookie “myCookie” has “SameSite” policy set to “Lax” because it is missing a “SameSite” attribute, and “SameSite=Lax” is the default value for this attribute.