The three flags that matter
Cookies carry session identity, so their attributes decide how exposed that identity is. Three flags do most of the protection work.
- HttpOnly hides the cookie from JavaScript: document.cookie cannot read it, so a script injection cannot exfiltrate the session token. The browser still attaches the cookie to requests the page makes, so an XSS can act as the user even when it cannot steal the cookie.
- Secure tells the browser to send the cookie only over HTTPS, so the session token never crosses a plaintext hop.
- SameSite controls whether the cookie rides along on cross-site requests, which is exactly what cross-site request forgery depends on.
How SameSite changes behavior
SameSite has three values that trade safety against convenience. Strict never sends the cookie on any cross-site request, including a top-level navigation such as a link click from another site. Lax sends it only on top-level navigations that use a safe method such as GET, so cross-site POSTs, iframes, images and fetch/XHR requests go without it. None sends it on every request but is accepted by browsers only when Secure is also set. When the attribute is absent, behavior depends on the browser; Chromium-based browsers treat a missing value as Lax.
- Strict gives the strongest cross-site request forgery defense, at a usability cost: a user who follows a link to the site from elsewhere arrives without the cookie and looks logged out until they navigate within the site.
- Lax is a sensible default for most session cookies: it stops the classic auto-submitted cross-site POST while letting inbound links work. It does not protect state-changing GET endpoints, which should not exist in the first place.
- None suits cookies that must be sent in third-party contexts (embedded widgets, cross-site sign-in flows) and is rejected unless Secure is also present.
Set these flags on the server through the Set-Cookie response header. Combining HttpOnly, Secure and a sane SameSite value greatly shrinks the attack surface for session hijacking and request forgery, but treat it as defense in depth: SameSite reduces CSRF exposure rather than replacing anti-CSRF tokens, and HttpOnly blocks cookie theft, not what an injected script can do with the live session.
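As an added example (not code from the original page or from any browser or library), here is a small Node.js module that emits a hardened Set-Cookie value, audits a received Set-Cookie value for the three flags, and models which SameSite value lets a cookie through a forged cross-site POST, a link click from another site, an embedded image, a same-site request and a plaintext request. The function names and the {https, crossSite, topLevel, method} request model are assumptions made for this example.

```javascript
// Added example for this page (not code from the original article or any library).
// buildSetCookie emits a Set-Cookie value with the three flags, auditSetCookie reports
// which flags a received Set-Cookie value lacks, and cookieIsSent models whether a
// browser attaches a cookie to a request under Strict, Lax and None. The function
// names and the {https, crossSite, topLevel, method} request model are assumptions
// made for the example, not a browser or Node API.

const SAMESITE_VALUES = new Set(['Strict', 'Lax', 'None']);
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Build the Set-Cookie header value for a session cookie. Defaults are the hardened
// ones: HttpOnly, Secure, SameSite=Lax.
function buildSetCookie(name, value, opts = {}) {
  const { httpOnly = true, secure = true, sameSite = 'Lax', path = '/', maxAge } = opts;
  if (!SAMESITE_VALUES.has(sameSite)) throw new Error(`invalid SameSite value: ${sameSite}`);
  // Browsers reject SameSite=None without Secure, so refuse to emit that combination.
  if (sameSite === 'None' && !secure) throw new Error('SameSite=None requires Secure');
  // Separators, quotes or control characters in the name or value would let an
  // attacker-influenced value inject extra attributes or a second cookie.
  if (/[;,="\\\s\x00-\x1f\x7f]/.test(name) || /[;,"\\\s\x00-\x1f\x7f]/.test(value)) {
    throw new Error('invalid characters in cookie name or value');
  }
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (Number.isInteger(maxAge)) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse one Set-Cookie header value and list the protections a session cookie is
// missing. Attribute names and the SameSite value are case-insensitive.
function auditSetCookie(header) {
  const [pair, ...rawAttrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const attr of rawAttrs) {
    if (attr === '') continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  const findings = [];
  if (!attributes.httponly) findings.push('missing HttpOnly');
  if (!attributes.secure) findings.push('missing Secure');
  const sameSite = typeof attributes.samesite === 'string' ? attributes.samesite.toLowerCase() : undefined;
  if (sameSite === undefined) {
    findings.push('missing SameSite (browser default applies)');
  } else if (!['strict', 'lax', 'none'].includes(sameSite)) {
    findings.push(`unrecognised SameSite value "${attributes.samesite}" (treated as absent)`);
  } else if (sameSite === 'none' && !attributes.secure) {
    findings.push('SameSite=None without Secure (browsers reject the cookie)');
  }
  return { name, attributes, findings };
}

// Model the browser's decision to attach `cookie` to `request`.
//   cookie:  { secure: boolean, sameSite: 'Strict' | 'Lax' | 'None' }
//   request: { https: boolean, crossSite: boolean, topLevel: boolean, method: string }
// Not modelled: Chromium's short-lived "Lax+POST" allowance for cookies set without
// SameSite, and the localhost exemption from Secure.
function cookieIsSent(cookie, request) {
  if (cookie.secure && !request.https) return false; // Secure: never on plaintext HTTP
  if (!request.crossSite) return true;               // same-site request: SameSite never blocks
  switch (cookie.sameSite) {
    case 'Strict':
      return false;                                  // no cross-site request at all, link clicks included
    case 'Lax':
      return request.topLevel && SAFE_METHODS.has(request.method.toUpperCase()); // top-level safe-method navigation only
    case 'None':
      return true;                                   // every cross-site request (only valid with Secure)
    default:
      throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
  }
}

// Constructed requests for the scenarios the text describes.
const SCENARIOS = {
  forgedPost:    { https: true,  crossSite: true,  topLevel: true,  method: 'POST' }, // CSRF form auto-submitted from an attacker site
  linkClick:     { https: true,  crossSite: true,  topLevel: true,  method: 'GET'  }, // user follows a link from another site
  embeddedImage: { https: true,  crossSite: true,  topLevel: false, method: 'GET'  }, // <img src> on a third-party page
  sameSiteXhr:   { https: true,  crossSite: false, topLevel: false, method: 'POST' }, // fetch() from the app's own page
  plainHttp:     { https: false, crossSite: false, topLevel: true,  method: 'GET'  }, // same site, but over http://
};

// Table of which SameSite value lets a Secure cookie through in each scenario.
function sameSiteMatrix() {
  const matrix = {};
  for (const sameSite of SAMESITE_VALUES) {
    matrix[sameSite] = {};
    for (const [label, request] of Object.entries(SCENARIOS)) {
      matrix[sameSite][label] = cookieIsSent({ secure: true, sameSite }, request);
    }
  }
  return matrix;
}

console.log(buildSetCookie('session', 'a1b2c3d4', { maxAge: 3600 }));
console.log(auditSetCookie('session=a1b2c3d4; Path=/').findings);
console.table(sameSiteMatrix());
```

Running it prints the hardened header, the findings for a bare cookie that lacks all three flags, and a Strict/Lax/None matrix over the scenarios; the matrix makes the Lax trade-off concrete (the forged POST is blocked, the inbound link still carries the session). The audit function is the kind of check worth running over every Set-Cookie header a deployment emits.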
Key idea
HttpOnly hides cookies from scripts, Secure restricts them to HTTPS, and SameSite limits cross-site sending; together they defend the session against theft and request forgery.