Description
| Q | A |
|---|---|
| Bug report? | yes |
| Feature request? | no |
| BC Break report? | no |
| RFC? | no |
| Symfony version | 3.4.1 |
In #19104 support was added for the SameSite attribute in cookies. However, a pretty big oversight is that this parameter is never passed to PHP's setcookie() in http-foundation/Response.php. You can't even if you'd want to, because PHP will only support SameSite in 7.3; see https://wiki.php.net/rfc/same-site-cookie
I'm not sure why SameSite was already added to Symfony if PHP doesn't support it yet, but this is quite misleading. I spent several hours debugging my Laravel app trying to figure out why SameSite wasn't sent, and eventually I found out that Symfony never passes it to PHP, because PHP doesn't accept the option yet.
Until PHP 7.3 is released and assuming the RFC I linked to is implemented, I suggest removing the SameSite property from Symfony since right now it doesn't do anything and is plainly misleading.
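
When a cookie attribute is configured in application code but may be dropped before it reaches the response, the check that settles it is on the emitted `Set-Cookie` headers themselves. The following is an added example, not part of the original issue or of Symfony's code; the function names and the sample header lines are constructed for illustration.

```python
# Added example: audit raw Set-Cookie header values for the SameSite attribute.
# Function names are hypothetical; the header lines are constructed sample data.

VALID_SAMESITE = {"strict", "lax", "none"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header_value.split(";")]
    # Only the first "=" separates name from value; the value may contain "=".
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive (RFC 6265), so normalise them.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_samesite(header_values):
    """Return {cookie_name: finding} for cookies without a usable SameSite."""
    findings = {}
    for raw in header_values:
        name, _, attrs = parse_set_cookie(raw)
        samesite = attrs.get("samesite")
        if samesite is None:
            findings[name] = "missing SameSite"
        elif samesite.lower() not in VALID_SAMESITE:
            findings[name] = "invalid SameSite value: " + samesite
    return findings


# Constructed sample: Set-Cookie values as they might appear in a response.
SAMPLE_HEADERS = [
    "session=abc123; expires=Wed, 13 Dec 2017 10:00:00 GMT; path=/; secure; HttpOnly",
    "csrf=tok; Path=/; Secure; SameSite=Strict",
    "pref=dark; path=/; samesite=lax",
    "legacy=1; path=/; SameSite=yes",
]

if __name__ == "__main__":
    for cookie, finding in audit_samesite(SAMPLE_HEADERS).items():
        print(cookie + ": " + finding)
```

Feed it the `Set-Cookie` values captured from a real response (for example from a functional test client) to confirm the attribute is actually sent, rather than trusting the value stored on the cookie object.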