Same site cookies
sameSite
cookie flag.#
About the To ensure session cookies are protected from CSRF attacks the sameSite
cookie attribute is set.
The sameSite
cookie attribute is used to declare if your cookies should be restricted to a first-party or same-site context.
The sameSite
attribute can be set to three possible values:
none
- Cookies will be sent in all contexts, i.e cookies will be attached to both first-party and cross-origin requests.
- On Safari however, if third party cookies are blocked (which is the default behaviour), and the website and api domains do not share the same top level domain, then cookies won't go. Please see this GitHub issue to know about workarounds - one of the workarounds is also described here.
lax
- Cookies will only be sent in a first-party context and along with
GET
requests initiated by third party websites (that result in browser navigation - user clicking on a link).
- Cookies will only be sent in a first-party context and along with
strict
- Cookies will only be sent in a first-party context and not be sent along with requests initiated by third party websites.
sameSite
value#
Manually set caution
- SuperTokens will automatically set the value of the
sameSite
cookie attribute based on your website and api domain configration. - Please only change this setting if you are a web security expert. If you are unsure, please feel free to ask questions to us.
- NodeJS
- GoLang
- Python
import SuperTokens from "supertokens-node";
import Session from "supertokens-node/recipe/session";
SuperTokens.init({
supertokens: {
connectionURI: "...",
},
appInfo: {
apiDomain: "...",
appName: "...",
websiteDomain: "..."
},
recipeList: [
Session.init({
cookieSameSite: "strict", // Should be one of "strict" or "lax" or "none"
}),
],
});
import (
"github.com/supertokens/supertokens-golang/recipe/session"
"github.com/supertokens/supertokens-golang/recipe/session/sessmodels"
"github.com/supertokens/supertokens-golang/supertokens"
)
func main() {
// Should be one of "strict" or "lax" or "none"
cookieSameSite := "lax"
supertokens.Init(supertokens.TypeInput{
RecipeList: []supertokens.Recipe{
session.Init(&sessmodels.TypeInput{
CookieSameSite: &cookieSameSite,
}),
},
})
}
from supertokens_python import init, InputAppInfo
from supertokens_python.recipe import session
init(
app_info=InputAppInfo(api_domain="...", app_name="...", website_domain="..."),
framework='...',
recipe_list=[
session.init(
cookie_same_site='lax' # Should be one of 'strict' or 'lax' or 'none'
)
]
)