I have an application using this plugin. Before the user logs in, the app saves a piece of data in a session. I then have them follow a link generated by the `saml_route()` helper function. The user is redirected to the SSO, they sign in, and are directed back to the ACS route. By the time the code gets to the `acs()` method in the `src/Http/Controllers/Saml2Controller.php` controller, the existing session is cleared and a new one has started.
I traced back through the middleware and the previous session data exists as the request passes through the ResolveTenant middleware and the ones described in the readme.md file:
Reading through some other things, if I set the session config `'same_site' => null`, it works, but I don't like keeping it like that. Is there a way to fix this without making the session less secure and vulnerable?
This may help someone, but I was missing `EncryptCookies` in Laravel 11 because I removed it during an upgrade from L10 and experienced similar symptoms; changing lax didn't fix the problem.
Ensuring I had that middleware in my bootstrap/app.php
```php
use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse;
use Illuminate\Cookie\Middleware\EncryptCookies;
use Illuminate\Foundation\Configuration\Middleware;
use Illuminate\Session\Middleware\StartSession;
use Illuminate\View\Middleware\ShareErrorsFromSession;

// ...
->withMiddleware(function (Middleware $middleware) {
    // Prepend the cookie and session middleware to the 'saml' group
    $middleware->prependToGroup('saml', [
        EncryptCookies::class,
        AddQueuedCookiesToResponse::class,
        StartSession::class,
        ShareErrorsFromSession::class,
    ]);
})
```
I have followed through the stacktrace but cannot figure out what is deleting my existing session and starting a new one.
Any ideas what is causing this?