Hi @Marc Davis,
It seems a bit confusing and I hope somebody can help bring some sense to it.
You can read this blog which explains in detail the pros and cons of several properties of SameSite.
SameSite=Lax is the default mode used when you don't explicitly specify a SameSite mode. From the MDN documentation:
Means that the cookie is not sent on cross-site requests, such as on requests to load images or frames, but is sent when a user is navigating to the origin site from an external site (for example, when following a link). This is the default behavior if the SameSite attribute is not specified.
SameSite=None means that the browser sends the cookie with both cross-site and same-site requests. The Secure attribute must also be set when setting this value, like so: SameSite=None; Secure.
The one advantage of SameSite=None is that cookies are always sent, so if you need a cookie to be sent cross-site, it's your only choice; Strict and Lax won't work.
The disadvantage of None cookies is that they do nothing to protect you from CSRF attacks, disabling the protections that Strict or Lax cookies would provide. For this reason, you generally shouldn't use SameSite=None by default. Only use it where it's strictly required.
Defense against CSRF Principles
Best regards,
Lan Huang
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
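As an added illustration of the Lax/None behaviour described in the answer above (example code, not part of the original post): a simplified model of the browser's SameSite decision, and a Set-Cookie builder that enforces the "None requires Secure" rule. The function names, the request shapes and the scenario values are the example's own assumptions.

```javascript
// Simplified model: would a browser attach this cookie to the request?
// Assumed request fields: crossSite, topLevelNavigation, safeMethod (GET/HEAD), https.
function cookieIsSent(cookie, req) {
  const mode = (cookie.sameSite || 'Lax').toLowerCase(); // unspecified -> treated as Lax
  if (cookie.secure && !req.https) return false;        // Secure cookies need HTTPS
  if (!req.crossSite) return true;                      // same-site requests: always sent
  switch (mode) {
    case 'strict': return false;                        // never on cross-site requests
    case 'lax':    return req.topLevelNavigation && req.safeMethod; // link-style navigation only
    case 'none':   return true;                         // always sent, so no CSRF protection
    default:       throw new Error(`unknown SameSite mode: ${cookie.sameSite}`);
  }
}

// Build a Set-Cookie header value; refuse SameSite=None unless Secure is also set.
function buildSetCookie(name, value, { sameSite = 'Lax', secure = false, httpOnly = true } = {}) {
  if (sameSite === 'None' && !secure) {
    throw new Error('SameSite=None must be combined with Secure');
  }
  const parts = [`${name}=${encodeURIComponent(value)}`, `SameSite=${sameSite}`];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Constructed scenarios: a cross-site form POST (the shape a CSRF attempt takes),
// a cross-site link click, and a cross-site image load.
const crossSitePost = { crossSite: true, topLevelNavigation: true,  safeMethod: false, https: true };
const linkClick     = { crossSite: true, topLevelNavigation: true,  safeMethod: true,  https: true };
const imageLoad     = { crossSite: true, topLevelNavigation: false, safeMethod: true,  https: true };

function demo() {
  const lax  = { sameSite: 'Lax',  secure: true };
  const none = { sameSite: 'None', secure: true };
  return {
    laxOnCrossSitePost:  cookieIsSent(lax,  crossSitePost), // false: Lax withholds the cookie
    noneOnCrossSitePost: cookieIsSent(none, crossSitePost), // true: None gives no protection
    laxOnLinkClick:      cookieIsSent(lax,  linkClick),     // true: top-level safe navigation
    laxOnImageLoad:      cookieIsSent(lax,  imageLoad),     // false: subresource request
  };
}
```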