Mohammad Shehadeh

Understanding SameSite Cookies


A cookie is a chunk of data stored in the browser. It holds state and other information a website needs later.

SameSite cookies protect your data as you browse the web. They control how the information in your cookies can be used across different websites. Without that control, you're open to security vulnerabilities like cross-site request forgery (CSRF) attacks or cross-site scripting (XSS) attacks.

The difference between a site and an origin

Two URLs have the same origin if they share the exact scheme, domain name, and port.

The term site is much broader: it accounts only for the scheme and the registrable part of the domain name (the label directly above the public suffix). So a cross-origin request can be same-site, but not the other way around.

Public Suffix List

The public suffix list defines where one site ends and another begins. It goes beyond top-level domains: because github.io is listed as a public suffix, x.github.io and y.github.io count as separate sites.

What Are SameSite Cookies?

The SameSite attribute tells your browser when it's okay to share your cookie data with other websites. It has three values:

  • Strict: cookies with the SameSite attribute set to Strict will not be sent in cross-origin requests.

    • If a page on your site loads an image from a different domain, the cookie won't be sent with that request because it's cross-origin. This prevents potential security vulnerabilities.
  • Lax: cookies with the SameSite attribute set to Lax will be sent with cross-origin GET requests.

    • When you click a link on your page to a cross-origin page, the browser sends the cookie with the request because it's a cross-origin GET request. In the snippet below, the image is fetched as an embedded subresource, while the link only triggers a top-level GET navigation when the user clicks it:

```html
<!-- Embedded subresource request to a different site -->
<p>Look at this amazing cat!</p>
<img src="https://i.ibb.co/rmcKqBB/amazing-cat.jpg" />
<!-- Clicking the link is a top-level GET navigation to a different site -->
<p>See the <a href="https://ibb.co/R9BGtXX">Amazing Cat</a>.</p>
```
  • None: This setting gives your cookies a passport to travel anywhere. They follow you to other websites, which can raise security concerns.

    • When you interact with the page, like submitting a form, the browser sends the cookie with the request no matter the origin.
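The rules above, as an added example that is not code from the original post: it computes the site of two URLs from scheme plus registrable domain using a constructed four-entry stand-in for the Public Suffix List, then decides whether a cookie with each SameSite value accompanies a request. It follows the browser rule that Lax sends the cookie only on top-level navigations, not on embedded subresource loads such as the image above, and that a SameSite=None cookie is rejected unless it is also Secure. The function names and the sample suffix list are assumptions.

```javascript
// Added example: a small model of the browser's SameSite decision.
// "Site" is scheme plus registrable domain (eTLD+1), found with the
// Public Suffix List. PUBLIC_SUFFIXES is a constructed four-entry
// stand-in for the real list, not the list itself.
const PUBLIC_SUFFIXES = new Set(["com", "co", "io", "github.io"]);

// Registrable domain: the longest matching public suffix plus one label.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i + 1).join("."))) {
      return labels.slice(i).join(".");
    }
  }
  return host; // no known suffix: treat the whole host as the site
}

// Schemeful site: http://example.com and https://example.com differ.
function site(url) {
  const u = new URL(url);
  return `${u.protocol}//${registrableDomain(u.hostname)}`;
}

function isSameSite(initiatorUrl, targetUrl) {
  return site(initiatorUrl) === site(targetUrl);
}

// kind: "navigation" (user follows a link, top-level GET),
//       "subresource" (page embeds an image, script or iframe),
//       "form-post" (page submits a POST form to the target).
function cookieIsSent(sameSite, initiatorUrl, targetUrl, kind) {
  if (isSameSite(initiatorUrl, targetUrl)) return true; // same-site: always sent
  switch (sameSite) {
    case "Strict": return false;                 // never on cross-site requests
    case "Lax":    return kind === "navigation"; // only top-level GET navigations
    case "None":   return true;                  // travels with every request
    default: throw new Error(`unknown SameSite value: ${sameSite}`);
  }
}

// Browsers reject a SameSite=None cookie that is not also marked Secure.
function setCookieAccepted(setCookieHeader) {
  const attrs = setCookieHeader.split(";").slice(1).map((a) => a.trim().toLowerCase());
  return !(attrs.includes("samesite=none") && !attrs.includes("secure"));
}
```

Running cookieIsSent("Lax", "https://example.com/", "https://i.ibb.co/rmcKqBB/amazing-cat.jpg", "subresource") returns false while the same call with the link URL and "navigation" returns true, which is the image-versus-link difference the list above describes.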
Watch out

Browsers are restricting third-party cookies. If you've set SameSite=None on your cookies, you'll need to take extra action. Learn how to prepare for third-party cookie restrictions.

Quick Recap

  1. Site vs Origin

    • Origin includes scheme, domain, and port
    • Site only considers scheme and domain
    • Cross-origin requests can be same-site
    • Public suffix list defines site boundaries
  2. SameSite Cookie Types

    • Strict: Most secure, no cross-origin requests
    • Lax: Allows cross-origin GET requests
    • None: Allows all cross-origin requests (requires Secure flag)
  3. Security Considerations

    • Third-party cookie restrictions are increasing
    • Need to prepare for cookie deprecation
    • Consider alternative authentication methods
    • Implement proper security headers
