Secure Cookies & Sessions (with Strict, Lax, None samesite)

This plugin applies secure flags to all cookies, including the PHPSESSID session cookie, so that cookies are secure under HTTPS. This is a common requirement of PCI DSS scanners.

It makes sure your cookies do not leak into HTTP and vice versa.

This is now a requirement for PCI compliance, and Chrome 80 will also require "samesite=none, secure" on all cookies.

Strict, Lax or None - SameSite Setting
The OCMOD version of this mod is split into 3 different packages: Strict, None and Lax.
Browsers recently changed the default cookie behaviour from None to Lax, which presents some serious issues in specific cases. If you're unsure which version to use, please use the None version.

If you use any third-party redirect, such as a payment gateway which POSTs back to your site, you will need to use the SameSite None package.

Lax: Cookies are allowed to be sent with top-level navigations and will be sent along with GET requests initiated by third-party websites. This is the default value in modern browsers.

Strict: Cookies will only be sent in a first-party context and will not be sent along with requests initiated by third-party websites.

None: Cookies will be sent in all contexts, i.e. sending cross-origin is allowed.

None used to be the default value, but recent browser versions made Lax the default value to provide a reasonably robust defense against some classes of cross-site request forgery (CSRF) attacks.
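
The three settings described above, modelled as an added example (not part of the extension's code) that shows why a payment gateway POST-back loses the session under Lax or Strict. The request contexts and function names are constructed for illustration, and the model is a simplification of browser behaviour.

```javascript
// Added example: simplified model of when a modern browser attaches a cookie.
// Assumption: ignores Chrome's temporary allowance for freshly set cookies
// that have no SameSite attribute at all.
const SAFE_METHODS = new Set(["GET", "HEAD"]);

function willSendCookie(cookie, request) {
  // A Secure cookie is never sent over plain HTTP.
  if (cookie.secure && request.scheme !== "https") return false;

  // Missing or unrecognised values fall back to the browser default, Lax.
  let mode = String(cookie.sameSite || "").toLowerCase();
  if (!["strict", "lax", "none"].includes(mode)) mode = "lax";

  // Browsers reject SameSite=None unless the cookie is also Secure.
  if (mode === "none" && !cookie.secure) return false;

  // First-party requests carry the cookie under every setting.
  if (!request.crossSite) return true;

  if (mode === "none") return true;
  if (mode === "strict") return false;
  // Lax: cross-site only for top-level navigations with a safe method.
  return request.topLevelNavigation && SAFE_METHODS.has(request.method);
}

// Constructed request contexts (hypothetical shop and gateway).
const REQUESTS = {
  gatewayPostBack: { scheme: "https", crossSite: true, topLevelNavigation: true, method: "POST" },
  linkFromOtherSite: { scheme: "https", crossSite: true, topLevelNavigation: true, method: "GET" },
  crossSiteImage: { scheme: "https", crossSite: true, topLevelNavigation: false, method: "GET" },
  ownPageOverHttp: { scheme: "http", crossSite: false, topLevelNavigation: true, method: "GET" },
};

// Returns, per request context, whether a Secure PHPSESSID cookie is sent.
function sessionCookieMatrix(sameSite) {
  const cookie = { name: "PHPSESSID", secure: true, sameSite };
  const out = {};
  for (const [name, req] of Object.entries(REQUESTS)) {
    out[name] = willSendCookie(cookie, req);
  }
  return out;
}

for (const mode of ["Strict", "Lax", "None"]) {
  console.log(mode, sessionCookieMatrix(mode));
}
```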

VQMOD (OC 2.x) - Just drop the xml into your vqmod/xml folder
OCMOD (OC 2.x - 3.x) - install it via the OCMOD interface and that's it!

What customers say about Secure Cookies & Sessions (with Strict, Lax, None samesite)

Great extension and a MUST for all OC websites.


  • Developed by OpenCart Community
  • 1 Month Free Support
  • Documentation Included



Last Update
23 Feb 2021

19 Aug 2020
23 Sales
Member since: 7 Mar 2015
