Recently, while working on a project involving multiple microservices for a website (let’s call it `website.com`), I encountered some interesting behavior with the `SameSite` cookie attribute.
As I experimented with different microservices, I learned firsthand how `SameSite` settings — `Strict`, `Lax`, `None` and the absence of the attribute — impact cookie behavior in modern browsers.
This exploration helped me troubleshoot issues, such as why some links worked seamlessly while others prompted users to sign in. In this blog post, I’ll break down the differences between these `SameSite` values, using a practical example to illustrate their effects and share insights from my experience.
The `SameSite` cookie attribute is a security feature that tells browsers whether a cookie should be sent with cross-site requests. It helps protect against Cross-Site Request Forgery (CSRF) attacks by controlling when cookies are…
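As an added example (not from the original post), here is a simplified JavaScript model of the decision a browser makes for each `SameSite` value when a request targets `website.com`. The request URLs, the `siteOf` shortcut and treating a missing attribute as `Lax` are assumptions, noted in the comments.

```javascript
// Added illustration: simplified model of a browser's SameSite decision.
// Assumption: "site" = scheme + last two host labels (browsers use the Public Suffix List).
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

function siteOf(url) {
  const u = new URL(url);
  return u.protocol + "//" + u.hostname.split(".").slice(-2).join(".");
}

// cookie:  { sameSite: "Strict" | "Lax" | "None" | undefined, secure: boolean }
// request: { initiator, target, method, topLevelNavigation }
function cookieIsSent(cookie, request) {
  // Assumption: a missing attribute is treated as Lax (Chromium's default).
  const mode = cookie.sameSite === undefined ? "Lax" : cookie.sameSite;
  // Browsers that enforce the rule reject SameSite=None cookies that lack Secure.
  if (mode === "None") return cookie.secure === true;
  // Same-site requests carry the cookie in every mode.
  if (siteOf(request.initiator) === siteOf(request.target)) return true;
  if (mode === "Strict") return false;
  // Lax: cross-site only on top-level navigations that use a safe method.
  return request.topLevelNavigation && SAFE_METHODS.has(request.method);
}

// Constructed sample requests (hypothetical hosts).
const REQUESTS = {
  sameSiteLink: { initiator: "https://shop.website.com/", target: "https://app.website.com/", method: "GET", topLevelNavigation: true },
  crossSiteLink: { initiator: "https://mail.example.org/", target: "https://app.website.com/", method: "GET", topLevelNavigation: true },
  crossSitePost: { initiator: "https://other.example.org/", target: "https://app.website.com/save", method: "POST", topLevelNavigation: true },
  crossSiteImage: { initiator: "https://other.example.org/", target: "https://app.website.com/a.png", method: "GET", topLevelNavigation: false },
};

const COOKIES = {
  Strict: { sameSite: "Strict", secure: true },
  Lax: { sameSite: "Lax", secure: true },
  None: { sameSite: "None", secure: true },
  NoneWithoutSecure: { sameSite: "None", secure: false },
  Unset: { sameSite: undefined, secure: true },
};

// Builds { cookieName: { requestName: true|false } } for every combination.
function decisionTable() {
  const table = {};
  for (const [cookieName, cookie] of Object.entries(COOKIES)) {
    table[cookieName] = {};
    for (const [requestName, request] of Object.entries(REQUESTS)) {
      table[cookieName][requestName] = cookieIsSent(cookie, request);
    }
  }
  return table;
}

console.table(decisionTable());
```

In this model a `Strict` session cookie is withheld on the cross-site link click, so the target page sees an unauthenticated request, while `Lax` sends it on that navigation but not on the cross-site `POST`.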