Resolving the Issue of Cookies Not Being Sent When Opening External Links to Your Website

Learn how to resolve the problem of cookies not being sent when your website is opened through an external link by changing the `SameSite` attribute to `Lax`.

The Problem

When working with an API recently, my team and I encountered an issue where an auth cookie was not being sent when the page loaded through an external link, such as from an email. Strangely, the cookie was sent when I opened the page in a new tab, which is what I’d expect to always happen.

The Solution

Fortunately, we found a simple fix to resolve this problem. By changing the SameSite attribute to Lax, the issue was resolved.

- Set-Cookie: <cookie-name>=<cookie-value>; SameSite=Strict; HttpOnly; Secure
+ Set-Cookie: <cookie-name>=<cookie-value>; SameSite=Lax; HttpOnly; Secure
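
Review bot: On the `+` line, `SameSite=Lax` means this auth cookie now accompanies cross-site top-level GET navigations, so confirm that no GET route behind it changes state, and protect any that do with a separate check such as a CSRF token. Keeping `HttpOnly; Secure` unchanged on both lines is correct.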

Previously, the SameSite attribute was set to Strict, which restricts the cookie to requests that originate from the site that created it. With Lax, the browser also sends the cookie when the site is reached through an external link, that is, a top-level navigation started from another site.

I’ve done my best to visualise the behaviour of the three values you can set for the attribute below. By default, Lax is set, which should be appropriate for common use cases.

Visualising the SameSite attribute for a cookie
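
The rules behind the three values, as an added JavaScript model that is not code from the original post. The `isCookieSent` function, the request fields and the host names (`app.example`, `mail.example`, `other.example`) are assumptions made for illustration; sites are assumed to be already reduced to scheme plus registrable domain, and browser-specific exceptions are not modelled.

```javascript
// Added example: simplified model of a browser's SameSite decision.
// Assumed: sites are already reduced to scheme + registrable domain.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

function isCookieSent(cookie, request) {
  // A missing attribute is treated as Lax, the default the post mentions.
  const mode = (cookie.sameSite || "Lax").toLowerCase();
  // Browsers reject SameSite=None without Secure, so it is never stored.
  if (mode === "none" && !cookie.secure) return false;
  // No initiator (URL typed into a new tab) counts as same-site.
  const crossSite = request.initiatorSite !== null &&
    request.initiatorSite !== request.targetSite;
  if (!crossSite) return true;
  switch (mode) {
    case "strict":
      return false; // withheld from every cross-site request
    case "lax":     // only top-level navigations with a safe method
      return request.topLevelNavigation &&
        SAFE_METHODS.has(request.method.toUpperCase());
    case "none":
      return true;
    default:
      throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
  }
}

// Constructed scenarios; all host names are hypothetical.
const target = "https://app.example";
const scenarios = {
  typedInNewTab: { initiatorSite: null, targetSite: target, topLevelNavigation: true, method: "GET" },
  linkFromWebmail: { initiatorSite: "https://mail.example", targetSite: target, topLevelNavigation: true, method: "GET" },
  crossSiteFormPost: { initiatorSite: "https://other.example", targetSite: target, topLevelNavigation: true, method: "POST" },
  crossSiteImage: { initiatorSite: "https://other.example", targetSite: target, topLevelNavigation: false, method: "GET" },
  sameSiteFetch: { initiatorSite: target, targetSite: target, topLevelNavigation: false, method: "POST" },
};

// One row per scenario, one column per SameSite value.
function decisionTable() {
  const table = {};
  for (const [name, request] of Object.entries(scenarios)) {
    table[name] = {};
    for (const sameSite of ["Strict", "Lax", "None"]) {
      table[name][sameSite] = isCookieSent({ sameSite, secure: true }, request);
    }
  }
  return table;
}

console.table(decisionTable());
```

The `linkFromWebmail` row is the case from this post: withheld under Strict, sent under Lax, while the cross-site form POST and image rows stay withheld under Lax.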

Want to Learn More?

Although I planned to provide additional information on this topic, I came across two excellent resources that explain it better than I could:

  • SameSite Cookies Explained: This article, written by the Chrome team, provides a comprehensive explanation of the SameSite attribute’s behaviour and use cases. I found it to be the most informative resource on the topic.

  • Set-Cookie - HTTP | MDN: The Mozilla Developer Network (MDN) provides detailed reference documentation on all attributes of a cookie. Exploring this resource can help you gain a deeper understanding of other cookie attributes.

Best of luck solving your own future cookie problems!

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer’s view in any way.