Nice article! For the benefit of anyone reading who didn't take your advice and fully understand the issues first ;) Please, please, please remember you ONLY need SameSite=None; Secure for cookies that are sent in cross-site / third-party contexts. So, that means these embedded apps or services. For cookies in first-party use, i.e. where the domain in the browser matches the domain of the cookie, consider SameSite=Lax or SameSite=Strict instead. Do not just blindly add SameSite=None; Secure to every single cookie.
So for the Laravel session and XSRF Token cookies we should use SameSite=Strict in config/session.php? How would we implement this and only have this apply for these two cookies I am now getting warnings for?
cookie `host-name_staging_session` will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite” attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
I'd suggest Lax for your session cookie, not Strict.
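To make the rule from the comments above concrete, here is an added checker (not code from any commenter or from Laravel) that takes Set-Cookie header values and reports the SameSite/Secure combinations the thread discusses, including the exact one the browser warning complains about; the sample headers are constructed, and the "missing SameSite means Lax" note describes the Chromium default.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Added example: audit Set-Cookie header values for the SameSite/Secure
# combinations discussed in the thread. Sample headers used with it are constructed.
VALID_SAME_SITE = {"strict", "lax", "none"}

@dataclass
class CookieAudit:
    name: str
    same_site: str | None          # lowercased attribute value, None if absent
    secure: bool
    findings: list[str] = field(default_factory=list)

def parse_set_cookie(header: str) -> CookieAudit:
    """Extract the cookie name and the SameSite/Secure attributes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    same_site, secure = None, False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            same_site = value.strip().lower()   # "" if written without a value
        elif key == "secure":
            secure = True
    return CookieAudit(name, same_site, secure)

def audit_set_cookie(header: str, cross_site: bool = False) -> CookieAudit:
    """Report what a reviewer would flag about one Set-Cookie header.

    cross_site=True means the cookie must travel in an embedded/third-party
    context, the only case where SameSite=None is needed.
    """
    c = parse_set_cookie(header)
    if c.same_site is None:
        c.findings.append("no SameSite attribute; Chromium applies Lax by default")
    elif c.same_site not in VALID_SAME_SITE:
        c.findings.append(f"invalid SameSite value {c.same_site!r}")
    if c.same_site == "none" and not c.secure:
        c.findings.append("SameSite=None without Secure: browsers reject this cookie")
    if c.same_site == "none" and not cross_site:
        c.findings.append("first-party cookie does not need SameSite=None; use Lax (or Strict)")
    if cross_site and c.same_site != "none":
        c.findings.append("cross-site cookie is dropped unless SameSite=None; Secure")
    return c
```

Run it over the headers your app actually emits (curl -I against the staging host is enough) rather than over the config, since middleware and proxies can change attributes after Laravel sets them.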