This is a companion repo for the "SameSite cookies explained" article on web.dev. This is your starting point for how cookies work, the functionality of the SameSite attribute, and the changes in Chrome to apply a SameSite=Lax policy by default while requiring the use of SameSite=None; Secure for cookies in a third-party context.

This functionality is available now in Chrome 76 behind the associated flags to let you test the effect on your site. This is intended to become default behaviour as of Chrome 80.

• Flag: chrome://flags/#same-site-by-default-cookies
• Chrome Status entry: Cookies with SameSite by default

Turn this flag on to have Chrome apply the equivalent of SameSite=Lax to cookies without a SameSite attribute specified.

• Flag: chrome://flags/#cookies-without-same-site-must-be-secure
• Chrome Status entry: Reject insecure SameSite=None cookies

Turn on this flag along with the previous flag to have Chrome enforce the need for any SameSite=None cookie to also specify the Secure attribute.

• Flag chrome://flags/#cookie-deprecation-messages

This will add console warning messages for every single cookie potentially affected by this change.

⚠️ WARNING: You will see a lot of messages! Seriously, a lot of messages.

Since the vast majority of cookies do not have any SameSite attribute set that means they are all sent in a cross-site context, regardless of whether or not the intent is to use them.

As you add the correct SameSite and Secure values to your cookies, you will be able to use the console warnings to test for any you have missed. Try this without the previous flags enabled.

In this repo you'll find examples on making use of SameSite=None; Secure in a variety of languages, libraries, and frameworks. The SameSite attribute is widely supported, but the addition of the explicit None value may require updates or work-arounds.

🚧 NOTE: To test the None value is set you need to test in a browser that parses this addition, e.g. Chrome 76 or above. The changes should be backwards compatible, but those browsers should ignore the None value so you will not see it in any cookie view.

If your specific platform isn't covered here, please raise an issue or a pull request to include it.

• JavaScript
• JavaScript - Node.js
• PHP
• Python
• Python - Flask

You can raise an issue in this repo if there is specific behaviour you would like to see documented or something that's not clear in the current examples.

You can also use the samesite tag on StackOverflow which we will monitor on a regular basis. As the discussion evolves there, we'll also add a Frequently Asked Questions section to this repo for easy reference.

Issues and pull requests are always welcome. For details, see CONTRIBUTING

This is not an officially supported Google product.