From 4dc40904d061b8e8601c3b052228c13192009142 Mon Sep 17 00:00:00 2001
From: Johannes Hartmann <20248188+jhartmann123@users.noreply.github.com>
Date: Wed, 5 Aug 2020 00:55:11 +0200
Subject: [PATCH] Allow setting SameSite mode of the SessionId cookie
---
docs/reference/options.rst | 3 +++
.../Options/AuthenticationOptions.cs | 5 +++++
.../src/Services/Default/DefaultUserSession.cs | 10 +++++++++-
3 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/docs/reference/options.rst b/docs/reference/options.rst
index 5c4ed7b66d..49215a1e89 100644
--- a/docs/reference/options.rst
+++ b/docs/reference/options.rst
@@ -56,6 +56,9 @@ Authentication
* ``CheckSessionCookieDomain``
The domain of the cookie used for the check session endpoint.
+* ``CheckSessionCookieSameSiteMode``
+ The SameSite mode of the cookie used for the check session endpoint.
+
* ``RequireCspFrameSrcForSignout``
If set, will require frame-src CSP headers being emitting on the end session callback endpoint which renders iframes to clients for front-channel signout notification. Defaults to true.
diff --git a/src/IdentityServer4/src/Configuration/DependencyInjection/Options/AuthenticationOptions.cs b/src/IdentityServer4/src/Configuration/DependencyInjection/Options/AuthenticationOptions.cs
index 7b68cca982..c77aff4ff9 100644
--- a/src/IdentityServer4/src/Configuration/DependencyInjection/Options/AuthenticationOptions.cs
+++ b/src/IdentityServer4/src/Configuration/DependencyInjection/Options/AuthenticationOptions.cs
@@ -51,6 +51,11 @@ public class AuthenticationOptions
///
public string CheckSessionCookieDomain { get; set; }
+ ///
+ /// Gets or sets the SameSite mode of the cookie used for the check session endpoint. Defaults to SameSiteMode.None.
+ ///
+ public SameSiteMode CheckSessionCookieSameSiteMode { get; set; } = SameSiteMode.None;
+
///
/// If set, will require frame-src CSP headers being emitting on the end session callback endpoint which renders iframes to clients for front-channel signout notification.
///
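Review bot: The XML doc on the new `CheckSessionCookieSameSiteMode` property (`public SameSiteMode CheckSessionCookieSameSiteMode { get; set; } = SameSiteMode.None;`) should warn operators that the value is not a free choice: this cookie is the one the check-session iframe reads, and that iframe is embedded by relying parties from other origins, so `Lax` or `Strict` will stop cross-site clients from observing session changes without any error surfacing server-side. Conversely, current browsers only accept `SameSite=None` when the cookie also carries `Secure`; the `Secure` flag is not visible in this patch and is presumably set elsewhere in `CreateSessionIdCookieOptions`, which is worth confirming so the default does not produce a cookie that browsers silently drop. Suggested doc: `/// Gets or sets the SameSite mode of the cookie used for the check session endpoint. Defaults to SameSiteMode.None, which cross-site clients need for the check session iframe to work; browsers only honour SameSite=None when the cookie is also marked Secure.`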
diff --git a/src/IdentityServer4/src/Services/Default/DefaultUserSession.cs b/src/IdentityServer4/src/Services/Default/DefaultUserSession.cs
index 27b5be0415..ffb395fd07 100644
--- a/src/IdentityServer4/src/Services/Default/DefaultUserSession.cs
+++ b/src/IdentityServer4/src/Services/Default/DefaultUserSession.cs
@@ -67,6 +67,14 @@ public class DefaultUserSession : IUserSession
///
protected string CheckSessionCookieDomain => Options.Authentication.CheckSessionCookieDomain;
+ ///
+ /// Gets the SameSite mode of the check session cookie.
+ ///
+ ///
+ /// The SameSite mode of the check session cookie.
+ ///
+ protected SameSiteMode CheckSessionCookieSameSiteMode => Options.Authentication.CheckSessionCookieSameSiteMode;
+
///
/// The principal
///
@@ -238,7 +246,7 @@ public virtual CookieOptions CreateSessionIdCookieOptions()
Path = path,
IsEssential = true,
Domain = CheckSessionCookieDomain,
- SameSite = SameSiteMode.None
+ SameSite = CheckSessionCookieSameSiteMode
};
return options;