Full SameSite cookie support

readme.md

@@ -42,7 +42,8 @@ $app->add(
 - `lifetime`: How much should the session last? Default `20 minutes`. Any
   argument that `strtotime` can parse is valid.
 - `path`, `domain`, `secure`, `httponly`, `samesite`: Options for the session
-  cookie. Please note that `samesite` is disabled by default.
+  cookie. Please note that `samesite` is `'Lax'` by default, set to `''` to
+  disable.
 - `name`: Name for the session cookie. Defaults to `slim_session` (instead of
   PHP's `PHPSESSID`).
 - **`autorefresh`**: `true` if you want session to be refresh when user activity

src/Slim/Middleware/Session.php

@@ -43,7 +43,7 @@ public function __construct($settings = [])
             'domain' => '',
             'secure' => false,
             'httponly' => false,
-            'samesite' => '',
+            'samesite' => 'Lax',
             'name' => 'slim_session',
             'autorefresh' => false,
             'handler' => null,