Prerequisite
Read this extensive tutorial from Shopify to get more understanding about the SameSite cookie attribute.
Working with Same...
For further actions, you may consider blocking this person and/or reporting abuse
Nice article! For the benefit of anyone reading who didn't take your advice and fully understand the issues first ;) Please, please, please remember you ONLY need
SameSite=None; Secure
for cookies that are sent in cross-site / third-party contexts. So, that means these embedded apps or services. Cookies for first-party use, i.e. the domain in the browser matches the domain of the cookie, then considerSameSite=Lax
orSameSite=Strict
instead. Do not just blindly addSameSite=None; Secure
to every single cookie.So for the Laravel session and XSRF Token cookies we should use
SameSite="Strict
atconfig/session.php
? How would we implement this and only have this apply for these two cookies I am now getting warnings for?I'd suggest
Lax
for your session cookie, notStrict
.Very timely post :) Just wanted to note some of my findings.
Chrome 80, as it's being updated across our computers, likely does not break your site/app.
Due to the safari bug, they put in an exception
(link: chromestatus.com/feature/508814734...)
However, Safari seems to have been broken for a while now, so a fix should be implemented quickly.
(link: bugs.webkit.org/show_bug.cgi?id=19...)
Their solution uses an Apache regex to solve the problem, but the solution is not up to date with latest Safari.
On a side note, if you've using an SPA and JWTs (no cookies) this is a non-issue.
That exception is temporary and will go away at some point. The specific situation that covers is for top-level, cross-site POST requests that require cookies. These should be set with
SameSite=None; Secure
as a permanent fix, not rely on the exception. This was added to account for a number of individual single sign-on implementations using this pattern to receive a CSRF token in their cookie - it is not related to the Safari issue.The Safari issue is due to their implementation matching a much earlier version of the draft. As a result, if you need the cookie to work in all browsers you can use the double cookie solution proposed in web.dev/samesite-cookie-recipes/#h...
Thank you Rowan for your input on this issue 🙏🏼
Hi Daniel, thank you for sharing your findings.
SameSite flag is not being enforced even in Chrome 80 until 17th February, 2020. ( I am not sure about the date ) as a relaxation.
If you want to test, go to
chrome://flags
and enable all three SameSite flags. You will see the errors mentioned in Shopify's tutorial.All we can do, is to be prepared, right? ;)
And yeah, you are right about SPA. 👍
Let me know your thoughts! Thanks.
Why is it necessary to check the browser and only set the SameSite/Secure attributes for compatible clients? Would something bad happen if you just set it in your config/session.php and used it for all users? Any clients that do not recognize SameSite=None should ignore it and carry on as if the attribute was not set.
This tutorial was super helpful and it is straight and to the point. Thanks, Mohsin for sharing this.
One more thing I discovered. We can't set SameSite = None in laravel 5.6 or lower version. SameSite = Lax works in laravel 5.6 But we can set SameSite = NONE in 5.8 or above.
Thank you for making this and helping the community.