Examples of using the SameSite cookie attribute in a variety of language, libraries, and frameworks.
This is a companion repo for the "cookies explained" article on web.dev. This is your starting point for how cookies work, the functionality of the
SameSiteattribute, and the changes in Chrome to apply a
SameSite=Laxpolicy by default while requiring the use of
SameSite=None; Securefor cookies in a third-party context.
This functionality is available now in Chrome 76 behind the associated flags to let you test the effect on your site. This is intended to become default behaviour as of Chrome 80.
Turn this flag on to have Chrome apply the equivalent of
SameSite=Laxto cookies without a
Turn on this flag along with the previous flag to have Chrome enforce the need for any
SameSite=Nonecookie to also specify the
This will add console warning messages for every single cookie potentially affected by this change.
⚠️ WARNING: You will see a lot of messages! Seriously, a lot of messages.
Since the vast majority of cookies do not have any
SameSiteattribute set that means they are all sent in a cross-site context, regardless of whether or not the intent is to use them.
As you add the correct
Securevalues to your cookies, you will be able to use the console warnings to test for any you have missed. Try this without the previous flags enabled.
In this repo you'll find examples on making use of
SameSite=None; Securein a variety of languages, libraries, and frameworks. The
SameSiteattribute is widely supported, but the addition of the explicit
Nonevalue may require updates or work-arounds.
🚧 NOTE: To test the
Nonevalue is set you need to test in a browser that parses this addition, e.g. Chrome 76 or above. The changes should be backwards compatible, but those browsers should ignore the
Nonevalue so you will not see it in any cookie view.
If your specific platform isn't covered here, please raise an issue or a pull request to include it.
You can raise an issue in this repo if there is specific behaviour you would like to see documented or something that's not clear in the current examples.tag on StackOverflow which we will monitor on a regular basis. As the discussion evolves there, we'll also add a Frequently Asked Questions section to this repo for easy reference.
Issues and pull requests are always welcome. For details, see CONTRIBUTING
This is not an officially supported Google product.