---
title: SameSite cookie rules
description: "For additional cookie security, enable support for applying SameSite cookie rules, as described in the internet-draft Cookies: HTTP State Management Mechanism."
component: pingam
version: 8.1
page_id: pingam:security:enable-samesite-cookies
canonical_url: https://docs.pingidentity.com/pingam/8.1/security/enable-samesite-cookies.html
keywords: ["Security", "OAuth 2.0", "SAML 2.0", "Setup & Configuration"]
page_aliases: ["security-guide:enable-samesite-cookies.adoc"]
---

# SameSite cookie rules

For additional cookie security, enable support for applying *SameSite* cookie rules, as described in the internet-draft [Cookies: HTTP State Management Mechanism](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7).

You can configure the AM server to apply `SameSite` cookie rules by navigating to Configure > Server Defaults > Advanced, and setting the `com.sun.identity.cookie.samesite` property's value to one of the following:

* `strict`

  Requests originating from different sites will not have cookies sent with them.

  When this mode is enabled, any AM functionality that relies on requests being redirected back to the AM instance may not operate correctly. For example, OAuth 2.0 flows and SAML federation may not operate correctly if AM cannot access the required cookies.

* `lax`

  Cookies are not sent with requests originating from different sites, unless the request is a *top-level* request (a navigation) that uses a "safe" HTTP method, such as GET, HEAD, OPTIONS, or TRACE.

* `off`

  No `SameSite` restriction is applied to cookies. This is the default setting.

  You *must* disable `SameSite` support if any of the following is true:

  * You have set `Access-Control-Allow-Credentials=true` in your CORS configuration.

    For more information on configuring CORS in AM, see [Configure CORS support](enable-cors-support.html).

  * You are using SAML HTTP-POST bindings.

    For example, IDP-initiated single logout (SLO) functionality will not operate correctly if *SameSite* support is enabled, as the `iPlanetDirectoryPro` cookie would not be accessible in cross-domain POST requests. For more information on SAML single logout, see [Implement SSO and SLO](../am-saml2/saml2-sso-slo.html).
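The following is an added example, not part of the PingAM documentation or product code. It models the decision a browser makes when it chooses whether to attach a cookie to a request, using the three values of `com.sun.identity.cookie.samesite` described above, and runs it over the situations this page warns about: an OAuth 2.0 redirect back to AM, a SAML HTTP-POST binding, and a cross-origin XHR with credentials. The `Cookie` and `Request` classes, the scenario names, and the treatment of a non-`Secure` cookie in `off` mode (withheld cross-site, per the note about modern browsers) are assumptions made for the example.

```python
"""Model of the browser-side SameSite decision described on this page.

Added example, not part of the PingAM documentation or product code. It encodes
the three values of the AM property com.sun.identity.cookie.samesite (strict,
lax, off) as the rule a browser applies when deciding whether to attach a cookie
to a request, and runs the scenarios the page warns about.
"""
from dataclasses import dataclass

# "Safe" HTTP methods, as listed on the page for the lax mode.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
VALID_MODES = {"strict", "lax", "off"}


@dataclass(frozen=True)
class Cookie:
    name: str
    samesite: str        # one of the AM property values: strict, lax, off
    secure: bool = True  # whether the cookie carries the Secure attribute


@dataclass(frozen=True)
class Request:
    method: str
    cross_site: bool   # True when the initiating site differs from the cookie's site
    top_level: bool    # True for a navigation (address bar changes), False for XHR/fetch/img


def cookie_is_sent(cookie: Cookie, request: Request) -> bool:
    """Return True if a browser would attach `cookie` to `request`."""
    mode = cookie.samesite.lower()
    if mode not in VALID_MODES:
        raise ValueError(f"unknown SameSite mode: {cookie.samesite!r}")

    # Same-site requests are never affected by the SameSite attribute.
    if not request.cross_site:
        return True

    if mode == "strict":
        # strict: no cookies on any cross-site request.
        return False

    if mode == "lax":
        # lax: cross-site cookies only on a top-level request using a safe method.
        return request.top_level and request.method.upper() in SAFE_METHODS

    # off: SameSite restrictions disabled (SameSite=None). Per the note on this
    # page, modern browsers only honour that for cookies marked Secure. This
    # model treats a non-Secure cookie as withheld cross-site; that is an
    # assumption made for the example (real browsers fall back to their own
    # default rules for such cookies).
    return cookie.secure


def scenario_results(mode: str, secure: bool = True) -> dict:
    """Run the three situations the page calls out for a session cookie in `mode`."""
    cookie = Cookie("iPlanetDirectoryPro", mode, secure)
    scenarios = {
        # Authorization server redirects the browser back to AM: top-level GET.
        "oauth2_redirect": Request("GET", cross_site=True, top_level=True),
        # SAML HTTP-POST binding (for example IdP-initiated SLO): top-level POST.
        "saml_http_post": Request("POST", cross_site=True, top_level=True),
        # Cross-origin XHR/fetch with credentials (the CORS case): not top-level.
        "cors_xhr_with_credentials": Request("GET", cross_site=True, top_level=False),
    }
    return {name: cookie_is_sent(cookie, req) for name, req in scenarios.items()}


if __name__ == "__main__":
    for mode in ("strict", "lax", "off"):
        print(mode, scenario_results(mode))
    print("off, non-Secure cookie", scenario_results("off", secure=False))
```

Running the script shows why the page gives each warning: under `strict` none of the three flows receives the cookie, under `lax` only the OAuth 2.0 redirect (a top-level GET) does, while the SAML POST binding and the credentialed CORS request do not, and only `off` with a `Secure` cookie allows all three.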

> **Note:** Modern browsers only allow disabling `SameSite` if the cookie is marked as `Secure`. If you need to handle cross-site requests with cookies, you should move to an HTTPS-only environment.
