Symfony version(s) affected: 4.2-BETA1
Description
Newly created sessions correctly get a `samesite` attribute in the cookie when it is configured in the framework. But once a session is migrated, `session_regenerate_id()` is called, and the custom hook that adds `samesite` to the cookie in `\Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage::start` is not called again, so the new session cookie doesn't have the `samesite` attribute anymore :(
How to reproduce
In a new Symfony 4.2 project set `framework.session.cookie_samesite` to `lax`, and authenticate with the usual suspects (security bundle + form authentication).
Possible Solution
Instead of adding the `samesite` attribute to the cookie in `\Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage`, we could add a listener for `kernel.response` that would check if there are any session cookies without the `samesite` attribute and add it when needed.
This does mean we would need to pass the `framework.session.cookie_samesite` value to that listener somehow, which might not be trivial.
Of course this listener should return early when running on PHP 7.3.
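As an added illustration of the listener sketched above (example code, not Symfony's own fix): on PHP < 7.3 it inspects the raw headers emitted by `session_start()` / `session_regenerate_id()` and re-emits the session cookie with a `SameSite` attribute if it is missing. It assumes the `cookie_samesite` value is injected as the `$sameSite` constructor argument, and uses the hypothetical class name `SessionCookieSameSiteListener`.

```php
<?php
// Added example, not Symfony code: kernel.response listener that emulates
// the SameSite attribute on the PHP session cookie when PHP < 7.3.
namespace App\EventListener;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

final class SessionCookieSameSiteListener implements EventSubscriberInterface
{
    private $sameSite;

    public function __construct(?string $sameSite)
    {
        $this->sameSite = $sameSite; // 'lax', 'strict' or null (feature disabled)
    }

    public static function getSubscribedEvents(): array
    {
        // Run after the session has been saved (SaveSessionListener uses -1000).
        return [KernelEvents::RESPONSE => ['onKernelResponse', -1024]];
    }

    public function onKernelResponse(FilterResponseEvent $event): void
    {
        // PHP 7.3 handles session.cookie_samesite natively: nothing to emulate.
        if (\PHP_VERSION_ID >= 70300 || null === $this->sameSite || !$event->isMasterRequest()) {
            return;
        }

        // session_start()/session_regenerate_id() emit the cookie through header(),
        // so it is not in the Symfony Response; inspect the raw header list instead.
        $prefix = 'Set-Cookie: '.session_name().'=';
        $cookies = array_filter(headers_list(), function (string $h): bool {
            return 0 === stripos($h, 'Set-Cookie:');
        });

        // header_remove() drops every Set-Cookie, so re-emit all of them, adding
        // SameSite only to session cookies that do not already carry it.
        header_remove('Set-Cookie');
        foreach ($cookies as $h) {
            if (0 === strpos($h, $prefix) && false === stripos($h, 'samesite=')) {
                $h .= '; SameSite='.$this->sameSite;
            }
            header($h, false);
        }
    }
}
```

Cookies set through the Symfony `Response` are sent later by `Response::send()` and are therefore not touched here; only the cookie PHP itself emitted is rewritten.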
Additional context
None