Reputation: 676
Why does Google Chrome not recognize my SameSite cookie?
I'm trying to explore how Google Chrome handles SameSite cookies. So by using the console (ctrl+Shift+J), I added an aditional key-value pair for the cookie of a certain website I have an account on. I inputted the following code:
document.cookie="SameSite=strict"
I checked the remaining cookie and all original key-value pairs are still there, along with the newly added "SameSite=strict" pair.
Now, the problem is that Chrome doesn't act like it is supposed to according to the specification of the SameSite cookie. For example: when I go to wikipedia.org and click on a link that directs me to the website of the cookie, I'm logged in. Normally I would not be logged in, because Chrome isn't supposed to send along the cookie due to the "SameSite=strict" pair.
Am I overlooking something?
Upvotes: 2
Views: 1723
Answers (1)
Reputation: 15599
SameSite is not a cookie value. It's a cookie flag, like httpOnly and secure. So you cannot set it like document.cookie="SameSite=strict", because that sets a value.
Try with
document.cookie="mycookie=myvalue;SameSite=strict"
You can then observe in Chrome DevTools on the Application tab under Cookies that your cookie is in fact set as SameSite=strict, as opposed to just a plain cookie.
Upvotes: 5
Related Questions
- Cookies with SameSite=None; Secure=true are not sent in all contexts. Chrome 91
- SameSite=none and insecure http cookies fail to work on Chrome
- SameSite=None not working on Chrome incognito?
- js-cookie with sameSite None & secure
- Chrome filter out SameSite:None secure cookie
- Chrome 80 allows insecure SameSite=None cookies
- Cookies without "SameSite" attribute are sent on different sub domains
- A cookie associated with a cross-site resource was set without the `SameSite` attribute
- Chrome won't send domain level cookies to server in request header
- I cant read my cookie out in google chrome but I can in all other browsers