Google has started deprecating third-party cookies (SameSite=None, essentially) in 2024. You might be among the 1% experiment; that might explain why it isn't working anymore. I wrote about this here and left resources too.
medium.com/@hnasr/google-is-deprecating-3rd-party-cookies-d987603607a7
Yeah, I just noticed. I have a web application in Next.js and Django. It's working fine on Firefox and GNOME Web (a.k.a. Safari lol), but its authentication stopped working on Chromium (cookies aren't being set). Thanks man!
Thanks a bunch - just what I needed! I found the explanation in a lot of places but the visuals really clarified it for me.
00:04 - Understanding SameSite cookie attributes and their impact on web functionality.
01:47 - Explains SameSite cookie behavior with strict settings during login.
03:32 - SameSite Strict attribute prevents cookies from being sent on same-site requests.
05:18 - Understanding top-level navigation issues with SameSite cookie attributes.
06:57 - Understanding SameSite cookie behavior with examples of Lax and None attributes.
08:53 - SameSite=None allows cross-site requests, posing security risks like CSRF.
10:44 - Chrome 80 changes how cookies are sent without SameSite attribute.
12:29 - SameSite cookie settings impact resource sharing and authentication.
Hussein, God bless you for explaining this feature so nicely. Even after reading/watching 10s of videos, the concept was not clear. Seriously, you did a great job explaining it so easily with a practical example.
Gagan Gupta Hi Gagan! I am happy the video helped 😊 have a great day
I checked for this topic on many channels but got it clear from here..... thanks Hussein.
Finally I understood this concept... Thanks for this great explanation 👍
❤️
Thank u sooo much sir. I was searching for it the whole day but I didn't understand before u explained it. It's really precious
Still having trouble with SameSite? Rowan from Google is willing to help one-on-one; check his Twitter: twitter.com/rowan_m/status/1280821505757044736?s=21
Thanks, Hussein! Definitely happy to chat with people. Hearing about the issues people are having helps me in turn improve the documentation and samples too.
What if cookies are available for specified domain or path, but SameSite is Lax/None?
@@FLUTTERMAD Domain and Path specify requirements for the request with the cookie; SameSite specifies a requirement for the *context* of the request. E.g. Domain can control if the cookie goes to sub1.example.com or sub2.example.com, while SameSite specifies if the cookie should go to sub1.example.com when the request comes from another site, like google.com.
Thanks a lot brother, I recently made a new website and the front end and backend are hosted on two different services; I was breaking my head over why the browser was not sending cookies. This explains why. I guess I have to use some other way, since Google deprecated cross-site cookies.
Subscribed. ChatGPT failed to explain this concept. Thanks dude.
That excitement level for domain name 😂😂😂😂😂
Very well explained in detail with good example ❤️👍🏻
Finally I understand about sameSite parameter, Thx man you save the day
This is how you explain things!!!!! Thank you so much 🙏🙏🙏. Google Chrome team should use this as their office video because their video is just a crap.
Thanks for making a clear explanation of SameSite!
Still don't know why there's a cookie for the second site referencing an image from the first one when both are open in Chrome. But when one is open in Chrome & the 2nd in Firefox it doesn't seem to work.
This is one of the best illustration for the usage of samesite.
thanks
Rohan Dvivedi thanks Rohan
Amazing explanation. Thank you Nasser sir.
this is an excellent video explaining the same-site policy of cookies!
Thank God! I learned this in college that I paid a lot of money for, and now it's the first time I really understand this issue. Thank you
Thank you sir. You are a gentleman and a scholar.
Is that a Norm joke by any chance? :D
Thank you! It's very clear now what that cookie with sameSite do
Node would throw a typo. But samesite or SameSite works fine..
Best video for samesite Attribute (Cookies)
The perfect explain, GOOD JOB and thank you.
Yeah, it really gets weird with authentication, been having issues lately with my spring boot and nextjs , but thanks I understand them now
Superior content as always.
Thanks Bryan !
Wow, you are great man. What a perfect explanation. Thanks!
@hnasr The server setup things you mentioned at ~1:56, which of your videos teaches such server setups? You have many videos
Thank you for the information. It was really useful.
Thanks brother, You saved a lot of time for me :)
What makes the image display only with the cookie? I thought the cookie being Strict means it lets you access the cookie itself from the same site only. Where is the code for the img, and how do you make it follow the cookie settings?
@hnasr Usually when you visit a site, the server will send the cookie to the browser, right? But in the video, you have mentioned several times that the "browser" will not send the cookie if it's cross-site. Can you explain this please?
haha thanks for the tutorial and positive energy :D
Beautifully visualized!
Excellent presentation. Thank you 😁
Brilliant explanation!!!
The best explanation i love it so much
Amazing explanation!! Thanks a ton!!!
What a perfect explanation. Thanks.
Please someone clear my doubt: the image of one domain is getting loaded on another domain if the attribute SameSite has the value None, right? But what about the SOP (Same Origin Policy)? Ain't it gonna block the responses from cross domain?
Thanks brother, I really appreciate your work and get a lot of experience from you. My question is: shouldn't cookies just work for the same domain? I mean it shouldn't exist if you open a new tab for another domain.
Correct! Cookies are domain specific, but 3rd party cookies were invented for tracking purposes
Thanks for this perfect explanation. just perfect
What if we want to make a request from Domain A through an API call to fetch information from Domain B when SameSite = Strict? What is the way to achieve this?
Great example! Many thanks
beautifully explained..thanks
Is it possible to access a SameSite Lax cookie in case the API is integrated with OpenID Connect for single sign-on? Currently they are inaccessible because the OIDC URL auto-redirects to my API and at that time the API tries to read the cookies at server side. Any suggestions on this please??
Is it possible they have patched this? I can't get cross-site cookies working! I used your Express file and uploaded it to Render. Then I also made a GitHub page with an image src pointing to the Render https link, but the cookie is never sent!!
Great explanation, thanks for sharing.
Good explanation , Thank you so much
Thanks for the explanation Hussein. I got one question: if someone is using my site's login page on their website, then who would set the SameSite: None
(I as the site owner, or the one who is using our login page)? Could you please help me find this.
I have set SameSite: None in my code, but when I am trying to login through their site it is still showing SameSite: Lax, while when I login through my site the changes are reflected as None.
Hi, I have a small doubt. What would be the case when it is not Secure? Please let me know the behavior when both are communicating over HTTP.
If the SameSite attribute is set to Lax the browser is sending the cookie, then how does it prevent CSRF?
nice explanation keep it up dude
Why is redirection to a site not working when SameSite is Lax but the request from another site is a 'POST'?
Will this work only for 'GET'?
I am getting an issue when my site is redirected from a payment gateway. They are redirecting using a POST request.
AMR K POST requests won't send Lax cookies cross-site; there is however an exception if those Lax cookies were created within two minutes.
A SameSite Cookie Exception was made to avoid Redirect Loop in Single Sign-On (SSO) Let us Discuss
ua-cam.com/video/4QiD8cvzCN0/v-deo.html
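Putting the rules from this thread into code: Rowan's distinction above between Domain/Path (requirements on the request itself) and SameSite (a requirement on the request's context), together with the two-minute exception for cross-site POST navigations described in this reply. This is an added example, not code from the video or from any commenter. It models the browser's send decision in plain Node.js, approximates a "site" as the last two host labels (no Public Suffix List, so shared hosts such as *.github.io would be mis-grouped), follows Chrome's documented "Lax-allowing-unsafe" window of two minutes, and uses constructed hosts such as shop.example.com and pay.gateway.test.

```javascript
// Added example (not from the video): a model of how a browser decides whether to
// attach a stored cookie to an outgoing request. Domain/Path/Secure are checks on
// the request itself; SameSite is a check on the request's context: which site
// initiated it, whether it is a top-level navigation, and the HTTP method.
// Assumption: "site" is approximated as the last two host labels (no Public Suffix List).

const LAX_UNSAFE_GRACE_MS = 2 * 60 * 1000; // Chrome's "Lax-allowing-unsafe" window
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// No Domain attribute -> host-only cookie, exact host match required.
function domainMatches(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  if (!cookie.domain) return host === cookie.host.toLowerCase();
  const d = cookie.domain.toLowerCase().replace(/^\./, '');
  return host === d || host.endsWith('.' + d);
}

// RFC 6265 path-match: equal, or a prefix that ends in "/" or is followed by "/".
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

function shouldSendCookie(cookie, req, now = Date.now()) {
  if (!domainMatches(cookie, req.host)) return { send: false, reason: 'Domain mismatch' };
  if (!pathMatches(cookie.path || '/', req.path)) return { send: false, reason: 'Path mismatch' };
  if (cookie.secure && req.scheme !== 'https') return { send: false, reason: 'Secure cookie, non-https request' };

  // Same-site context: the page that initiated the request lives on the same site.
  if (siteOf(req.initiatorHost) === siteOf(req.host)) return { send: true, reason: 'same-site request' };

  // Cross-site context. A cookie with no SameSite attribute is treated as Lax (Chrome 80+ default).
  const mode = (cookie.sameSite || 'Lax').toLowerCase();
  if (mode === 'none') {
    return cookie.secure
      ? { send: true, reason: 'SameSite=None; Secure' }
      : { send: false, reason: 'SameSite=None without Secure is never stored' };
  }
  if (mode === 'strict') return { send: false, reason: 'Strict: no cross-site requests at all' };
  // Lax: only top-level navigations with a safe method...
  if (!req.topLevelNavigation) return { send: false, reason: 'Lax: subresource or fetch from another site' };
  if (SAFE_METHODS.has(req.method.toUpperCase())) return { send: true, reason: 'Lax: top-level GET navigation' };
  // ...except that a default-Lax cookie (no explicit attribute) younger than two minutes
  // still rides along on a cross-site top-level POST, e.g. a payment gateway redirect.
  if (!cookie.sameSite && now - cookie.createdAt < LAX_UNSAFE_GRACE_MS) {
    return { send: true, reason: 'Lax-allowing-unsafe: default-Lax cookie under 2 minutes old' };
  }
  return { send: false, reason: 'Lax: cross-site POST navigation' };
}

// Constructed scenarios from the thread: a shop session cookie, a payment gateway
// redirecting back to the shop with POST, and another site embedding the shop's image.
function demo() {
  const now = 1_700_000_000_000; // fixed clock so the result is deterministic
  const shopHost = 'shop.example.com';
  const base = { host: shopHost, path: '/', secure: true, createdAt: now - 60_000 };
  const postBack = { host: shopHost, path: '/checkout/return', scheme: 'https', method: 'POST',
                     initiatorHost: 'pay.gateway.test', topLevelNavigation: true };
  const imgEmbed = { host: shopHost, path: '/img/logo.png', scheme: 'https', method: 'GET',
                     initiatorHost: 'blog.other.test', topLevelNavigation: false };
  return {
    laxPost: shouldSendCookie({ ...base, sameSite: 'Lax' }, postBack, now).send,
    defaultPostFresh: shouldSendCookie({ ...base }, postBack, now).send,
    defaultPostOld: shouldSendCookie({ ...base, createdAt: now - 180_000 }, postBack, now).send,
    strictPost: shouldSendCookie({ ...base, sameSite: 'Strict' }, postBack, now).send,
    laxImg: shouldSendCookie({ ...base, sameSite: 'Lax' }, imgEmbed, now).send,
    noneImg: shouldSendCookie({ ...base, sameSite: 'None' }, imgEmbed, now).send,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `demo()` result shows the cases raised in the thread side by side: an explicit `SameSite=Lax` session cookie is withheld from the payment gateway's POST redirect, a cookie that never set the attribute is still sent if it is less than two minutes old, and the `<img>` embedded by another site only gets the cookie when it is `SameSite=None; Secure`.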
How can we access the cookies in the request header with httpOnly?? Plz help, I'm in trouble getting these cookies in all request headers
@hussein Nasser: Does this apply to WebSocket?
Hi Nasser, I have a question, How is https in the video implemented? No certificate is imported in the source code.
Hey, I skipped that part since I explained it in other videos ua-cam.com/video/b35Dcz91ItE/v-deo.html
@@hnasr thank you very much 🙏
Brilliant explanation, thanks.
Glad it was helpful!
Thanks for the great example. But how do you set these properties on a site with a drag-and-drop site builder is the real question?
This is done on the backend. Drag and drop stuff is just the page that is being sent to the user.
@@urssaf343 agree to that. A tutorial about how it's done on the back end would be very appreciated. Or is it too much to ask?!
@@vladislavgerginov748 Lookup course from Mosh Hamedani: restful apis with express.
Hi, does the SameSite attribute provide protection on all browsers like IE, Firefox, or just the latest Chrome?
nvn dnt Correct, all browsers now support it except for IE developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Very impressive explanation, but how do you set a cookie with a domain other than your own?
You can't, that is the security aspect of cookies. They are set by the owner of the domain.
You can set the cookie from the client side with JavaScript document.cookie, but you would still have had to inject some code into someone else's domain to do so.
I need SameSite mode Strict, but then my redirection from a payment site is not working.
Is there any solution to keep it working without changing the SameSite Strict mode?
I think it's safe to use Lax for your use case since you are redirecting. I don't know if you can use Strict and still send the cookies while redirecting..
good explanation thanks!
Greetings from Brazil!
Nice work @ Hussein
I am getting HTTP error 405, any advice?
Excellent example with IMG and A. A question: how about IFRAME and AJAX?
Desarrollador Rápido both are very similar to IMG. Thanks!
I see, thank you.
@@hnasr Hmm but according to owasp.org/www-community/attacks/csrf#other-http-methods, JavaScript is subject to same-origin policy. ...which means if AJAX is used to make a request from your other origin (hnasr.github.io), it won't be executed in the first place.
too good. thanks for this video!
How do we set SameSite = None?
Sir please make a video on how to access a cookie from another website.
Means how cross-site is done.
🙏🙏🙏🙏🙏🙏🙏🙏🙏🙏🙏🙏🙏
Thanks for the explanation
That's the best explanation ever! Well done my friend. Keep it going
This is nice explanation
But there is room for explanation around the cookies being set while calling the login API
BRILLIANT !!
Stating the obvious here, but this is an HTTPS-only feature, so the flags won't work in any dev environments that don't have HTTPS configured
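As an added example (not the video's Express code and not from any commenter), here is how a Set-Cookie header for the cross-site case is assembled and what a browser following the Chrome 80 rules does with the header it receives: SameSite=None only works together with Secure, a Secure cookie is dropped when the response arrived over plain http, and a header with no SameSite attribute is treated as Lax. The function names buildSetCookie and effectiveAttributes and the sample header values are this example's own.

```javascript
// Added example (not from the video): build a Set-Cookie header and report what a
// browser applying the Chrome 80 rules would make of one. Cross-site use needs BOTH
// SameSite=None and Secure; None without Secure is rejected, Secure over plain http
// is rejected, and a missing SameSite attribute defaults to Lax.

const SAMESITE_VALUES = ['Strict', 'Lax', 'None'];

function buildSetCookie({ name, value, sameSite = 'Lax', secure = false, httpOnly = true,
                          path = '/', domain, maxAge }) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error(`invalid cookie name: ${name}`);
  if (!SAMESITE_VALUES.includes(sameSite)) throw new Error(`invalid SameSite value: ${sameSite}`);
  if (sameSite === 'None' && !secure) throw new Error('SameSite=None requires Secure');
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`, `SameSite=${sameSite}`];
  if (domain) parts.push(`Domain=${domain}`);
  if (Number.isInteger(maxAge)) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Parse a Set-Cookie header and return the attributes the browser will actually
// apply, plus the reasons it would drop the cookie. `scheme` is the scheme of the
// response that carried the header.
function effectiveAttributes(header, { scheme = 'https' } = {}) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const result = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    sameSite: 'Lax', sameSiteExplicit: false, secure: false, httpOnly: false, problems: [],
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'samesite': {
        // Attribute values are case-insensitive; an unrecognised value behaves like a missing one.
        const norm = v.charAt(0).toUpperCase() + v.slice(1).toLowerCase();
        result.sameSiteExplicit = true;
        result.sameSite = SAMESITE_VALUES.includes(norm) ? norm : 'Lax';
        break;
      }
      case 'secure': result.secure = true; break;
      case 'httponly': result.httpOnly = true; break;
      default: break; // Domain, Path, Max-Age, Expires are not needed for these checks
    }
  }
  if (!result.sameSiteExplicit) result.problems.push('no SameSite attribute: browser defaults to Lax');
  if (result.sameSite === 'None' && !result.secure) result.problems.push('rejected: SameSite=None without Secure');
  if (result.secure && scheme !== 'https') result.problems.push('rejected: Secure cookie set over http');
  return result;
}

// Constructed headers: the one a cross-site embed needs, and two that look right
// but never make it into the cookie jar.
const ok = buildSetCookie({ name: 'session', value: 'abc123', sameSite: 'None', secure: true });
console.log(ok, effectiveAttributes(ok).problems);
console.log(effectiveAttributes('session=abc123; Path=/; SameSite=None').problems);
console.log(effectiveAttributes(ok, { scheme: 'http' }).problems);
```

The last two lines illustrate the dev-environment point above: the same header that works over https produces a rejected cookie when the page is served over http, and dropping Secure to "fix" that simply moves the rejection to the SameSite=None check.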
Thanks for this bro...
Thanks sir, very helpful
Thanks for the video
SameSite=None useless? I'd say no. It's pretty useful during the development phase when your frontend and backend are running on different ports
you can keep the devtools open!
Very nice 👍
excellent thank you
Thanks Boss!
Thanks :)
Thanks
thanks!!
❤️
thanks
haha. master
cmd+/
SUBSCRIBER ++