Same site cookies

About the `sameSite` cookie flag
To protect session cookies from CSRF attacks, the `sameSite` cookie attribute is set. The `sameSite` cookie attribute declares whether your cookies should be restricted to a first-party or same-site context. The `sameSite` attribute can be set to one of three values:
`none`
- Cookies will be sent in all contexts, i.e. cookies will be attached to both first-party and cross-origin requests.
- On Safari, however, if third-party cookies are blocked (which is the default behaviour) and the website and API domains do not share the same top-level domain, then cookies won't be sent. Please check here to see how you can switch to using headers.

`lax`
- Cookies will only be sent in a first-party context and along with `GET` requests initiated by third-party websites that result in browser navigation (the user clicking on a link).

`strict`
- Cookies will only be sent in a first-party context and will not be sent along with requests initiated by third-party websites.
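The rules above can be hard to keep straight, so here is a small model of the browser's `sameSite` decision written as an added example (it is not SuperTokens code and not from the original page). It encodes exactly the three behaviours listed above, plus a naive check for the Safari caveat: whether two hostnames share a registrable domain. The `RequestContext` shape, the function names and the sample requests are assumptions made for this illustration; the domain check takes only the last two labels and would need the Public Suffix List to be correct for suffixes like `co.uk`.

```typescript
// Added illustration of the SameSite rules described above.
// Not SuperTokens code; the types and helpers here are assumptions for this example.

type SameSite = "none" | "lax" | "strict";

interface RequestContext {
  // true when the request is first-party (initiator and target are the same site)
  firstParty: boolean;
  method: string;
  // true for a top-level navigation such as the user clicking a link,
  // false for fetch/XHR, image, iframe and other sub-resource requests
  topLevelNavigation: boolean;
}

// Returns true when a cookie carrying the given sameSite value would be attached.
function cookieWouldBeSent(policy: SameSite, ctx: RequestContext): boolean {
  // First-party requests always carry the cookie, whatever the policy.
  if (ctx.firstParty) return true;

  if (policy === "none") {
    // Sent in every context (modern browsers also require the Secure attribute;
    // the Safari third-party-cookie block is modelled separately below).
    return true;
  }
  if (policy === "lax") {
    // Cross-site only for a top-level navigation using a safe method (GET).
    return ctx.topLevelNavigation && ctx.method.toUpperCase() === "GET";
  }
  // "strict": never attached to a cross-site request.
  return false;
}

// Naive approximation of "share the same top-level domain" from the Safari note:
// compares the last two DNS labels. Assumption: no multi-label public suffixes.
function sharesRegistrableDomain(hostA: string, hostB: string): boolean {
  const tail = (h: string) => h.toLowerCase().split(".").slice(-2).join(".");
  return tail(hostA) === tail(hostB);
}

// Constructed sample requests (not captured traffic).
const firstPartyFetch: RequestContext = { firstParty: true, method: "POST", topLevelNavigation: false };
const crossSiteFormPost: RequestContext = { firstParty: false, method: "POST", topLevelNavigation: true }; // classic CSRF shape
const crossSiteLinkClick: RequestContext = { firstParty: false, method: "GET", topLevelNavigation: true };
const crossSiteFetch: RequestContext = { firstParty: false, method: "GET", topLevelNavigation: false };

// Summarise which policy attaches the cookie for each sample request.
function summarise(): Record<string, Record<SameSite, boolean>> {
  const policies: SameSite[] = ["none", "lax", "strict"];
  const samples: Record<string, RequestContext> = {
    firstPartyFetch, crossSiteFormPost, crossSiteLinkClick, crossSiteFetch,
  };
  const out: Record<string, Record<SameSite, boolean>> = {};
  for (const [name, ctx] of Object.entries(samples)) {
    out[name] = { none: false, lax: false, strict: false };
    for (const p of policies) out[name][p] = cookieWouldBeSent(p, ctx);
  }
  return out;
}

console.table(summarise());
console.log("app.example.com / api.example.com share a registrable domain:",
  sharesRegistrableDomain("app.example.com", "api.example.com"));
```

The table makes the trade-off visible: `lax` is what stops the cross-site form POST (the CSRF case) while still letting a link click arrive with a session, and `strict` also drops the link click. When `sharesRegistrableDomain` returns false for your website and API domains, that is the configuration where Safari's default blocks a `none` cookie and header-based sessions become the alternative.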
Manually set `sameSite` value

caution
- SuperTokens will automatically set the value of the `sameSite` cookie attribute based on your website and API domain configuration.
- Please only change this setting if you are a web security expert. If you are unsure, please feel free to ask questions to us.
```typescript
import SuperTokens from "supertokens-node";
import Session from "supertokens-node/recipe/session";

SuperTokens.init({
    supertokens: {
        connectionURI: "...",
    },
    appInfo: {
        apiDomain: "...",
        appName: "...",
        websiteDomain: "...",
    },
    recipeList: [
        Session.init({
            cookieSameSite: "strict", // Should be one of "strict" or "lax" or "none"
        }),
    ],
});
```