From 6000af5152e54156fae6ed25851e255d1f5ff0f3 Mon Sep 17 00:00:00 2001
From: Michiel Kodde
Date: Tue, 10 Mar 2020 13:18:20 +0100
Subject: [PATCH] Disable SameSite setting for session cookies

The php session cookie should not have the samesite lax or strict setting. As this would prevent the session cookie from being present when the remote azure mfa idp sends back a SAML response. So it is set to the for now advisable 'none' setting. Combined with the secure setting, this will be accepted by modern browsers.

See: https://www.pivotaltracker.com/story/show/171721565
https://github.com/symfony/symfony/pull/31475
---
 config/packages/framework.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/config/packages/framework.yaml b/config/packages/framework.yaml
index b64ac3d6..f8fea6e7 100644
--- a/config/packages/framework.yaml
+++ b/config/packages/framework.yaml
@@ -8,7 +8,9 @@ framework:
     session:
         handler_id: null
         cookie_secure: auto
-        cookie_samesite: lax
+        # SameSite is set to none. As we must allow receiving a session cookie from the (trusted)
+        # remote Azure MFA IdP's
+        cookie_samesite: 'none'
     assets: ~
     #esi: true
     fragments: true
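Review bot: `cookie_samesite: 'none'` is only honoured by current browsers when the cookie also carries Secure, but the unchanged `cookie_secure: auto` on the line above adds Secure only when Symfony considers the current request HTTPS; behind a TLS-terminating proxy where trusted proxies / `X-Forwarded-Proto` are not configured, the request looks like plain HTTP, the cookie is emitted without Secure and Chromium-based browsers drop it — the very failure this commit is meant to avoid. Since the Azure MFA round-trip has to run over HTTPS anyway, pinning `cookie_secure: true` alongside the new value is the safer pairing. Moving from Lax to None also gives up the CSRF mitigation Lax provided, so the new comment should state where that protection now lives rather than only why the value was relaxed, e.g. `# SameSite=None so the session survives the cross-site POST of the SAML response from the (trusted) Azure MFA IdPs; this requires Secure and drops the CSRF mitigation Lax gave, so CSRF tokens and SAML response validation must cover it.` ("IdP's" in the added comment should read "IdPs"; the enclosing `framework:` mapping continues outside the hunk.)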