diff --git a/src/Microsoft.AspNetCore.Session/SessionMiddleware.cs b/src/Microsoft.AspNetCore.Session/SessionMiddleware.cs
index a9160e4..8dda333 100644
--- a/src/Microsoft.AspNetCore.Session/SessionMiddleware.cs
+++ b/src/Microsoft.AspNetCore.Session/SessionMiddleware.cs
@@ -153,6 +153,7 @@ private void SetCookie()
var cookieOptions = new CookieOptions
{
Domain = _options.CookieDomain,
+ SameSite = _options.SameSiteMode,
HttpOnly = _options.CookieHttpOnly,
Path = _options.CookiePath ?? SessionDefaults.CookiePath,
};
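Review bot: The added `SameSite = _options.SameSiteMode` assignment is unconditional, and because the option defaults to Lax (see the SessionOptions.cs hunk) every existing application will start emitting a SameSite attribute on its session cookie after upgrading. Under Lax the browser withholds the cookie on cross-site POSTs and on cross-site framed or subresource requests, so a flow such as an external sign-in provider posting back to the app would arrive without its session. I would add a comment on this line, e.g. `// Lax by default: the session cookie is not sent on cross-site POST or framed requests; configure SessionOptions.SameSiteMode to change this.`, and call the new default out in the release notes. SetCookie starts before and continues after this hunk, so whether Secure is set alongside SameSite is not visible here.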
diff --git a/src/Microsoft.AspNetCore.Session/SessionOptions.cs b/src/Microsoft.AspNetCore.Session/SessionOptions.cs
index a025b60..b4f0a7a 100644
--- a/src/Microsoft.AspNetCore.Session/SessionOptions.cs
+++ b/src/Microsoft.AspNetCore.Session/SessionOptions.cs
@@ -36,6 +36,12 @@ public class SessionOptions
///
public bool CookieHttpOnly { get; set; } = true;
+ ///
+ /// Determines if the browser should allow the cookie to be attached to same-site or cross-site requests. The
+ /// default is Lax, which means the cookie is allowed to be attached to same-site and safe cross-site requests.
+ ///
+ public SameSiteMode SameSiteMode { get; set; } = SameSiteMode.Lax;
+
///
/// Determines if the cookie should only be transmitted on HTTPS requests.
///
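Review bot: The doc comment on the new `SameSiteMode` property leaves "safe cross-site requests" undefined and does not say what the setting fails to cover. I would extend the summary to state that Lax allows the cookie only on top-level cross-site navigations using safe HTTP methods such as GET, and add a line such as `/// Browsers without SameSite support ignore this attribute; keep antiforgery validation for state-changing requests.` As a style point, the sibling options are prefixed with `Cookie` (`CookieHttpOnly` here, `CookieDomain` and `CookiePath` in the middleware hunk), so `CookieSameSite` would be more consistent than `SameSiteMode`. The SessionOptions class body continues outside this hunk.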