Cookies and Iframes

Marcos Abel
Published in
4 min readJul 13, 2020

Photo by Clem Onojeghuo on Unsplash

It’s been a while since the last time you had the pleasure of having your application consumed from an Iframe. But some legacy application “needs” to do exactly that. You test the “integration” and it doesn’t work. The cookies for the requests made by the Iframe don’t make its way to the server.

Sounds Familiar? It happened to me some time ago and it took some digging around to understand and diagnose the problem. This kind of scenario used to work without problems but now, with modern browsers, you need to do a couple of things to make your iframed stuff work properly.


When I bump into this kind of problem I usually appreciate finding a post that offers a solution as fast as possible so here it goes:

Set-Cookie: session=your_session; SameSite=None; Secure 

You need to set your cookie with the attributeSameSite=None and also including the attribute Secure.

In Spring Boot

Understanding the problem

Now, with the problem already solved, we can use a couple of minutes to understand what we have just done.

First-party and Third-party cookies

Cookies that match the domain of the current site are referred to as first-party cookies. Cookies from domains other than the current site are referred to as third-party cookies.

For a long time, both kinds of cookies were treated equally: every time you request an URL all the cookies for that URL were sent with the request. There are a variety of problems associated with this behavior:

  • Allows Cross-site request forgery (CSRF) attacks.
  • Adds overhead to the request, sending potentially unneeded stuff.
  • Can be used to track user activity across multiple sites.

State cookie usage with the SameSite attribute

Marcos Abel
Editor for

Co founder@ Trabe Soluciones

Recommended from Medium


See more recommendations