From b8997751851a176bc08f9161985c26802ebffca4 Mon Sep 17 00:00:00 2001
From: John Luo
Date: Tue, 30 May 2017 20:52:15 -0700
Subject: [PATCH] Add configurable SameSite cookie option
---
 src/Microsoft.AspNetCore.Session/SessionMiddleware.cs | 1 +
 src/Microsoft.AspNetCore.Session/SessionOptions.cs | 6 ++++++
 2 files changed, 7 insertions(+)
diff --git a/src/Microsoft.AspNetCore.Session/SessionMiddleware.cs b/src/Microsoft.AspNetCore.Session/SessionMiddleware.cs
index a9160e4..8dda333 100644
--- a/src/Microsoft.AspNetCore.Session/SessionMiddleware.cs
+++ b/src/Microsoft.AspNetCore.Session/SessionMiddleware.cs
@@ -153,6 +153,7 @@ private void SetCookie()
 var cookieOptions = new CookieOptions
 {
 Domain = _options.CookieDomain,
+ SameSite = _options.SameSiteMode,
 HttpOnly = _options.CookieHttpOnly,
 Path = _options.CookiePath ?? SessionDefaults.CookiePath,
 };
diff --git a/src/Microsoft.AspNetCore.Session/SessionOptions.cs b/src/Microsoft.AspNetCore.Session/SessionOptions.cs
index a025b60..b4f0a7a 100644
--- a/src/Microsoft.AspNetCore.Session/SessionOptions.cs
+++ b/src/Microsoft.AspNetCore.Session/SessionOptions.cs
@@ -36,6 +36,12 @@ public class SessionOptions
 ///
 public bool CookieHttpOnly { get; set; } = true;
 
+ ///
+ /// Determines if the browser should allow the cookie to be attached to same-site or cross-site requests. The
+ /// default is Lax, which means the cookie is allowed to be attached to same-site and safe cross-site requests.
+ ///
+ public SameSiteMode SameSiteMode { get; set; } = SameSiteMode.Lax;
+
 ///
 /// Determines if the cookie should only be transmitted on HTTPS requests.
 ///
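Review bot: The `SameSite = _options.SameSiteMode` line makes `SetCookie` emit the attribute on every session cookie, and because the option defaults to Lax, an application that today relies on a cross-site POST carrying its session cookie (a form posted back from another origin, presumably) will start seeing an empty, freshly created session on those requests. That is the right hardening default, but it is a behavioural change that neither the title nor the diffstat calls out, and the option's doc comment in SessionOptions.cs does not mention it either. A sentence such as `/// With the default of Lax, cross-site POST requests do not carry the session cookie and will therefore start a new session.` on the new property would let operators decide deliberately whether to keep the default. The rest of `SetCookie` (including where `Secure` and expiry are set) lies outside this hunk, so whether anything else there needs to follow the new option cannot be checked from here.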
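Review bot: The new property is named `SameSiteMode`, which breaks the `Cookie*` prefix every sibling option uses (`CookieHttpOnly` just above it, `CookieDomain` and `CookiePath` read in SessionMiddleware.cs) and also collides with the name of its own type; if the name has not shipped yet, `public SameSiteMode CookieSameSite { get; set; } = SameSiteMode.Lax;` with the middleware reading `_options.CookieSameSite` would be consistent with the rest of the class. The doc comment's "safe cross-site requests" reads as a security judgement, whereas Lax is about the HTTP method; suggested wording: `/// default is Lax, which means the cookie is sent on same-site requests and on top-level cross-site navigations that use a safe HTTP method (GET, HEAD); cross-site POSTs do not carry it.` It would also be worth stating that the attribute is advisory and browsers that do not implement SameSite ignore it, so it complements rather than replaces anti-forgery protection.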