Room 5 - Level 5

13:40 - 14:40 (UTC-11)

Talk (60 min)

A Deep Dive Into SameSite Cookies, What They Are and Why They Matter

Although they’ve been around for years, SameSite cookies hadn’t gained much attention until September 2019. The Chrome team announced their plans to set ‘SameSite=Lax’ on all cookies without the SameSite attribute in Chrome 80, scheduled to release in February 2020. The rollout was delayed due to COVID-19 until July 2020, and was finally completed in August 2020. With many developers still unaware of this setting and how it works, it is still likely to catch a lot of us unawares with broken sites and weird behaviours.

In this session we will learn about the SameSite cookie attribute and why it is so important to securing your site. We’ll see why ‘Lax’ is the best default to use, and when you’d want to use ‘Strict’ or ‘None’ instead. We will also cover the edge cases and unexpected behaviours that can easily cause confusion and seemingly random bugs. By the end of the session, you’ll know how to properly configure SameSite on your cookies so that your site takes advantage of the security benefits without breaking expected functionality.
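To make the Lax/Strict/None trade-off concrete, here is an added example (not part of the talk or its materials) that models, in simplified form, the decision a Chrome 80+ browser makes about whether to attach a cookie to a request: a missing attribute is treated as Lax, and `SameSite=None` is only honoured when the cookie is also `Secure`. The cookie and request objects, and the field names `initiatorSite`, `targetSite`, `topLevel` and `method`, are assumptions of this model.

```javascript
// Constructed model of browser cookie-attachment rules for the SameSite attribute.
// "site" here stands for the registrable domain (e.g. "example.com"); real browsers
// also compare schemes, but that detail is omitted to keep the model readable.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Chrome 80+ behaviour: no attribute => Lax by default; None without Secure is rejected
// at set-cookie time, so such a cookie is never stored and never sent.
function effectiveSameSite(cookie) {
  const mode = cookie.sameSite || "Lax";
  if (mode === "None" && !cookie.secure) return "Rejected";
  return mode;
}

// Returns true if the cookie would be attached to the request.
function cookieIsSent(cookie, request) {
  const mode = effectiveSameSite(cookie);
  if (mode === "Rejected") return false;
  if (request.initiatorSite === request.targetSite) return true; // same-site: always sent
  switch (mode) {
    case "None":   return true;  // cross-site allowed because the cookie is Secure
    case "Strict": return false; // never cross-site, not even a top-level link click
    case "Lax":    return request.topLevel && SAFE_METHODS.has(request.method);
    default:       return false;
  }
}

// Compare all three modes for one request, to see why Lax is the usual sweet spot:
// it still follows links from other sites but drops cross-site POSTs (the classic CSRF shape).
function compareModes(request) {
  return {
    lax:    cookieIsSent({ sameSite: "Lax",    secure: true }, request),
    strict: cookieIsSent({ sameSite: "Strict", secure: true }, request),
    none:   cookieIsSent({ sameSite: "None",   secure: true }, request),
  };
}

// Constructed sample requests: a link click and a form POST, both arriving from another site.
const linkFromOtherSite = { initiatorSite: "other.example", targetSite: "app.example", topLevel: true, method: "GET" };
const formPostFromOtherSite = { initiatorSite: "other.example", targetSite: "app.example", topLevel: true, method: "POST" };
const imageFromOtherSite = { initiatorSite: "other.example", targetSite: "app.example", topLevel: false, method: "GET" };
```

Comparing `compareModes(linkFromOtherSite)` with `compareModes(formPostFromOtherSite)` shows the practical difference: Strict also logs the user out on an inbound link, while Lax only withholds the cookie from the cross-site POST.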

Stephen Rees-Carter

Stephen has been a PHP developer for many long years and still loves working with PHP every day. His latest project, Laravel Security in Depth, teaches Laravel developers about security concepts. He’s worked on a number of security products (including Wordfence, the most popular WordPress security plugin), large SaaS applications, single-use disposable apps, and even spent a year cleaning infected WordPress sites for fun! Stephen is a Certified Ethical Hacker and loves teaching non-security people how to think like a hacker by showing just how easy it is to hack into insecure things, both digital and physical!