
How are old cookies affected by the new Chrome SameSite changes?


I have many cookies that are used in a third-party context. I recently updated how we set cookies to be SameSite compliant. However, I still have many older cookies out there that were set prior to this change meaning they don't have a SameSite attribute explicitly set. When the SameSite changes all roll out, will I still be able to access those old cookies?

Thanks for your help!


Solution

Existing cookies without a SameSite attribute will have the default behaviour of SameSite=Lax applied to them, meaning they will be restricted to same-site or first-party contexts only. If you only need cookies on your site, e.g. sessions, local CSRF tokens, preferences, etc. then this is most likely fine - though it's good practice to explicitly set SameSite.

If you need those cookies in any kind of cross-site or third-party context, e.g. embedded in an iframe, an img, a fetch(), etc. from a different site then you definitely do need to add SameSite=None; Secure or those existing cookies will not be included on those cross-site requests.

More information is available on:
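The behaviour the answer describes, worked through in code. This is an added example, not part of the question or the answer: it models Chrome's rule that a cookie with no SameSite attribute is treated as Lax, that a Lax cookie is only attached cross-site on top-level navigations with a safe method, and that SameSite=None is only honoured together with Secure. The cookie headers and request contexts are constructed, and the `Cookie`, `Request`, `is_sent` and `make_cross_site_ready` names are this example's own, not a browser or library API.

```python
"""Simulate how Chrome's SameSite defaults treat cookies that were set
with and without an explicit SameSite attribute.  Added example; the
Set-Cookie headers and request contexts below are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cookie:
    name: str
    value: str
    samesite: Optional[str]   # "Strict", "Lax", "None", or None when absent
    secure: bool = False
    path: str = "/"


@dataclass
class Request:
    same_site: bool              # requesting site == site that set the cookie
    top_level_navigation: bool   # main-frame navigation vs. subresource/iframe/fetch
    method: str = "GET"
    https: bool = True


SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def effective_samesite(cookie: Cookie) -> str:
    """Chrome's default: no SameSite attribute behaves as SameSite=Lax."""
    return cookie.samesite or "Lax"


def would_be_rejected(cookie: Cookie) -> bool:
    """Chrome refuses to store SameSite=None cookies that lack Secure."""
    return cookie.samesite == "None" and not cookie.secure


def is_sent(cookie: Cookie, req: Request) -> bool:
    """Decide whether the browser attaches `cookie` to `req`."""
    if would_be_rejected(cookie):
        return False                      # never stored in the first place
    if cookie.secure and not req.https:
        return False                      # Secure cookies stay off plain HTTP
    if req.same_site:
        return True                       # first-party: every mode allows it
    mode = effective_samesite(cookie)
    if mode == "None":
        return True                       # explicitly opted into cross-site use
    if mode == "Lax":
        # Lax: cross-site only on top-level navigations using a safe method
        return req.top_level_navigation and req.method.upper() in SAFE_METHODS
    return False                          # Strict: never cross-site


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value into a Cookie record."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    samesite, secure, path = None, False, "/"
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite = val.strip().capitalize()   # "none" -> "None"
        elif key == "secure":
            secure = True
        elif key == "path":
            path = val.strip() or "/"
    return Cookie(name.strip(), value.strip(), samesite, secure, path)


def make_cross_site_ready(header: str) -> str:
    """Rewrite a Set-Cookie header so the cookie survives in third-party
    contexts: keep the other attributes, then force SameSite=None; Secure."""
    parts = [p.strip() for p in header.split(";")]
    kept = [p for p in parts[1:]
            if p.partition("=")[0].strip().lower() not in ("samesite", "secure")]
    return "; ".join([parts[0]] + kept + ["SameSite=None", "Secure"])


def demo() -> dict:
    """Walk an 'old' cookie through the contexts the answer mentions."""
    old = parse_set_cookie("tracker=abc; Path=/")       # set before the change
    in_iframe = Request(same_site=False, top_level_navigation=False)
    top_nav = Request(same_site=False, top_level_navigation=True)
    fixed = parse_set_cookie(make_cross_site_ready("tracker=abc; Path=/"))
    return {
        "old_first_party": is_sent(old, Request(True, False)),   # True
        "old_in_iframe": is_sent(old, in_iframe),                 # False
        "old_top_level_get": is_sent(old, top_nav),               # True
        "fixed_in_iframe": is_sent(fixed, in_iframe),             # True
        "none_without_secure": is_sent(
            parse_set_cookie("x=1; SameSite=None"), in_iframe),  # False
    }


if __name__ == "__main__":
    for label, sent in demo().items():
        print(f"{label}: {'sent' if sent else 'NOT sent'}")
```

Run it and the `old_in_iframe` line shows the problem the question asks about: a cookie without the attribute is still readable on your own site and on a top-level link click into your site, but silently disappears from iframes, images and fetch() calls made from another site until it has been re-set with `SameSite=None; Secure`. The model deliberately ignores Chrome's temporary "Lax + POST" allowance for cookies under two minutes old, so treat it as the steady-state rule rather than a byte-exact emulation.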