Can anyone tell me what the difference is between SameSite="Lax" and SameSite="Strict", with a nice example? I am a bit confused between these two.
Overview. SameSite prevents the browser from sending this cookie along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage. It also provides some protection against cross-site request forgery attacks. Possible values for the flag are none, lax, or strict.
The “Lax” value in SameSite is a more relaxed form of cross-site request protection. With this setting, your web browser will allow most cross-domain cookie-sharing so long as the requests originate from a top-level GET request.
Cookies set with SameSite=Strict restrict cross-site sharing entirely, even between different domains owned by the same publisher. Chrome has a setting under "chrome://flags" that checks the SameSite attribute on the site's cookies: #same-site-by-default-cookies and #cookies-without-same-site-must-be-secure.
Lax. Cookies are not sent on normal cross-site subrequests (for example to load images or frames into a third party site), but are sent when a user is navigating to the origin site (i.e., when following a link).
Lax allows the cookie to be sent on some cross-site requests, whereas Strict never allows the cookie to be sent on a cross-site request.
The situations in which Lax cookies can be sent cross-site must satisfy both of the following:
For example:
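An added illustration, not part of the original answer: a small JavaScript model of the decision the answer describes, comparing Strict, Lax and None for the same constructed requests (a link click, an image subrequest, a form POST, and a same-site request). It assumes hostnames `bank.example` and `other.example`, treats the last two hostname labels as the "site" instead of using the Public Suffix List, and models Lax as "top-level navigation with a safe HTTP method".

```javascript
// Added example: simplified model of when a browser attaches a cookie,
// based on its SameSite value. Not browser code; "site" is approximated
// by the last two hostname labels (real browsers use the Public Suffix List).

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Simplified "site" of a host: www.bank.example -> bank.example
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Does the browser attach `cookie` to `request`?
// request: { initiatorHost, targetHost, method, topLevelNavigation }
function cookieIsSent(cookie, request) {
  const sameSite = siteOf(request.initiatorHost) === siteOf(request.targetHost);
  if (sameSite) return true; // SameSite only restricts cross-site requests
  switch ((cookie.sameSite || "None").toLowerCase()) {
    case "strict":
      return false; // never sent cross-site, not even on a link click
    case "lax":
      // sent only for a top-level navigation using a safe method (e.g. GET link)
      return request.topLevelNavigation && SAFE_METHODS.has(request.method.toUpperCase());
    default:
      return cookie.secure === true; // None: sent cross-site, but only if also Secure
  }
}

// Constructed scenarios: a session cookie for bank.example, requests from other.example.
const SCENARIOS = [
  { name: "link",  initiatorHost: "other.example", targetHost: "bank.example", method: "GET",  topLevelNavigation: true },
  { name: "image", initiatorHost: "other.example", targetHost: "bank.example", method: "GET",  topLevelNavigation: false },
  { name: "form",  initiatorHost: "other.example", targetHost: "bank.example", method: "POST", topLevelNavigation: true },
  { name: "own",   initiatorHost: "www.bank.example", targetHost: "app.bank.example", method: "POST", topLevelNavigation: false },
];

// Returns { scenarioName: { strict, lax, none } } for each policy.
function compareSameSitePolicies() {
  const out = {};
  for (const s of SCENARIOS) {
    out[s.name] = {
      strict: cookieIsSent({ sameSite: "Strict", secure: true }, s),
      lax:    cookieIsSent({ sameSite: "Lax",    secure: true }, s),
      none:   cookieIsSent({ sameSite: "None",   secure: true }, s),
    };
  }
  return out;
}

console.table(compareSameSitePolicies());
```

Only the "link" row differs between Strict and Lax: Lax still sends the cookie on a top-level GET navigation, while Strict never sends it cross-site.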