Same site cookies
SuperTokens automatically sets the value of the sameSite cookie attribute based on your website and API domain configuration.
The sameSite cookie attribute is set so that session cookies are protected from CSRF attacks.
The sameSite cookie attribute declares whether your cookies should be restricted to a first-party or same-site context.
The sameSite attribute can be set to three possible values:
- none: Cookies are sent in all contexts, i.e. they are attached to both first-party and cross-origin requests.
- lax: Cookies are sent only in a first-party context, plus along with GET requests initiated by third-party websites. Note that in the second case, for the cookie to be sent with a GET request initiated by a third-party website, the request must be a top-level navigation (e.g. the user clicking a link).
- strict: Cookies are sent only in a first-party context and never along with requests initiated by third-party websites.
You can manually set the sameSite value when configuring the Session recipe in your backend code:
Config for Node.js:
let SuperTokens = require("supertokens-node");
let Session = require("supertokens-node/recipe/session");
// cookieSameSite accepts "strict" | "lax" | "none"; omit it and SuperTokens derives it from your domain configuration
Session.init({
    cookieSameSite: "strict",
});
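The following is an added example, not SuperTokens' own code: it models the three sameSite rules listed above as a predicate a defender can use to reason about which requests carry the session cookie, and derives a sameSite value from the website and API domains in the spirit of the automatic selection described at the top of the page. The "same-site means lax, cross-site means none" rule and the two-label registrable-domain check are assumptions of this example, not SuperTokens' documented algorithm.

```javascript
// Registrable domain approximated as the last two host labels.
// Assumption: no public-suffix list, so suffixes like "co.uk" are not handled.
function registrableDomain(origin) {
  const host = new URL(origin).hostname;
  return host.split(".").slice(-2).join(".");
}

// "Same site" in the SameSite sense: same scheme and same registrable domain.
function isSameSite(originA, originB) {
  const a = new URL(originA), b = new URL(originB);
  return a.protocol === b.protocol && registrableDomain(originA) === registrableDomain(originB);
}

// Derive a sameSite value from the website and API domains (assumed rule):
// same-site -> "lax" keeps CSRF protection while the app's own calls still work;
// cross-site -> "none" is required, and browsers only honour SameSite=None on
// Secure (HTTPS) cookies, so anything else is rejected here.
function chooseSameSite(websiteDomain, apiDomain) {
  if (isSameSite(websiteDomain, apiDomain)) return "lax";
  const secure = [websiteDomain, apiDomain].every((o) => new URL(o).protocol === "https:");
  if (!secure) throw new Error("sameSite=none requires HTTPS on both website and API domain");
  return "none";
}

// Would the browser attach the cookie to this request? Encodes the three rules above:
// none   -> always sent
// lax    -> same-site, or a cross-site top-level GET navigation (link click)
// strict -> same-site only
function cookieSent(sameSite, { crossSite, method, topLevelNavigation }) {
  switch (sameSite) {
    case "none":
      return true;
    case "lax":
      return !crossSite || (method === "GET" && topLevelNavigation);
    case "strict":
      return !crossSite;
    default:
      throw new Error(`unknown sameSite value: ${sameSite}`);
  }
}

// Constructed scenario: a cross-site form POST (the classic CSRF shape) against an API
// whose session cookie is lax is sent without the cookie, so the session is not reused.
const csrfShapedPost = { crossSite: true, method: "POST", topLevelNavigation: true };
module.exports = { registrableDomain, isSameSite, chooseSameSite, cookieSent, csrfShapedPost };
```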