The SameSite attribute of the Set-Cookie HTTP response header allows you to declare if your cookie should be restricted to a first-party or same-site context.
Values
The SameSite attribute accepts three values:
Lax
Cookies are allowed to be sent with top-level navigations and will be sent along with GET requests initiated by a third-party website. This is the default value in modern browsers.
Strict
Cookies will only be sent in a first-party context and will not be sent along with requests initiated by third-party websites.
None
Cookies will be sent in all contexts, i.e. sending cross-origin is allowed.
None used to be the default value, but recent browser versions made Lax the default value to have a reasonably robust defense against some classes of cross-site request forgery (CSRF) attacks.
None requires the Secure attribute in the latest browser versions. See below for more information.
Fixing common warnings
SameSite=None requires Secure
The following warning might appear in your console:
Some cookies are misusing the “sameSite“ attribute, so it won’t work as expected.
Cookie “myCookie” rejected because it has the “sameSite=none” attribute but is missing the “secure” attribute.
The warning appears because any cookie that requests SameSite=None but is not marked Secure will be rejected.
Set-Cookie: flavor=choco; SameSite=None
To fix this, you will have to add the Secure attribute to your SameSite=None cookies.
Set-Cookie: flavor=choco; SameSite=None; Secure
A Secure cookie is only sent to the server with an encrypted request over the HTTPS protocol. Note that insecure sites (http:) can't set cookies with the Secure directive.
Cookies without SameSite default to SameSite=Lax
Recent versions of modern browsers provide a more secure default for SameSite on your cookies, and so the following message might appear in your console:
Some cookies are misusing the “sameSite“ attribute, so it won’t work as expected.
Cookie “myCookie” has “sameSite” policy set to “lax” because it is missing a “sameSite” attribute, and “sameSite=lax” is the default value for this attribute.
The warning appears because the SameSite policy for a cookie has not been specified explicitly:
Set-Cookie: flavor=choco
While you could rely on modern browsers to apply SameSite=Lax automatically, you should rather specify it explicitly to clearly communicate which SameSite policy applies to your cookie. This will also improve the experience across browsers, as not all of them default to Lax yet.
Set-Cookie: flavor=choco; SameSite=Lax
Example (Apache mod_rewrite rules that set cookies with an explicit SameSite policy through the CO flag):
RewriteEngine on
RewriteBase "/"
RewriteCond "%{HTTP_HOST}" "^example\.org$" [NC]
RewriteRule "^(.*)" "https://www.example.org/index.html" [R=301,L,QSA]
RewriteRule "^(.*)\.ht$" "index.php?nav=$1" [NC,L,QSA,CO=RewriteRule;01;https://www.example.org;30/;SameSite=None;Secure]
RewriteRule "^(.*)\.htm$" "index.php?nav=$1" [NC,L,QSA,CO=RewriteRule;02;https://www.example.org;30/;SameSite=None;Secure]
RewriteRule "^(.*)\.html$" "index.php?nav=$1" [NC,L,QSA,CO=RewriteRule;03;https://www.example.org;30/;SameSite=None;Secure]
[...]
RewriteRule "^admin/(.*)\.html$" "admin/index.php?nav=$1" [NC,L,QSA,CO=RewriteRule;09;https://www.example.org;30/;SameSite=Strict;Secure]
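As an added example (not part of the MDN page), the following Python models the browser rules described in the Values and warning sections above: a missing SameSite defaults to Lax, SameSite=None without Secure is rejected, and a cookie is only attached to a cross-site request when its policy allows it. The request-context flags and the function names are assumptions made for this illustration.

```python
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    same_site: str   # "Lax", "Strict" or "None"
    secure: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value the way a modern browser does.

    A missing SameSite attribute defaults to Lax; SameSite=None without
    Secure raises ValueError, mirroring the browser rejecting the cookie.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    same_site, secure = None, False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "samesite":
            same_site = val.strip().capitalize()   # "lax" -> "Lax", "none" -> "None"
    if same_site is None:
        same_site = "Lax"                          # the modern default
    if same_site not in ("Lax", "Strict", "None"):
        raise ValueError(f"unknown SameSite value {same_site!r}")
    if same_site == "None" and not secure:
        raise ValueError(f"Cookie {name!r} rejected: SameSite=None requires Secure")
    return Cookie(name.strip(), value.strip(), same_site, secure)


def is_sent(cookie: Cookie, *, same_site_request: bool, top_level_navigation: bool,
            method: str, https: bool) -> bool:
    """Decide whether the browser attaches the cookie to a request (assumed model)."""
    if cookie.secure and not https:
        return False                  # Secure cookies travel only over HTTPS
    if same_site_request:
        return True                   # first-party requests always carry the cookie
    if cookie.same_site == "None":
        return True                   # cross-site allowed in all contexts
    if cookie.same_site == "Strict":
        return False                  # never sent from a third-party context
    # Lax: cross-site only on a top-level navigation using a safe method
    return top_level_navigation and method.upper() in ("GET", "HEAD")
```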
Specifications
Specification | Title |
---|---|
RFC 6265, section 4.1: Set-Cookie | HTTP State Management Mechanism |
draft-ietf-httpbis-rfc6265bis-05 | Cookie Prefixes, Same-Site Cookies, and Strict Secure Cookies |
Browser compatibility
Desktop browsers: Chrome, Edge, Firefox, IE, Opera, Safari. Mobile browsers: WebView Android, Chrome Android, Firefox Android, Opera Android, Safari iOS, Samsung Internet Android. A number is the first version with full support, "Yes" means full support (version not recorded), "No" means no support.
Feature | Chrome | Edge | Firefox | IE | Opera | Safari | WebView Android | Chrome Android | Firefox Android | Opera Android | Safari iOS | Samsung Internet Android |
---|---|---|---|---|---|---|---|---|---|---|---|---|
Set-Cookie | Yes | 12 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
HttpOnly | 1 | 12 | 3 | 9 | 11 | 5 | 37 | Yes | 4 | Yes | 4 | Yes |
Max-Age | Yes | 12 | Yes | 8 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
SameSite | 51 | 16 | 60 | No | 39 | 13 | 51 | 51 | 60 | 41 | 13 | 5.0 |
SameSite: SameSite=Lax | 51 | 16 | 60 | No | 39 | 12 | 51 | 51 | 60 | 41 | 12.2 | 5.0 |
SameSite: Defaults to Lax | 80 | 80 | 69 | No | 67 | No | 80 | 80 | No | No | No | No |
SameSite: SameSite=None | 51 | 16 | 60 | No | 39 | 13 | 51 | 51 | 60 | 41 | 13 | 5.0 |
SameSite: SameSite=Strict | 51 | 16 | 60 | No | 39 | 12 | 51 | 51 | 60 | 41 | 12.2 | 5.0 |
SameSite: Secure context required | 80 | 80 | 69 | No | 67 | No | 80 | 80 | No | No | No | No |
Cookie prefixes | 49 | 79 | 50 | No | 36 | Yes | 49 | 49 | 50 | 36 | Yes | 5.0 |