Manual:SameSite cookies

SameSite is a recent addition to the syntax of HTTP cookies. If a cookie is marked as SameSite=Lax or SameSite=Strict, the browser will not send it with cross-domain requests. (The difference between the two is in the interpretation of "cross-domain": for Lax, it only covers "hidden" requests such as AJAX or iframes, while for Strict, top-level user navigation such as clicking on a link going to another domain is also included.) Browsers are planning to default cookies with no SameSite specification to Lax; as of 2020 autumn, Chrome is the only one actually doing it.^[1] Sites running over multiple domains that are not prepared for this change might experience various issues, such as authentication failures. (Sites running on a single domain will not be affected.)

As of 1.34, MediaWiki supports setting the SameSite flag on cookies. The default for authentication-related cookies is determined by the $wgCookieSameSite setting. Setting this to None (and enabling $wgForceHTTPS , as use of secure HTTPS cookies is required by browsers for SameSite=None) can fix issues such as MediaWiki seeing the user as not logged in when using cross-domain features. Setting the flag on non-authentication cookies is the responsibility of the code handling the cookie; this can only be decided individually, and in most cases it is not needed.

Browsers can show various warnings on cookies which do not have the SameSite flag, e.g. Firefox tends to show errors like this in the developer console: Cookie "<name>" will be soon rejected because it has the "sameSite" attribute set to "none" or an invalid value, without the "secure" attribute. This is a confusing and poorly worded message; what it is supposed to mean is that the cookie will soon be treated as SameSite=Lax and thus not sent with cross-domain AJAX requests. For most non-authentication cookies this is not a problem and the warning can be ignored.

It might be worth to explicitly set SameSite=Lax to get rid of the warning, though.

In PHP, to set the SameSite flag on a cookie, use WebResponse::setCookie() with $options['sameSite'] = 'lax' or similar. To take $wgUseSameSiteLegacyCookies compatibility cookie into account when reading cookies, use WebRequest::getCrossSiteCookie() instead of WebRequest::getCookie().

In Javascript, use the sameSite property of the options object passed to $.cookie to set the SameSite flag on a cookie.

• https://samesite-sandbox.glitch.me/ can be used to check a browser's standard compliance. With the new default-to-Lax SameSite behavior, it should be all green.
• Set specific SameSite handling behavior for testing:
  • Chrome: same-site-by-default-cookies and cookies-without-same-site-must-be-secure flags (see also their debugging tutorial)
  • Firefox: network.cookie.sameSite.laxByDefault and network.cookie.sameSite.noneRequiresSecure configuration keys

• Documentation on MDN
• caniuse browser stats and docs
• The draft standards for SameSite and for defaulting to Lax.
• Manual:HTTPS
• Main task for SameSite issues: T255366

• Manual