From 21191508937fda61ffe332f676d63c5ea49f8733 Mon Sep 17 00:00:00 2001
From: Thijs Kinkhorst <thijs@kinkhorst.com>
Date: Fri, 14 Jan 2022 12:39:51 +0000
Subject: [PATCH] Improve SameSite docs a bit more

---
 config-templates/config.php   | 7 +++++++
 docs/simplesamlphp-nostate.md | 1 +
 2 files changed, 8 insertions(+)

diff --git a/config-templates/config.php b/config-templates/config.php
index 8c466caaa..f76724ef9 100644
--- a/config-templates/config.php
+++ b/config-templates/config.php
@@ -564,6 +564,13 @@ $config = [
      * the RFC6265bis SameSite cookie attribute. If set to null, no SameSite
      * attribute will be sent.
      *
+     * A value of "None" is required to properly support cross-domain POST
+     * requests which are used by different SAML bindings. Because some older
+     * browsers do not support this value, the canSetSameSiteNone function
+     * can be called to only set it for compatible browsers.
+     *
+     * You must also set the 'session.cookie.secure' value above to true.
+     *
      * Example:
      *  'session.cookie.samesite' => 'None',
      */
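Review bot: The new requirement on `session.cookie.secure` (the line added before the example) states the rule but not the consequence, which is the part an operator needs when debugging: current browsers reject a `SameSite=None` cookie that lacks the `Secure` flag, so the session cookie is silently never stored and the login loops back into the "no state" error this setting is meant to fix. I would extend the added sentence to `* You must also set the 'session.cookie.secure' value above to true: browsers drop a SameSite=None cookie that is not marked Secure, so without it the session is silently lost.` It is also worth a one-line caveat that `None` opts the session cookie out of the SameSite CSRF protection, so the POST-binding endpoints must rely on their own request validation rather than on the cookie attribute. The example on the last line shows only the static `'None'` form; if the template's dynamic `canSetSameSiteNone` variant mentioned just above is meant to be the recommended one, showing it here (or pointing to where it appears in this file) would keep the two in step. The enclosing `$config` array starts and ends outside this hunk.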
diff --git a/docs/simplesamlphp-nostate.md b/docs/simplesamlphp-nostate.md
index 05d22776b..4f113a198 100644
--- a/docs/simplesamlphp-nostate.md
+++ b/docs/simplesamlphp-nostate.md
@@ -112,6 +112,7 @@ assertion via the HTTP-POST binding.
 To resolve this, you can set the `session.cookie.samesite` attribute in `config.php`
 to `None`. Starting with SimpleSAMLphp 1.19, the config template contains a way to
 set this dynamically based on the user's browser support for this attribute.
+You also need to enable the `session.cookie.secure` setting.
 
 ### A generic problem saving sessions
 
-- 
GitLab