In this post, I will explain how to fix the new SameSite cookie issue that appears when you update Chrome. SameSite was introduced to control which cookies can be sent along with cross-domain requests. Until now, browsers by default allowed any cookie that doesn’t have this attribute set to be forwarded with cross-domain requests. This SameSite issue affects apps that use third-party cookies in the Chrome browser.
You can read the release updates at https://www.chromium.org/updates/same-site
What is a SameSite cookie?
Last year, in May 2019, Chrome announced its plan to develop a secure model for handling cookies. Chrome promised a more secure and faster browsing experience for its users and aims to give users more transparency and control: users should be aware of how they are tracked and who is tracking them. Because users are increasingly concerned about their privacy and potential cross-site attacks are on the rise, Chrome is taking action to protect them.
Because of these changes in Chrome, advertisers, publishers, and companies that rely on cookies are the most affected. If you use cookies and get a SameSite cookie warning, start preparing to update your app so your users won’t have a bad experience.
On Feb 4, 2020, Google Chrome will stop sending third-party cookies in cross-site requests unless the cookies are secured and flagged using an IETF standard called SameSite.
What’s cross-site request forgery (CSRF)?
Cross-site request forgery (also known as CSRF) is a web security vulnerability that lets an attacker exploit users through session riding or one-click attacks. For example, an attacker can trick a user into clicking a specific button. If that user is already logged into the website the attacker wants to reach, the attacker rides on the already authenticated session and makes a request to that site which the user didn’t intend to make. The site cannot tell the forged request apart from a legitimate one because the user is already authenticated.
With the SameSite attribute, the developer has the power to set rules around how cookies are shared and accessed.
You can set the SameSite attribute to one of the following values: Strict, Lax, or None.
VALUE | DESCRIPTION |
---|---|
Strict | Cookies with this setting are sent only when visiting the domain from which they were initially set. In other words, Strict completely blocks a cookie from being sent to a.com when the request comes from a page on b.com (i.e. b.com is in the URL bar). Even when clicking a top-level link on a third-party domain to your site, the browser will refuse to send the cookie. This option is best for applications that require high security, such as banks. |
Lax | Unlike None, where cookies are always sent, Lax cookies are only sent on same-site requests, like Strict. However, Lax allows top-level navigation with a safe HTTP method, like HTTP GET. The cookie will not be sent with cross-domain POST requests or when loading the site in a cross-origin frame, but it will be sent when you navigate to the site via a standard top-level `<a href=...>` link. |
None | Cookies with this setting work the same way cookies work today: they can be used across sites. Note that you need both the None and Secure attributes together; if you specify None without Secure, the cookie will be rejected. Secure ensures that the browser only sends the cookie over a secure (HTTPS) connection. |
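To make the table concrete, here is an added example (not code from the original post) that models Chrome's decision to attach a cookie to a request, with the "SameSite by default cookies" and "Cookies without SameSite must be secure" behaviours both in effect; the `cookie` and `request` shapes are this example's own assumptions, and Chrome's temporary allowance for Lax cookies on cross-site POSTs younger than two minutes is deliberately left out.

```javascript
// Added example, not code from the original post: a model of Chrome's
// SameSite policy as summarised in the table above.

// cookie:  { sameSite: 'Strict' | 'Lax' | 'None' | undefined, secure: boolean }
// request: { sameSite: boolean,   // request site matches the cookie's site
//            topLevel: boolean,   // navigation in the URL bar, not a frame/XHR
//            method: string,      // HTTP method, e.g. 'GET' or 'POST'
//            https: boolean }     // request goes over HTTPS
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// A missing SameSite attribute is treated as Lax ("SameSite by default").
function effectiveSameSite(cookie) {
  return cookie.sameSite === undefined ? 'Lax' : cookie.sameSite;
}

// Is the cookie stored at all? SameSite=None without Secure is rejected.
function isAccepted(cookie) {
  return !(cookie.sameSite === 'None' && !cookie.secure);
}

// Would Chrome attach the cookie to this request?
function isSent(cookie, request) {
  if (!isAccepted(cookie)) return false;             // never stored
  if (cookie.secure && !request.https) return false; // Secure needs HTTPS
  if (request.sameSite) return true;                 // same-site: always sent
  switch (effectiveSameSite(cookie)) {
    case 'None':
      return true;                                   // cross-site allowed
    case 'Lax':
      // Only a top-level navigation with a safe method, e.g. a plain link.
      return request.topLevel && SAFE_METHODS.has(request.method);
    default:
      return false;                                  // Strict: never cross-site
  }
}

// Constructed scenario from the CSRF section: a form on b.com POSTing to a.com
// while the user is logged in to a.com with a Lax session cookie.
const sessionCookie = { sameSite: 'Lax', secure: true };
const forgedPost = { sameSite: false, topLevel: true, method: 'POST', https: true };
console.log(isSent(sessionCookie, forgedPost)); // false: the forged POST carries no session
console.log(isSent(sessionCookie, { ...forgedPost, method: 'GET' })); // true: plain link
```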
Fix SameSite cookie using PHP
You can fix the SameSite cookie error in PHP using the header function. Note that you need to install or upgrade to the latest version of PHP to set the SameSite=None cookie option. You can set the cookie in your header after your session is started, as shown in the code below.
```php
<?php
session_start();
// Re-send the session cookie with the SameSite=None and Secure attributes.
// header() replaces any Set-Cookie header already queued (its replace
// parameter defaults to true), so the browser sees only this one.
header('Set-Cookie: ' . session_name() . '=' . session_id() . '; SameSite=None; Secure');
```
The code above fixes the issue.
Fix SameSite cookie in Chrome
You can enable or disable this behaviour from your Chrome browser settings. Follow the steps below to enable or disable SameSite cookies in Chrome.
- Open the Chrome browser
- Enter chrome://flags/ in your address bar; it will open the experimental settings page
- Search for “SameSite by default cookies” and choose “Enable”
- Search for “Cookies without SameSite must be secure” and choose “Enable”
- Restart Chrome
Fix SameSite cookie using NGINX
You can set the SameSite flag in your NGINX configuration under a location section. Currently the best way to add the flag in NGINX is the proxy_cookie_path directive.
```nginx
server {
    # Your other server directives...
    location / {
        proxy_cookie_path / "/; secure; HttpOnly; SameSite=None";
    }
}
```
These kinds of configurations can be done in most reverse proxies and load balancers.
Remember that not all browser versions support the SameSite value None, so additional user-agent checks are needed.
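A check worth running against the responses of both fixes above, as an added example that is not code from the original post: `auditSetCookie` parses a Set-Cookie header (such as the one the PHP snippet emits) and applies the table's rule that SameSite=None is only accepted together with Secure, and `proxyCookiePath` is a simplified, assumed model of what the NGINX `proxy_cookie_path` directive does to an upstream Set-Cookie header so the rewritten header can be audited too. The sample headers are constructed.

```javascript
// Added example, not code from the original post: audit a Set-Cookie header
// against the SameSite=None + Secure rule, and model the NGINX rewrite.

// Parse "name=value; Attr; Attr=val" into { name, value, attrs }.
// Attribute names are lower-cased because cookie attributes are case-insensitive.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i < 0 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i < 0 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Returns the problems Chrome would have with this cookie in a cross-site
// context; an empty list means the header is fine.
function auditSetCookie(header) {
  const { attrs } = parseSetCookie(header);
  if (attrs.samesite === undefined) {
    return ['no SameSite attribute: Chrome treats the cookie as Lax'];
  }
  const value = String(attrs.samesite).toLowerCase();
  if (!['strict', 'lax', 'none'].includes(value)) {
    return [`unknown SameSite value "${attrs.samesite}"`];
  }
  if (value === 'none' && attrs.secure !== true) {
    return ['SameSite=None without Secure: Chrome rejects the cookie'];
  }
  return [];
}

// Simplified model (assumption, not NGINX's code) of proxy_cookie_path in its
// plain-string form: the leading PATH text of the Path attribute is replaced.
// Two consequences worth knowing: a cookie with no Path attribute is left
// untouched (so it gets no flags), and a Path such as "/app" turns into
// "/; secure; HttpOnly; SameSite=Noneapp", which the audit above then flags.
function proxyCookiePath(header, path, replacement) {
  const escaped = path.replace(/[\\^$.*+?()\[\]{}|]/g, '\\$&');
  return header.replace(new RegExp(`(;\\s*path=)${escaped}`, 'i'), `$1${replacement}`);
}

// Constructed upstream header: PHP's session cookie uses Path=/ by default.
const rewritten = proxyCookiePath('PHPSESSID=abc123; path=/', '/', '/; secure; HttpOnly; SameSite=None');
console.log(rewritten, auditSetCookie(rewritten)); // ... []
```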
If this post helped you fix the SameSite issue, please don’t forget to like our Facebook page and subscribe to our YouTube channel; the link is given at the top of the post. Thank you.