Setting Same-Site cookie attribute to Lax

Is setting Same-Site attribute of a cookie to lax the same as not setting the Same-Site attribute?

In Google Chrome < 76 – no. Setting SameSite=lax is safer than omitting the attribute. (But if your implementation currently relies on cross-origin requests, double-check that adding the attribute doesn't break anything.)

Here are the differences:

  • When you don't set the SameSite attribute, the cookie is always sent.

  • With SameSite=lax, the cookie is only sent on same-site requests or top-level navigation with a safe HTTP method. That is, it will not be sent with cross-domain POST requests or when loading the site in a cross-origin frame, but it will be sent when you navigate to the site via a standard top-level <a href=...> link.

  • With SameSite=strict (or an invalid value), the cookie is never sent in cross-site requests. Even when clicking a top-level link on a third-party domain to your site, the browser will refuse to send the cookie.

Starting with Chrome 76, your browser has an option to make no SameSite behave like Samesite=Lax. This will be default in Chrome 80. From the feature description:

The Stable version of Chrome 80 is targeted for enabling this feature by default. The feature will be enabled in the Beta version only, starting in Chrome 78. This feature is available as of Chrome 76 by enabling the same-site-by-default-cookies flag.

Also have a look at the RFC draft and Sjoerd's blog post.

This is currently changed in Chrome - and this means that not setting SameSite is actually considered LAX.