The Cross Site Cookie Problem
Browsers attach cookies to requests for a site automatically, even when the request is triggered from another site. That is the root of cross site request forgery: a malicious page makes your browser send an authenticated request to a site where you are logged in.
What SameSite Does
The SameSite cookie attribute tells the browser when to send a cookie on cross site requests.
- Strict sends the cookie only for same site requests, blocking it on any cross site navigation; the trade-off is that a user who follows a link from another site arrives without their session until they navigate within the site.
- Lax sends it on top level navigations that use a safe method, such as clicking a link (a GET), but not on cross site POST form submissions or embedded subrequests such as images, iframes, and fetch calls.
- None sends it on all requests but must be paired with the Secure flag; modern browsers reject a SameSite=None cookie that is not also marked Secure.
Defensive Use
- Set session cookies to Lax or Strict to blunt most CSRF.
- Use None with Secure only for cookies genuinely needed across sites.
- Remember SameSite is a strong layer but pair it with anti CSRF tokens for sensitive actions: the boundary it enforces is the site (registrable domain), not the origin, so a request from a sibling subdomain still counts as same site, and older browsers do not honour the attribute at all.
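The rules above as an added example, not code from the original page: a small model of when a browser attaches a cookie under each SameSite value, and a Set-Cookie builder that refuses the None-without-Secure combination. The function names, the request fields, and the assumption that a missing attribute defaults to Lax (Chromium behaviour) are this example's own.

```javascript
// Does the browser attach this cookie to this request?
// request = { crossSite: bool, topLevel: bool, method: string, https: bool }
function cookieIsSent(cookie, request) {
  const mode = (cookie.sameSite || 'Lax').toLowerCase(); // assumption: missing attribute behaves as Lax
  if (cookie.secure && !request.https) return false;    // Secure cookies travel only over HTTPS
  if (!request.crossSite) return true;                  // same site: SameSite imposes nothing
  switch (mode) {
    case 'strict':
      return false;                                     // never on a cross site request
    case 'lax': {
      // Only top level navigations with a safe method (e.g. clicking a link); a cross site
      // POST form submission is top level but not safe, so it is blocked.
      const safe = ['GET', 'HEAD', 'OPTIONS'].includes(request.method.toUpperCase());
      return request.topLevel && safe;
    }
    case 'none':
      return cookie.secure === true;                    // None without Secure is rejected outright
    default:
      throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
  }
}

// Build a Set-Cookie header value, enforcing the None-requires-Secure pairing at set time.
function buildSetCookie(name, value, opts = {}) {
  const sameSite = opts.sameSite || 'Lax';
  if (sameSite === 'None' && !opts.secure) {
    throw new Error('SameSite=None must be paired with Secure');
  }
  const parts = [`${name}=${encodeURIComponent(value)}`, `SameSite=${sameSite}`];
  if (opts.secure) parts.push('Secure');
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.path) parts.push(`Path=${opts.path}`);
  return parts.join('; ');
}

// Constructed scenario: a Lax session cookie against three kinds of cross site request.
const session = { name: 'sid', sameSite: 'Lax', secure: true };
const forgedPost = { crossSite: true, topLevel: true, method: 'POST', https: true };
const linkClick = { crossSite: true, topLevel: true, method: 'GET', https: true };
const imageLoad = { crossSite: true, topLevel: false, method: 'GET', https: true };
console.log(cookieIsSent(session, forgedPost)); // false: the CSRF-style POST goes out unauthenticated
console.log(cookieIsSent(session, linkClick));  // true: the user stays logged in after following a link
console.log(cookieIsSent(session, imageLoad));  // false: subrequests never carry a Lax cookie
console.log(buildSetCookie('sid', 'abc123', { sameSite: 'Strict', secure: true, httpOnly: true }));
```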
Key idea
SameSite controls whether cookies ride along on cross site requests, and setting sessions to Lax or Strict removes a large share of CSRF risk.