diff --git a/config-templates/config.php b/config-templates/config.php
index 389485e921e78710a8c65015fd5aa7546b5f174c..1571fc50e4c5e7c5a5f0f23f3934e9b2fb185686 100644
--- a/config-templates/config.php
+++ b/config-templates/config.php
@@ -566,7 +566,7 @@ $config = [
 * through https. If the user can access the service through
 * both http and https, this must be set to FALSE.
 */
- 'session.cookie.secure' => false,
+ 'session.cookie.secure' => true,
 
 /*
 * Set the SameSite attribute in the cookie.
@@ -803,7 +803,7 @@ $config = [
 'language.cookie.name' => 'language',
 'language.cookie.domain' => null,
 'language.cookie.path' => '/',
- 'language.cookie.secure' => false,
+ 'language.cookie.secure' => true,
 'language.cookie.httponly' => false,
 'language.cookie.lifetime' => (60 * 60 * 24 * 900),
 'language.cookie.samesite' => \SimpleSAML\Utils\HTTP::canSetSameSiteNone() ? 'None' : null,
diff --git a/docs/simplesamlphp-upgrade-notes-1.19.md b/docs/simplesamlphp-upgrade-notes-1.19.md
index 58bf2354ead954b08a23f6d3e3b22d122ea72db4..b2cecfb796a55f6f9973d1615b97fe4069398250 100644
--- a/docs/simplesamlphp-upgrade-notes-1.19.md
+++ b/docs/simplesamlphp-upgrade-notes-1.19.md
@@ -5,3 +5,9 @@ The minimum PHP version required is now PHP 7.1.
 
 SAML 1 / Shib 1.3 support is now deprecated and will start logging notices when used.
 It will be removed in SimpleSAMLphp 2.0.
+
+SimpleSAMLphp 1.19 will automatically try to determine whether to set the sameSite-flag on cookies.
+Some browser require to set the Secure-flag as well for sameSite to work. Therefore, the default for
+the `session.cookie.secure` setting has been changed to TRUE. This will be the right setting for most
+setups anyway, however if you really need to use insecure cookies, you have to manually set it to false and
+figure out a value for `session.cookie.samesite` that works for your environment.
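Review bot: The comment above `'session.cookie.secure' => true,` still tells operators when to set FALSE but says nothing about why the default is now TRUE, so the coupling with `session.cookie.samesite` is only discoverable from the upgrade notes. Suggest adding a line to that comment such as ` * Defaults to TRUE since 1.19 because some browsers only honour a SameSite=None cookie when it also carries the Secure flag.` It would also help to state there that a deployment reachable over plain http will no longer receive the session cookie at all unless this is set to FALSE, since browsers do not send Secure cookies over http. The comment block begins above the hunk.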
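Review bot: `'language.cookie.secure' => true,` flips a second default, but the upgrade notes added in this commit only mention `session.cookie.secure`; an operator who follows the notes and reverts that one for an http-only setup will still silently lose the language cookie. Suggest extending the upgrade note to list `language.cookie.secure` as well, or adding a comment above this line pointing at the same reasoning, e.g. `// TRUE by default since 1.19; presumably needed for the SameSite=None value set in language.cookie.samesite below`. The `$config` array holding these entries begins and ends outside the hunk.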