Browser Cookie SameSite Errors — Cross-Site Cookie Blocking
About Browser Cookie SameSite Errors
Fix cookie SameSite errors including 'cookie was not set because it did not have a SameSite attribute', cross-site cookie rejection, and third-party cookie blocking.
Quick Answer
What is the difference between Strict, Lax, and None?
Strict: cookie never sent cross-site. Lax: sent only on top-level navigation (clicking a link). None: always sent (requires Secure flag).
Key Details
- SameSite attribute controls when cookies are sent with cross-site requests
- SameSite values: Strict (never cross-site), Lax (top-level navigation only), None (always, requires Secure)
- Chrome defaults cookies without SameSite to Lax since Chrome 80
- SameSite=None requires the Secure attribute (cookie only sent over HTTPS)
- Third-party cookie deprecation will eventually block all cross-site cookies
Common Causes
- Cookie set without SameSite attribute, defaulting to Lax and breaking cross-site use
- SameSite=None set without Secure attribute (required combination)
- Third-party cookie blocking by browser settings or privacy extensions
- Cross-site iframe or redirect losing cookies due to SameSite enforcement
- OAuth flows broken because auth cookies are not sent in cross-site redirects
Steps
1. Set SameSite explicitly: Set-Cookie: name=value; SameSite=None; Secure (for cross-site need)
2. For same-site only cookies: Set-Cookie: name=value; SameSite=Lax (default, most cases)
3. Ensure the Secure flag is set when using SameSite=None (HTTPS required)
4. For OAuth: ensure callback URLs match the cookie's site to use SameSite=Lax
5. Test in Chrome DevTools > Application > Cookies; the 'Issues' tab shows SameSite warnings
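
The rules and failure modes listed above, as an added example that is not part of the original page: a small Set-Cookie auditor that reports the effective SameSite mode and whether the browser would reject the cookie or send it cross-site. The function names parseSetCookie and auditSameSite are hypothetical, the sample headers are constructed, and the Lax default assumes Chrome 80+ behaviour as described on this page.

```javascript
// Added example: audits a Set-Cookie header value against the SameSite rules.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? "" : pair.slice(0, eq);
  const attrs = {};
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    // Attribute names are case-insensitive; valueless ones (Secure) map to "".
    attrs[(i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase()] =
      i === -1 ? "" : attr.slice(i + 1).trim();
  }
  return { name, attrs };
}

function auditSameSite(header) {
  const { name, attrs } = parseSetCookie(header);
  const declared = (attrs.samesite || "").toLowerCase();
  const secure = "secure" in attrs;
  const findings = [];
  let effective = declared;
  if (!["strict", "lax", "none"].includes(declared)) {
    effective = "lax"; // missing or unrecognised value: Chrome 80+ default
    findings.push("no valid SameSite attribute, treated as Lax");
  }
  const rejected = effective === "none" && !secure;
  if (rejected) findings.push("SameSite=None without Secure, cookie rejected");
  return {
    name, effective, rejected, findings,
    // Cross-site iframe, fetch or image request: only SameSite=None is sent.
    sentOnCrossSiteSubrequest: !rejected && effective === "none",
    // Cross-site top-level navigation (link click): Lax and None are sent.
    sentOnTopLevelNavigation: !rejected && effective !== "strict",
  };
}

// Constructed sample headers, one per case from the lists above.
const samples = [
  "sid=abc123; Path=/; HttpOnly",
  "widget=1; SameSite=None",
  "widget=1; SameSite=None; Secure",
  "csrf=tok; samesite=Strict; Secure",
];
for (const h of samples) console.log(h, "=>", JSON.stringify(auditSameSite(h)));
```

Run it over the Set-Cookie values your server emits (for example, copied from the DevTools Network tab) to see which cookies fall back to Lax or are rejected before testing in the browser.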