Same Site Cookies
The SameSite attribute of the Set-Cookie HTTP response header allows you to declare whether your cookie should be restricted to a first-party or same-site context.
- A cookie is associated with a domain. If this domain is the same as the domain of the page you are on, the cookie is called a first-party cookie. If the domain is different, it is a third-party cookie.
- While the server hosting a web page sets first-party cookies, the page may contain images or other components stored on servers in other domains (for example, ad banners), which may set third-party cookies.
- These are mainly used for advertising and tracking across the web.
Same Site Cookie Values
- Set-Cookie: flavor=choco; SameSite=None; Secure
  Cookies are sent in all contexts, including cross-site requests. Browsers that enforce SameSite require the Secure attribute alongside SameSite=None, so such a cookie is only sent over HTTPS.
- Set-Cookie: flavor=choco; SameSite=Lax
  Cookies are not sent on normal cross-site subrequests (for example to load images or frames into a third-party site), but are sent when a user is navigating to the origin site (i.e. when following a link).
- Set-Cookie: flavor=choco; SameSite=Strict; Secure
  Cookies will only be sent in a first-party context and will not be sent along with requests initiated by third-party websites.
Default if not specified
In recent browser versions, SameSite=Lax is the default value if SameSite has not been explicitly specified.
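To make the three values and the Lax default concrete, here is an added example (not code from the original page) that parses a Set-Cookie header value and then simulates the browser's decision of whether to attach the cookie to a given request. The request contexts (same-site, cross-site subrequest such as an image load, cross-site top-level navigation, and cross-site form POST) and the helper names are assumptions chosen for this illustration; the cookie values are the page's own examples.

```python
"""Simulate which cookies a browser attaches to a request, based on SameSite.

Added example: models the SameSite rules described above. The sample
Set-Cookie values are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    same_site: str   # "Strict", "Lax" or "None"
    secure: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse the value of a Set-Cookie header.

    An unspecified (or unrecognised) SameSite value falls back to Lax,
    matching the default applied by recent browsers.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    same_site = "Lax"
    secure = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            candidate = val.strip().capitalize()      # "none" -> "None", etc.
            if candidate in ("Strict", "Lax", "None"):
                same_site = candidate
        elif key == "secure":
            secure = True
    return Cookie(name.strip(), value.strip(), same_site, secure)


def would_send(cookie: Cookie, *, same_site_request: bool,
               top_level_navigation: bool, safe_method: bool,
               https: bool) -> bool:
    """Decide whether the browser attaches `cookie` to a request.

    same_site_request:    the request goes to the cookie's own site
    top_level_navigation: the user is navigating (e.g. following a link),
                          as opposed to an embedded subrequest
    safe_method:          GET/HEAD rather than POST
    https:                the request is sent over a secure channel
    """
    if cookie.secure and not https:
        return False                     # Secure cookies never go over HTTP
    if same_site_request:
        return True                      # first-party context: always sent
    if cookie.same_site == "Strict":
        return False                     # never sent cross-site
    if cookie.same_site == "Lax":
        # Sent only on top-level navigations with a safe method
        # (so an <img> subrequest or a cross-site POST gets no cookie).
        return top_level_navigation and safe_method
    # SameSite=None: sent in every context, but only if Secure was set
    # (assumption: a None cookie without Secure is treated as rejected).
    return cookie.secure


# Constructed request contexts used to compare the three values.
CONTEXTS = {
    "same-site request":             dict(same_site_request=True,  top_level_navigation=False, safe_method=True,  https=True),
    "cross-site image subrequest":   dict(same_site_request=False, top_level_navigation=False, safe_method=True,  https=True),
    "cross-site link navigation":    dict(same_site_request=False, top_level_navigation=True,  safe_method=True,  https=True),
    "cross-site form POST":          dict(same_site_request=False, top_level_navigation=True,  safe_method=False, https=True),
}


def behaviour_matrix(header: str) -> dict:
    """Map each request context to whether the cookie from `header` is sent."""
    cookie = parse_set_cookie(header)
    return {ctx: would_send(cookie, **flags) for ctx, flags in CONTEXTS.items()}


if __name__ == "__main__":
    for h in ("flavor=choco; SameSite=None; Secure",
              "flavor=choco; SameSite=Lax",
              "flavor=choco; SameSite=Strict; Secure",
              "flavor=choco"):
        print(h)
        for ctx, sent in behaviour_matrix(h).items():
            print(f"  {ctx:30s} {'sent' if sent else 'not sent'}")
```

Running the script prints one table per header; the last one (no SameSite at all) comes out identical to the explicit SameSite=Lax table, which is the defaulting behaviour the section above describes. The "cross-site form POST" row is the one that matters for CSRF: Lax and Strict both withhold the cookie there.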