Disable SameSite setting for session cookies

The php session cookie should not have the samesite lax or strict setting. As this would prevent the session cookie from being present when the remote azure mfa idp sends back a SAML response. See: https://www.pivotaltracker.com/story/show/171721565
OpenConext · Mar 10, 2020 · e5ba28c · e5ba28c
1 parent 58554e6
commit e5ba28c
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/config/packages/framework.yaml b/config/packages/framework.yaml
@@ -8,7 +8,9 @@ framework:
     session:
         handler_id: null
         cookie_secure: auto
-        cookie_samesite: lax
+        # SameSite is set to null, which equals none. As we must allow receiving a session cookie from the (trusted)
+        # remote Azure MFA IdP's
+        cookie_samesite: null
     assets: ~
     #esi: true
     fragments: true