Skip to main content

Same site cookies

About the sameSite cookie flag.#

To ensure session cookies are protected from CSRF attacks the sameSite cookie attribute is set.

The sameSite cookie attribute is used to declare if your cookies should be restricted to a first-party or same-site context. The sameSite attribute can be set to three possible values:

  • none
    • Cookies will be sent in all contexts, i.e cookies will be attached to both first-party and cross-origin requests.
    • On Safari however, if third party cookies are blocked (which is the default behaviour), and the website and api domains do not share the same top level domain, then cookies won't go. Please see this GitHub issue to know about workarounds - one of the workarounds is also described here.
  • lax
    • Cookies will only be sent in a first-party context and along with GET requests initiated by third party websites (that result in browser navigation - user clicking on a link).
  • strict
    • Cookies will only be sent in a first-party context and not be sent along with requests initiated by third party websites.

Manually set sameSite value#

caution
  • SuperTokens will automatically set the value of the sameSite cookie attribute based on your website and api domain configration.
  • Please only change this setting if you are a web security expert. If you are unsure, please feel free to ask questions to us.
let SuperTokens = require("supertokens-node");let Session = require("supertokens-node/recipe/session");
SuperTokens.init({    supertokens: {...},    appInfo: {...},    recipeList: [        Session.init({          cookieSameSite: "strict" | "lax" | "none";     ]});