Skip to content

Same Site Cookies

  • The SameSite attribute of the Set-Cookie HTTP response header allows you to declare if your cookie should be restricted to a first-party or same-site context.
  • A cookie is associated with a domain. If this domain is the same as the domain of the page you are on, the cookie is called a first-party cookie. If the domain is different, it is a third-party cookie.
  • the server hosting a web page sets first-party cookies, the page may contain images or other components stored on servers in other domains (for example, ad banners), which may set third-party cookies
  • These are mainly used for advertising and tracking across the web.

Set-Cookie: flavor=choco; SameSite=None;


Cookies are not sent on normalย cross-site subrequests (for example to load images or frames into a third party site), but are sent when a user is navigating to the origin siteย (i.e. when following a link). Set-Cookie: flavor=choco; SameSite=Lax;


Set-Cookie: flavor=choco; SameSite=Strict; Secure Cookies will only be sent in a first-party context and not be sent along with requests initiated by third party websites.

Default If not specified

The SameSite=Lax is the default cookie value if SameSite has not been explicitly specified in recent browser versions

Pasted image 20210430045738.png

Bypassing SameSite cookie restrictions | Web Security Academy (