From e837a77124c6a5d23b19050a6594ce9bd433d261 Mon Sep 17 00:00:00 2001
From: Nathan van der Werf
Date: Wed, 15 Aug 2018 00:00:02 +0200
Subject: [PATCH 1/2] Add Same-Site Cookie configuration option

---
 config/session.php | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/config/session.php b/config/session.php
index 3ee92a9819..a9eba5867e 100644
--- a/config/session.php
+++ b/config/session.php
@@ -150,4 +150,19 @@
 'secure' => false,
+ /*
+ |--------------------------------------------------------------------------
+ | Same-Site Cookies
+ |--------------------------------------------------------------------------
+ |
+ | This option determines how your cookies behave when cross-site requests
+ | take place, and can be used to mitigate CSRF attacks. By default, we
+ | do not enable this as other CSRF protection services are in place.
+ |
+ | Supported: "lax", "strict"
+ |
+ */
+ 'same_site' => null,
 ];

From 8775b8bffaccb237e18fcf4bfa92b17ea4cc458b Mon Sep 17 00:00:00 2001
From: Nathan van der Werf
Date: Thu, 16 Aug 2018 08:32:25 +0200
Subject: [PATCH 2/2] Add more information about lax / strict mode to phpdoc

---
 config/session.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/config/session.php b/config/session.php
index a9eba5867e..ef0589eec2 100644
--- a/config/session.php
+++ b/config/session.php
@@ -159,6 +159,10 @@
 | take place, and can be used to mitigate CSRF attacks. By default, we
 | do not enable this as other CSRF protection services are in place.
 |
+ | In the strict mode, the cookie is not sent with any cross-site usage
+ | even if the user follows a link to another website. Lax cookies are
+ | only sent with a top-level get request.
+ |
 | Supported: "lax", "strict"
 |
 */
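Review bot: The `null` default on the new `'same_site'` entry, read together with the comment "we do not enable this as other CSRF protection services are in place", presents SameSite as a substitute for the token-based CSRF check rather than an independent, browser-enforced layer that still holds when a token check is misconfigured or bypassed. A first-party session cookie can default to `'same_site' => 'lax',` without breaking ordinary use, since lax cookies still accompany top-level navigations, and the comment could say so: `| do not enable this as other CSRF protection services are in place.` → `| ship "lax", which complements the token-based CSRF protection.` Nothing in the hunk constrains the value to the two strings listed under "Supported", so a misspelled or unsupported value is handed unchanged to whatever emits the cookie, and whether that layer rejects it or silently drops the attribute is outside this diff. The `'same_site'` key is consumed by code that is not part of this file.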
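Review bot: The new lax-mode sentence in the second patch, `| only sent with a top-level get request.`, understates the rule: a lax cookie is attached to top-level navigations that use a safe method (GET or HEAD) and is withheld from cross-site POST form submissions, subresource loads, frames and script-initiated requests, which is precisely what makes it useful against CSRF. Suggest replacing the last two added sentences with `| Lax cookies are only attached to top-level navigations that use a` / `| safe method such as GET, never to cross-site POSTs, frames or XHR.` The strict-mode sentence is accurate, and its practical consequence — the first request after following an external link arrives without the session cookie, so the user appears logged out — is the trade-off worth naming beside it so readers can choose between the two modes.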