Merge pull request #7605 from umbraco/v17/feature/token-cookies

Added docs for auth tokens in cookies (V17)

Author: eshanrnh

17/umbraco-cms/reference/configuration/securitysettings.md

@@ -45,7 +45,10 @@ A full configuration with all default values can be seen here:
       "UserDefaultFailedLoginDurationInMilliseconds": 1000,
       "UserMinimumFailedLoginDurationInMilliseconds": 250,
       "PasswordResetEmailExpiry": "01:00:00",
-      "UserInviteEmailExpiry": "3.00:00:00"
+      "UserInviteEmailExpiry": "3.00:00:00",
+      "BackOfficeTokenCookie": {
+        "SameSite": "Strict"
+      }
     }
   }
 }
@@ -163,3 +166,13 @@ Options are:
 ## Member password settings
 
 This section allows you to define the password rules for members. This section is identical to the one for users.
+
+## Backoffice token cookie settings
+
+User authentication tokens are redacted from the server's authentication responses and put into secure cookies instead. This section lets you change the default settings for the generated token cookies.
+
+It is not recommended to change these settings, as it may result in lesser security for the backoffice users.
+
+### Same site
+
+Sets the `SameSite` configuration for the token cookies. Valid values are "Unspecified", "None", "Lax", and "Strict" (default).