Chrome prohibits the refresh_token cookie from being set from cross-origin requests because it is missing the samesite attribute.
Things to consider:
This syntax requires a minimum PHP version of 7.3. Do we need a version check or workaround here to support a lower version?
The default for samesite would be Lax; maybe this could even be set to Strict, as the refresh_token is probably only used on subsequent requests in a first-party context when not cross-origin.
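One way to handle the version question raised above, as an added example that is not code from this pull request or the project: use the options-array form of `setcookie()` on PHP 7.3+ and emit the `Set-Cookie` header by hand on older versions. The function names, the `/` path and the 14-day lifetime are assumptions chosen for illustration.

```php
<?php
// Added example; helper names, path and lifetime are hypothetical.
// Scalar type hints are omitted on purpose so the file also parses on PHP 5.x.

// Build a Set-Cookie header value by hand for PHP < 7.3, where setcookie()
// has no parameter for SameSite.
function buildSetCookieHeader($name, $value, $expires, $sameSite)
{
    $parts = array(
        $name . '=' . rawurlencode($value),
        'Expires=' . gmdate('D, d M Y H:i:s', $expires) . ' GMT',
        'Max-Age=' . max(0, $expires - time()),
        'Path=/',
        'Secure',
        'HttpOnly',
        'SameSite=' . $sameSite,
    );
    return implode('; ', $parts);
}

function setRefreshTokenCookie($token, $lifetime = 1209600, $sameSite = 'Lax')
{
    // Accept only the three defined SameSite values, so nothing else can
    // end up in the raw header built for older PHP versions.
    if (!in_array($sameSite, array('Lax', 'Strict', 'None'), true)) {
        throw new InvalidArgumentException('Invalid SameSite value: ' . $sameSite);
    }
    $expires = time() + $lifetime;

    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3+: the options-array signature supports 'samesite' directly.
        setcookie('refresh_token', $token, array(
            'expires'  => $expires,
            'path'     => '/',
            'secure'   => true,  // browsers require Secure when SameSite=None
            'httponly' => true,
            'samesite' => $sameSite,
        ));
        return;
    }

    // Older PHP: send the header ourselves. The second argument (false)
    // keeps any Set-Cookie headers already queued instead of replacing them.
    header(
        'Set-Cookie: ' . buildSetCookieHeader('refresh_token', $token, $expires, $sameSite),
        false
    );
}
```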