This configures the samesite cookie attribute of cookies set by DokuWiki.

• Type: String
• Default: Lax

Quoting MDN:

With Strict, the browser only sends the cookie with requests from the cookie's origin site. Lax is similar, except the browser also sends the cookie when the user navigates to the cookie's origin site (even if the user is coming from a different site). For example, by following a link from an external site. None specifies that cookies are sent on both originating and cross-site requests, but only in secure contexts (i.e., if SameSite=None then the Secure attribute must also be set). If no SameSite attribute is set, the cookie is treated as Lax.

Please note that leaving the attribute empty might differ slightly from Lax depending on Browser implementation details.

Quoting Michitux on the pull request implementing this feature:

Chrome's SameSite=Lax by default behavior sends cookies that are less than two minutes old in top-level cross-origin POST requests. According to SameSite Updates, this should be temporary but I couldn't find any information about this actually being phased out.

• Configuring DokuWiki
• Configuration Setting: securecookie