New SameSite defaults in Chrome 80

hemorej · January 17, 2020, 3:57pm

Chrome 80 coming out soon will change the default cookie behaviour with regards to the SameSite attribute. I’m using sessions in Kirby currently which set a basic session cookie but without an explicit SameSite attribute. My understanding is that this will break (meaning Chrome won’t send the cookies if the attribute isn’t explicitly set to something) with the new browser update. There are no issues on Github about this so I’m not sure if anyone is aware of this issue.

Is there a way to configure the session to specify which SameSite attribute to use?

texnixe · January 17, 2020, 6:35pm

From my understanding, only the default way such requests without an explicit setting are handled changes: SameSite cookies explained | Articles | web.dev

Cookies without a SameSite attribute will be treated as SameSite=Lax .

Cookies with SameSite=None must also specify Secure , meaning they require a secure context.