Gertjan Franken
Gertjan Franken

Reputation: 676

Why does Google Chrome not recognize my SameSite cookie?

I'm trying to explore how Google Chrome handles SameSite cookies. So by using the console (ctrl+Shift+J), I added an aditional key-value pair for the cookie of a certain website I have an account on. I inputted the following code:

document.cookie="SameSite=strict"

I checked the remaining cookie and all original key-value pairs are still there, along with the newly added "SameSite=strict" pair.

Now, the problem is that Chrome doesn't act like it is supposed to according to the specification of the SameSite cookie. For example: when I go to wikipedia.org and click on a link that directs me to the website of the cookie, I'm logged in. Normally I would not be logged in, because Chrome isn't supposed to send along the cookie due to the "SameSite=strict" pair.

Am I overlooking something?

Upvotes: 2

Views: 1722

Answers (1)

Gabor Lengyel
Gabor Lengyel

Reputation: 15599

SameSite is not a cookie value. It's a cookie flag, like httpOnly and secure. So you cannot set it like document.cookie="SameSite=strict", because that sets a value.

Try with

document.cookie="mycookie=myvalue;SameSite=strict"

You can then observe in Chrome DevTools on the Application tab under Cookies that your cookie is in fact set as SameSite=strict, as opposed to just a plain cookie.

Upvotes: 5

Related Questions