---
title: Set SameSite On Session Cookies
impact: MEDIUM
impactDescription: provides fundamental protection against CSRF (Cross-Site Request Forgery) attacks
tags: cookies, samesite, csrf, session, security, php
---

## Set SameSite On Session Cookies

The `SameSite` attribute tells the browser whether or not to send a cookie with cross-site requests. Setting it to `Lax` or `Strict` gives a strong baseline defense against Cross-Site Request Forgery (CSRF) because the session cookie is only attached when the request originates from your own site. Browser defaults for a missing attribute vary (some treat it as `Lax`, others as `None`), so never rely on them: set the attribute explicitly.

**Incorrect (no SameSite attribute):**

```php
// Insecure: no SameSite attribute, so behaviour depends on the browser default
// (historically 'None', i.e. the cookie is sent on every cross-site request)
setcookie("session_id", $token);
```

**Correct (SameSite set):**

```php
// 1. Using setcookie() with the options array (PHP 7.3+)
setcookie("session_id", $token, [
    'samesite' => 'Strict', // Or 'Lax'
    'httponly' => true,     // not readable from JavaScript
    'secure'   => true,     // only sent over HTTPS
    'path'     => '/',
]);

// 2. Global session configuration (must run before session_start())
session_set_cookie_params([
    'samesite' => 'Lax',   // Most compatible for general sites
    'httponly' => true,
    'secure'   => true,
]);
session_start();

// 3. In Laravel: entry in the array returned by config/session.php
'same_site' => 'lax',
```

**SameSite Options:**

| Value | Behavior | CSRF Protection |
|-------|----------|-----------------|
| **Strict** | Cookie is never sent on cross-site requests. | **High** |
| **Lax** | Sent on top-level navigations with safe methods (e.g. clicking a link); not sent on cross-site POST, iframes, images, or fetch/XHR. | **Medium** |
| **None** | Always sent, including cross-site; must be combined with the `Secure` flag or modern browsers reject the cookie. | **None** |

**Recommended:** Use `Strict` for sensitive banking/internal sites. Use `Lax` for general user-facing applications to ensure users remain logged in when arriving from external links.

**Tools:** OWASP ZAP, Browser DevTools, PHP Internal configuration
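As an added check that is not part of the original rule, the following Python auditor parses `Set-Cookie` headers (constructed sample input, modelled on the three PHP configurations above) and reports cookies that lack `SameSite`, use `SameSite=None` without `Secure`, or are session cookies without `Lax`/`Strict`, `HttpOnly` and `Secure`. The set of names treated as session cookies is an assumption.

```python
"""Audit Set-Cookie headers for SameSite, Secure and HttpOnly (constructed sample input)."""
from typing import Dict, List

# Constructed sample headers, as a scanner would see them in HTTP responses.
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/",                                    # no SameSite at all
    "PHPSESSID=def456; Path=/; Secure; HttpOnly; SameSite=Lax",      # correct
    "laravel_session=ghi789; Path=/; HttpOnly; SameSite=None",      # None without Secure
    "theme=dark; Path=/; SameSite=Strict",                          # not a session cookie
]

# Assumption: cookie names that carry a session and therefore need the strict checks.
SESSION_NAMES = {"session_id", "phpsessid", "laravel_session"}


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flags like Secure map to ""
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookie(header: str) -> List[str]:
    """Return the findings for one Set-Cookie header; an empty list means it passed."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings: List[str] = []
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite (relies on browser default)")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure (modern browsers reject it)")
    if str(cookie["name"]).lower() in SESSION_NAMES:
        if samesite not in ("lax", "strict"):
            findings.append("session cookie should use SameSite=Lax or Strict")
        if "httponly" not in attrs:
            findings.append("session cookie missing HttpOnly")
        if "secure" not in attrs:
            findings.append("session cookie missing Secure")
    return findings


def audit_all(headers: List[str]) -> Dict[str, List[str]]:
    """Map each failing cookie name to its findings; passing cookies are omitted."""
    return {str(parse_set_cookie(h)["name"]): audit_cookie(h)
            for h in headers if audit_cookie(h)}
```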
