Improve SameSite docs a bit more

(cherry picked from commit 21191508)

Improve SameSite docs a bit more
adb645b8 · Thijs Kinkhorst · e3057328 · adb645b8 · adb645b8
Commit adb645b8 authored 3 years ago by Thijs Kinkhorst
--- a/config-templates/config.php
+++ b/config-templates/config.php
@@ -575,6 +575,13 @@ $config = [
     * the RFC6265bis SameSite cookie attribute. If set to null, no SameSite
     * attribute will be sent.
     *
+     * A value of "None" is required to properly support cross-domain POST
+     * requests which are used by different SAML bindings. Because some older
+     * browsers do not support this value, the canSetSameSiteNone function
+     * can be called to only set it for compatible browsers.
+     *
+     * You must also set the 'session.cookie.secure' value above to true.
+     *
     * Example:
     *  'session.cookie.samesite' => 'None',
     */

--- a/docs/simplesamlphp-nostate.md
+++ b/docs/simplesamlphp-nostate.md
@@ -112,6 +112,7 @@ assertion via the HTTP-POST binding.
 To resolve this, you can set the `session.cookie.samesite` attribute in `config.php`
 to `None`. Starting with SimpleSAMLphp 1.19, the config template contains a way to
 set this dynamically based on the user's browser support for this attribute.
+You also need to enable the `session.cookie.secure` setting.

 ### A generic problem saving sessions