You may run into the SameSite attribute warning in the Google Chrome developer tools when accessing some websites. This is an important warning: it means web browsers are rejecting these cookies.
You can tell whether you are affected by opening the web browser developer tools and looking for a message like this:
A cookie associated with a cross-site resource at http://wp.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies …
This issue can be of some concern to developers who do not understand what is going on. The warning may show up several times per page, especially when using a CMS like WordPress loaded with plugins, which compounds the issue.
The SameSite attribute tells web browsers whether or not to allow cookies in first-party or third-party situations. As of February 4th, 2020, Google Chrome 80 enforces a first-party default on all cookies that don’t have the attribute set.
What are the values for the SameSite attribute?
Values for the SameSite attribute include:
- ‘lax’ (SameSite=Lax), which enables only first-party cookies to be accepted. The domain in the URL bar must equal the cookie’s domain (first-party) and the link should not come from a third-party site.
- ‘strict’ (SameSite=Strict): the domain in the URL bar must equal the cookie’s domain.
- ‘none’ (SameSite=None), which tells the browser that the cookie data can be shared with third-party sites for valid reasons such as advertising, embedded content, or other forms of tracking.
Google Chrome 80 and above changed the default value from ‘none’ to ‘lax’. It is also important to note that SameSite=None cookies must also be marked as Secure, otherwise they will be rejected.
How do I prepare for this?
If you need greater security, such as for financial institutions, medical institutions, etc., you may need to update your attributes to ‘SameSite=Lax’ or ‘SameSite=Strict’. Note that the Chrome 80 default is ‘
The rest of the developers and publishers need to update the SameSite attribute to ‘SameSite=None; Secure’ to ensure Chrome doesn’t reject their cookies. Otherwise, the consequences can be a decline in ad revenue and unpredictable retargeting, conversion tracking, and/or analytics.
How to set the SameSite attribute
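If you are using PHP up to 7.2, you can use either of the following:
// setcookie() has no SameSite parameter before PHP 7.3, so the attributes are appended to the path argument
setcookie('key', 'value', time() + (7*24*3600), "/; SameSite=None; Secure");
// or send the Set-Cookie header directly
header('Set-Cookie: cross-site-cookie=name; SameSite=None; Secure');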
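Or if you are using PHP 7.3 or higher, you can use:
// the options array accepts 'samesite' and 'secure' keys from PHP 7.3 onwards
setcookie('key', 'value', ['samesite' => 'None', 'secure' => true]);
// set the cookie client-side by assigning to document.cookie
echo "<script>document.cookie = 'key=value; SameSite=None; Secure';</script>";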
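The two PHP approaches above can be combined into one helper. This is an added example, not code from the original article: it uses the setcookie() option array on PHP 7.3+ and a hand-built header on older versions, and refuses SameSite=None without Secure. The function names, cookie names and values are made up for illustration.

```php
<?php
// Added example; helper and cookie names are hypothetical, values are constructed.

// Validate the attributes for one cookie. Enforces the rule from the text:
// SameSite=None is only accepted by the browser together with Secure.
function samesite_cookie_options($sameSite, array $opts = [])
{
    $sameSite = ucfirst(strtolower($sameSite));
    if (!in_array($sameSite, ['Lax', 'Strict', 'None'], true)) {
        throw new InvalidArgumentException('SameSite must be Lax, Strict or None');
    }
    $opts += ['expires' => 0, 'path' => '/', 'domain' => '',
              'secure' => false, 'httponly' => true];
    if ($sameSite === 'None' && !$opts['secure']) {
        throw new InvalidArgumentException('SameSite=None requires Secure');
    }
    $opts['samesite'] = $sameSite;
    return $opts;
}

// Send the cookie with the option array on PHP >= 7.3, or a raw header before that.
function send_samesite_cookie($name, $value, $sameSite, array $opts = [])
{
    $o = samesite_cookie_options($sameSite, $opts);
    if (PHP_VERSION_ID >= 70300) {
        return setcookie($name, $value, $o);
    }
    // Older PHP: setcookie() has no SameSite parameter, so build the header by hand.
    if (preg_match('/[=,; \t\r\n\013\014]/', $name)) {
        return false; // same characters setcookie() refuses in a cookie name
    }
    $h = $name . '=' . rawurlencode($value);
    if ($o['expires'] > 0) {
        $h .= '; Expires=' . gmdate('D, d M Y H:i:s', $o['expires']) . ' GMT';
    }
    $h .= '; Path=' . $o['path'];
    if ($o['domain'] !== '') { $h .= '; Domain=' . $o['domain']; }
    if ($o['secure'])        { $h .= '; Secure'; }
    if ($o['httponly'])      { $h .= '; HttpOnly'; }
    $h .= '; SameSite=' . $o['samesite'];
    header('Set-Cookie: ' . $h, false); // false: keep other Set-Cookie headers
    return true;
}

// The session cookie stays first-party; only the embedded-content cookie is cross-site.
send_samesite_cookie('session_id', 'constructed-value', 'Lax', ['secure' => true]);
send_samesite_cookie('embed_pref', 'constructed-value', 'None',
    ['secure' => true, 'expires' => time() + 7 * 24 * 3600]);
```

Call the helper before any output is sent, since both branches write response headers.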
This can also be done at the web server level by those who have access to it. You need to enable mod_headers. For this example, using Ubuntu 18.04 / Apache 2.4.29, you can do it like so:
Add the following directive to the Apache VirtualHost configurations:
Header edit Set-Cookie ^(.*)$ "$1; Secure; SameSite=None"
systemctl restart apache2
The Apache option is suitable for most virtual hosts and for those using platforms such as WordPress where you may not want to tinker with the core code.