SameSite=strict is weird, because it means if someone follows a link to your web application they will be treated as logged out in the first page they interact with, then logged in on any subsequent navigations they make within your site.
Yes, Lax is the option when you want to prevent CSRF and nothing else.
I actually don't know any use case for Strict, but it makes sense, so it's probably useful.
And None is for when you want to explicitly allow CSRF (which is useful sometimes).
And either way, it's best to always set that flag on sensitive cookies (not only authentication, but anything that leaks user information too), even if it's the documented default, because browsers make quite a mess of their default.
simonw|2 years ago
drekembe|2 years ago
marcosdumay|2 years ago
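An added illustration, not part of the thread, that models the browser's cookie-sending decision for Strict, Lax and None as discussed above, including the "logged out on the first click" quirk of Strict and why an unset attribute behaves differently across browsers (the Chrome "Lax+POST" 120-second exemption). Site names are constructed; the model follows the RFC 6265bis rules, not any one browser's code.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One browser request, seen from the cookie jar's point of view."""
    initiator_site: str          # registrable domain of the page that caused the request
    target_site: str             # registrable domain the request goes to
    method: str                  # HTTP method
    top_level_navigation: bool   # True for a link click or form submit that changes the URL bar


def cookie_is_sent(samesite: str, req: Request) -> bool:
    """Is a cookie with this SameSite value attached to req?

    Strict: only when the initiator is the same site.
    Lax:    also on cross-site top-level navigations using a safe method.
    None:   always (modern browsers additionally require Secure).
    """
    if req.initiator_site == req.target_site:
        return True
    mode = samesite.lower()
    if mode == "none":
        return True
    if mode == "strict":
        return False
    if mode == "lax":
        return req.top_level_navigation and req.method.upper() in ("GET", "HEAD")
    raise ValueError(f"unknown SameSite value: {samesite}")


def sent_when_attribute_unset(browser: str, cookie_age_seconds: float, req: Request) -> bool:
    """Behaviour when SameSite is omitted, the case the thread says to avoid.

    Chrome defaults to Lax but still sends a cookie set less than 120 s ago on a
    cross-site top-level POST ("Lax+POST"); Firefox and Safari default to None.
    """
    if browser.lower() == "chrome":
        if cookie_is_sent("Lax", req):
            return True
        return req.top_level_navigation and cookie_age_seconds < 120
    return cookie_is_sent("None", req)


def strict_link_follow_sequence() -> tuple[bool, bool]:
    """The Strict quirk: arrive via a link from another site, then click within the site."""
    first = Request("news.example", "app.example", "GET", True)   # constructed
    second = Request("app.example", "app.example", "GET", True)   # constructed
    return cookie_is_sent("Strict", first), cookie_is_sent("Strict", second)


def csrf_post_outcomes() -> dict[str, bool]:
    """Classic CSRF shape: a cross-site page auto-submits a POST form to app.example."""
    forged = Request("other-site.example", "app.example", "POST", True)  # constructed
    return {mode: cookie_is_sent(mode, forged) for mode in ("Strict", "Lax", "None")}
```

Running `strict_link_follow_sequence()` gives `(False, True)`: the first page after the inbound link sees no session cookie, every later same-site navigation does.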