---
title: Set SameSite On Session Cookies
impact: HIGH
impactDescription: prevents CSRF attacks
tags: cookies, session, csrf, security, csharp
---

## Set SameSite On Session Cookies

The `SameSite` cookie attribute tells the browser when a cookie may be attached to a request that originates from another site. `Strict` never sends it cross-site; `Lax` sends it cross-site only on top-level navigations that use a safe method (for example a clicked link), never on a cross-site POST. A forged request from an attacker's page therefore arrives without the session cookie, which mitigates CSRF.

**Incorrect (None):**

```csharp
using Microsoft.AspNetCore.Http;

// None: the browser attaches the cookie to every cross-site request,
// so a forged form post from another site carries the session.
// Browsers also reject SameSite=None unless Secure is set.
var options = new CookieOptions
{
    SameSite = SameSiteMode.None // Vulnerable to CSRF
};
```

**Correct (Strict/Lax):**

```csharp
using Microsoft.AspNetCore.Http;

// Strict: the browser never attaches the cookie to a cross-site request.
var strictOptions = new CookieOptions
{
    SameSite = SameSiteMode.Strict // Best security
};

// OR Lax: attached on same-site requests and on top-level navigations
// that use a safe method (e.g. a GET link), never on a cross-site POST.
var laxOptions = new CookieOptions
{
    SameSite = SameSiteMode.Lax
};
```

**Tools:** Browser DevTools (inspect the `SameSite` column of the session cookie in the Application/Storage panel)
