Skip to content

Bit #44

When working with session cookie, it’s important to be aware that using SameSite=Strict will block the session cookie being sent by the user’s browser for all cross-site usage — including safe requests with HTTP methods like GET and HEAD.

While that might be the safest setting, the downside is that the session cookie won’t be sent when a user clicks on a link to your application from another website. Your application will initially treat the user as ‘not logged in’ even if they have an active session.

So if your application will potentially have other websites linking to it (or even links shared in emails or private messaging services), then SameSite=Lax is generally the more appropriate setting.