Overview
The SameSite cookie attribute, introduced in Google Chrome 51 (2016) and subsequently standardised in RFC 6265bis, instructs browsers whether to include a cookie when a request originates from a different site. When this attribute is not explicitly set—or is set to SameSite=None without a justified reason—the browser may attach the cookie to cross-origin requests initiated by third-party pages. This behaviour is the primary prerequisite for Cross-Site Request Forgery (CSRF) attacks and also contributes to cross-site information leakage.
Prior to 2020, the implicit browser default was to send cookies with all requests regardless of origin (equivalent to SameSite=None). Modern browsers (Chrome 80+, Firefox, Safari) now default to SameSite=Lax when the attribute is absent, partially mitigating the risk — but this browser-level default is not a substitute for explicit server-side configuration, as older browsers and non-standard user agents do not apply this heuristic.
How it works
The SameSite attribute accepts three values, each defining a different enforcement level:
- Strict: The cookie is only sent when the request originates from the same site as the cookie's domain. No cross-site sending occurs under any circumstances.
- Lax: The cookie is sent with same-site requests and with top-level navigations (e.g., clicking a link) that use safe HTTP methods (GET, HEAD). It is not sent with cross-site sub-resource requests (images, iframes, AJAX/fetch).
- None: The cookie is sent with all requests, regardless of origin. Requires the
Secureattribute to be set simultaneously; without it, modern browsers reject the cookie entirely.
When the attribute is missing and the browser falls back to Lax, state-changing GET endpoints remain exposed. When the browser is older or non-compliant and falls back to None-equivalent behaviour, all state-changing endpoints are exposed. An attacker can exploit this by embedding a forged request (form auto-submit, image tag, fetch call) in a page they control:
- Victim is authenticated on
bank.example.com; a session cookie withoutSameSiteis stored. - Victim visits attacker-controlled
evil.example.com. - The malicious page silently issues a POST request to
bank.example.com/transfer. - The browser attaches the session cookie automatically, and the server processes the request as legitimate.
Beyond CSRF, missing SameSite also enables cross-site search attacks and timing side-channels where an attacker infers authentication state from cookie presence.
Business impact
A successful CSRF exploit enabled by a missing SameSite attribute allows an attacker to perform any action the victim can perform while authenticated — including changing account credentials or email addresses, initiating financial transfers, modifying configuration, or deleting data. The attacker requires no knowledge of the victim's credentials; only the victim's active session is needed.
Compliance implications include violations of OWASP ASVS (Level 1, requirement 3.4.3), PCI DSS requirements for session management, and GDPR obligations to protect personal data through appropriate technical measures. Organisations in regulated industries may face fines, audit findings, or contractual penalties following a breach attributable to this misconfiguration.
How to fix it
- Set
SameSite=Laxas the baseline for all session and authentication cookies. This is the recommended default for most applications and prevents cookie transmission on cross-site sub-resource requests while preserving functionality for top-level navigations. - Use
SameSite=Strictfor highly sensitive cookies (e.g., administrative sessions, payment flows) where breaking cross-site navigation links is acceptable. - Avoid
SameSite=Noneunless the cookie is explicitly required in a cross-site context (e.g., embedded widgets, OAuth flows). IfNoneis necessary, always combine it withSecureand add additional CSRF defences such as the Synchronizer Token Pattern or the Double Submit Cookie pattern. - Set the attribute server-side on every
Set-Cookieresponse header, not relying on browser defaults. Example:Set-Cookie: sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax - Audit all cookies issued by first-party code and third-party libraries/frameworks. Many web frameworks offer global cookie configuration (e.g.,
SESSION_COOKIE_SAMESITEin Django,cookie.sameSitein Express-session,session.cookie.samesitein Spring Boot). - Do not rely solely on browser defaults as a mitigation — older browsers, embedded WebViews, and non-standard clients may not apply the
Laxdefault behaviour. - Layer defences: Complement
SameSitewith CSRF tokens for all state-changing requests, theOrigin/Refererheader validation, and theHttpOnlyandSecureflags on the same cookies.
References
- OWASP – SameSite
- OWASP – Cross-Site Request Forgery (CSRF)
- OWASP CSRF Prevention Cheat Sheet
- OWASP Session Management Cheat Sheet
- MITRE CWE-1275 – Sensitive Cookie with Improper SameSite Attribute
- MDN Web Docs – Set-Cookie: SameSite
- IETF RFC 6265bis – Cookies: HTTP State Management Mechanism (draft)
- web.dev – SameSite cookies explained