Test SameSite-by-Default and “SameSite=None; Secure” Cookies Impact on Your Site

Background: With Chrome 80 in February, Chrome will treat cookies that have no declared SameSite value as SameSite=Lax cookies. Only cookies with the SameSite=None; Secure setting will be available for external access, provided they are being accessed from secure connections.

Here is an overview of the steps you can take to test your site against Chrome’s new SameSite-by-default cookie behaviour, and tips for debugging cookie issues that may be related. Please use Chrome 80 or newer (Beta included). (Older versions of Chrome may implement subtly different SameSite behaviour, particularly for Chrome extensions, and may not include the debugging tools mentioned below.) You can check your version number by typing chrome://version in to the browser bar.

Enable the new SameSite behaviour:

1. 1. Go to chrome://flags and search for #same-site-by-default-cookies and #cookies-without-same-site-must-be-secure. Set both of them to “Enabled”.
   2. Restart Chrome for the changes to take effect.
   3. Verify that your browser is applying the correct SameSite behavior by visiting this test site and checking that all rows are green.
   4. Thoroughly test site functionality, with a focus on anything involving federated login flows, multiple domains, or cross-site embedded content (images, videos, etc.).