
Problems with new SameSite cookie changes

December 27, 2022

This blog gives a basic understanding of the SameSite attribute in cookies and its old behaviour.

By Kripa K, "An Inquisitive learner"


Google has rolled out its SameSite updates, which change how the SameSite attribute must be set for a cookie to be sent in a third-party context. This change in turn affected older browser versions, which this blog discusses in detail. Before we dive deep into the issue, let's get a basic understanding of the SameSite attribute in cookies and its old behaviour.

What is the SameSite attribute in Cookies?

The SameSite attribute in cookies allows you to declare whether your cookie should be restricted to first-party or same-site context.

Old Behaviour:

The SameSite attribute provides three different ways to control its behaviour:

  1. Strict
  2. Lax
  3. No value specified

1) Strict:

If the SameSite attribute is set to Strict, the cookie is only sent in a first-party context, meaning the cookie's domain matches the site shown in the browser's address bar.

2) Lax:

If the SameSite attribute is set to Lax, the cookie is not sent on normal cross-site subrequests (for example, when a third-party site loads images or frames), but it is sent when the user navigates to the origin site (i.e., when following a link).

3) No Value specified:

When the SameSite attribute is not specified, the cookie can be sent in both contexts (first-party and third-party).

Issues with old behaviour:

  1. The SameSite attribute was not adopted by many developers.
  2. When no value is set for the SameSite attribute, the cookie is sent in every context, which makes the site vulnerable to CSRF.

Google’s new SameSite update:

Google rolled out the SameSite changes on 14th July 2020, along with the release of Chrome 84. The changes require developers to set the SameSite attribute explicitly if the cookie is to be accessed in a third-party context. This update reduces the chance of accidentally introducing CSRF vulnerabilities and improves protection against CSRF attacks. Hence the SameSite updates protect user privacy and provide a more open and transparent experience.

Changes to the old behaviour of the SameSite cookie:

  1. The SameSite attribute must be set to None for the cookie to be sent in a third-party context.
  2. Cookies with SameSite=None must also specify Secure, indicating that they require a secure (HTTPS) context.
  3. If no SameSite value is set, the browser treats the cookie as SameSite=Lax by default.
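The three old modes (Strict, Lax, no value) and the three new rules above can be expressed in a few lines. The following is an added example, not code from the original post: it builds a Set-Cookie header value that follows the new rules and simulates whether a browser would attach such a cookie to a given request under the old and the new default. The request model (crossSite, topLevelNavigation, method, https) is a simplification assumed for this example, and the sample request is constructed.

```javascript
// Added example (not from the original post). Builds Set-Cookie header values
// that follow the post-Chrome-84 rules and simulates whether a browser would
// attach the cookie to a request under the old and the new default behaviour.

const SAMESITE_VALUES = ['Strict', 'Lax', 'None'];

// Build a Set-Cookie header value. Rejects SameSite=None without Secure, the
// combination that browsers implementing the new rules drop.
function buildSetCookie(name, value, opts = {}) {
  const { sameSite, secure = false, httpOnly = true, path = '/' } = opts;
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (sameSite !== undefined) {
    if (!SAMESITE_VALUES.includes(sameSite)) {
      throw new Error(`invalid SameSite value: ${sameSite}`);
    }
    if (sameSite === 'None' && !secure) {
      throw new Error('SameSite=None requires the Secure attribute');
    }
    parts.push(`SameSite=${sameSite}`);
  }
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Parse the attributes this example cares about out of a Set-Cookie value.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: pair.split('=')[0], sameSite: undefined, secure: false };
  for (const attr of attrs) {
    const [key, val] = attr.split('=');
    if (key.toLowerCase() === 'samesite') cookie.sameSite = val;
    if (key.toLowerCase() === 'secure') cookie.secure = true;
  }
  return cookie;
}

// Simulate whether a browser attaches `cookie` to `request`.
// request: { crossSite, topLevelNavigation, method, https } (simplified model,
// an assumption of this example). legacyDefault=true reproduces the old
// behaviour (no SameSite means "send anywhere"); false reproduces the new
// behaviour (no SameSite means Lax).
function wouldSendCookie(cookie, request, { legacyDefault = false } = {}) {
  if (cookie.secure && !request.https) return false; // Secure cookies need HTTPS
  let mode = cookie.sameSite;
  if (mode === undefined) {
    if (legacyDefault) return true;
    mode = 'Lax';
  }
  if (mode === 'None') return legacyDefault || cookie.secure;
  if (!request.crossSite) return true; // same-site requests always carry the cookie
  if (mode === 'Strict') return false;
  // Lax: only top-level navigations using a safe method (e.g. following a link)
  const safeMethod = ['GET', 'HEAD', 'OPTIONS'].includes(request.method);
  return request.topLevelNavigation && safeMethod;
}

// A CSRF-style request: a form on another site POSTs to ours (constructed sample).
const crossSitePost = { crossSite: true, topLevelNavigation: true, method: 'POST', https: true };

// Old default: a cookie with no SameSite attribute rides along with the forged POST.
const legacyCookie = parseSetCookie(buildSetCookie('sid', 'abc123'));
console.log('old default, cross-site POST:', wouldSendCookie(legacyCookie, crossSitePost, { legacyDefault: true })); // true
// New default: the same cookie is treated as Lax and is withheld.
console.log('new default, cross-site POST:', wouldSendCookie(legacyCookie, crossSitePost)); // false
// Explicit None + Secure: sent in the third-party context by design.
const thirdParty = parseSetCookie(buildSetCookie('sid', 'abc123', { sameSite: 'None', secure: true }));
console.log('SameSite=None; Secure, cross-site POST:', wouldSendCookie(thirdParty, crossSitePost)); // true
```

The first two console lines are the security point of the update: the same cookie that was sent with a forged cross-site POST under the old default is withheld once the browser treats a missing SameSite attribute as Lax, while a cookie that genuinely needs to travel cross-site must now say so with SameSite=None and carry Secure.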

This in turn made developers analyse their use case and explicitly set the SameSite attribute to None wherever cookies must be sent in a third-party context.

Issues with older browser versions:

The rollout of the SameSite attribute changes affected older browser versions, which do not recognise None as an attribute value. These browser versions reject a cookie whose SameSite attribute is set to None (the cookie is not set at all).

List of incompatible browser versions:

  1. Chrome: versions 51 to 66
  2. UC Browser: versions before 12.13.2
  3. Safari: on macOS 10.14 and earlier, and on iOS 12 and earlier

Approaches to work around incompatible Clients:

  1. Double Cookie: set two cookies with the same value, one with the SameSite attribute set to None and the other with no value specified.
  2. User Agent Sniffing: add functionality to detect the browser version from the user agent and set the SameSite attribute accordingly.

The double cookie approach is not ideal, since two versions of the same cookie have to be maintained everywhere, and browsers also limit how much cookie storage a site may use. Hence we decided to go with the user agent sniffing approach, which detects the browser version: we set the SameSite attribute to None if the version is compatible, and otherwise set no value.

https://gist.github.com/kripz97/b545a2c3bfc163eb4979a727d6cc5c58

This method covers the browsers we use frequently and should mostly eliminate the browser incompatibility issues we face with the SameSite attribute changes.
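An added example of such a check (this is not the gist linked above, nor any code from the original post): it implements the user agent sniffing approach using only the incompatible clients listed in this article, Chrome 51 to 66, UC Browser before 12.13.2, and Safari on macOS 10.14 or earlier and iOS 12 or earlier. The user-agent string shapes it matches on (`Chrome/66.0...`, `UCBrowser/12.13.2...`, `Mac OS X 10_14_6`, `iPhone OS 12_1`) are the usual ones but are assumptions of this example, and the sample user agents are constructed.

```javascript
// Added example (not the gist from the original post). Implements the
// user-agent sniffing approach using only the incompatible clients the article
// lists: Chrome 51-66, UC Browser before 12.13.2, Safari on macOS 10.14 or
// earlier and on iOS 12 or earlier. The UA string shapes assumed here are the
// usual ones ("Chrome/66.0...", "UCBrowser/12.13.2...", "Mac OS X 10_14_6",
// "iPhone OS 12_1"); the sample strings below are constructed for this example.

// Compare dotted version strings: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const x = a.split('.').map((n) => parseInt(n, 10) || 0);
  const y = b.split('.').map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    const d = (x[i] || 0) - (y[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True when the client is on the article's list of clients that mishandle SameSite=None.
function isSameSiteNoneIncompatible(ua) {
  // UC Browser before 12.13.2 (checked first: its UA also carries a Chrome token)
  const uc = /UCBrowser\/(\d+(?:\.\d+)*)/.exec(ua);
  if (uc) return compareVersions(uc[1], '12.13.2') < 0;

  // Chrome 51 to 66 (Chromium-based browsers carry the same token and are treated alike)
  const chrome = /Chrom(?:e|ium)\/(\d+)/.exec(ua);
  if (chrome) {
    const major = parseInt(chrome[1], 10);
    return major >= 51 && major <= 66;
  }

  // Safari (WebKit) on iOS 12 or earlier
  const ios = /\((?:iPhone|iPad|iPod);[^)]*OS (\d+)_/.exec(ua);
  if (ios) return parseInt(ios[1], 10) <= 12;

  // Safari on macOS 10.14 or earlier (Firefox uses dotted versions and has no Safari/ token)
  const mac = /Macintosh;[^)]*Mac OS X (\d+)_(\d+)/.exec(ua);
  if (mac && /Safari\//.test(ua)) {
    const major = parseInt(mac[1], 10);
    const minor = parseInt(mac[2], 10);
    return major < 10 || (major === 10 && minor <= 14);
  }
  return false;
}

// Build the Set-Cookie value for a cookie that must reach third-party contexts:
// SameSite=None for compatible clients, no SameSite attribute otherwise.
function thirdPartyCookieHeader(name, value, ua) {
  const parts = [`${name}=${value}`, 'Path=/', 'Secure', 'HttpOnly'];
  if (!isSameSiteNoneIncompatible(ua)) parts.push('SameSite=None');
  return parts.join('; ');
}

// Constructed sample user agents covering each rule above.
const SAMPLE_UAS = {
  chrome66: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36',
  chrome108: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36',
  ucOld: 'Mozilla/5.0 (Linux; U; Android 8.1.0; en-US; Nexus 6P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.11.2.1184 Mobile Safari/537.36',
  ucNew: 'Mozilla/5.0 (Linux; U; Android 8.1.0; en-US; Nexus 6P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.13.2.1207 Mobile Safari/537.36',
  safariMojave: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.1.15',
  safariCatalina: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Safari/605.1.15',
  ios12: 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1',
  ios16: 'Mozilla/5.0 (iPhone; CPU iPhone OS 16_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Mobile/15E148 Safari/604.1',
  firefoxMac: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:108.0) Gecko/20100101 Firefox/108.0',
};

for (const [label, ua] of Object.entries(SAMPLE_UAS)) {
  console.log(label.padEnd(15), thirdPartyCookieHeader('sid', 'abc123', ua));
}
```

Because the check is keyed on the user agent, it only protects the clients whose strings it recognises; any client not on the list receives SameSite=None, which is the right default under the new rules.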


References:

https://www.chromium.org/updates/same-site/incompatible-clients/

Meet the team!

Author: Kripa K
Reviewed by: Harinniy Gopikannan
Editor: Seema Jain


We at CaratLane are solving some of the most intriguing challenges to make our mark in the relatively uncharted omnichannel jewellery industry. If you are interested in tackling such obstacles, feel free to drop your updated resume/CV to careers@caratlane.com