From 306b828168b3c4ebac260fa869c799c4f0a8e928 Mon Sep 17 00:00:00 2001
From: Thijs Kinkhorst <thijs@kinkhorst.com>
Date: Tue, 15 Dec 2020 19:54:46 +0000
Subject: [PATCH] Document SameSite issues under session lost.

Closes: #1411
---
 docs/simplesamlphp-nostate.md | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/docs/simplesamlphp-nostate.md b/docs/simplesamlphp-nostate.md
index 208d9d577..a3991b69e 100644
--- a/docs/simplesamlphp-nostate.md
+++ b/docs/simplesamlphp-nostate.md
@@ -101,6 +101,17 @@ What those settings should be set to depends on the application. The simplest
 way to determine it may be to look for calls to `session_set_cookie_params` in
 the application, and look at what parameters it uses.
 
+#### Browsers with SameSite=Lax as default
+
+Some browsers, notably Chrome, will default the cookie SameSite attribute to "Lax" if it
+is not set. Specifically in the context of SAML this means that cookies will not be sent
+when a POST request is performed between websites, which is typical for the SAML WebSSO
+flow. The lack of cookies will cause SimpleSAMLphp's session to be lost when receiving an
+assertion via the HTTP-POST binding.
+
+To resolve this, you can set the `session.cookie.samesite` attribute in `config.php`
+to `None`.
+
 #### A generic problem saving sessions
 
 Sometimes the problem is caused by SimpleSAMLphp being unable to load and/or save
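Review bot: The "To resolve this" paragraph recommends setting `session.cookie.samesite` to `None` but does not mention that browsers applying the Lax default only accept a `SameSite=None` cookie when it also carries the `Secure` attribute. A reader who follows this on a deployment without `session.cookie.secure` enabled, or one not served over HTTPS, will have the cookie rejected and still see the lost-state error. Suggest adding a sentence stating that `session.cookie.secure` must be `true` and the site must be served over HTTPS. It would also help to note that `None` makes the session cookie available on all cross-site requests, so the setting gives up the cross-site request protection that `Lax` provides and should be chosen because the HTTP-POST binding needs it.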
-- 
GitLab