- the Optimize auth session cookie has the SameSite flag set to Strict
- this is also the case for SSO
- in the documentation, in the supported environments section, it is mentioned that only specific IE11 browser versions are supported
- the SameSite cookie flag can be disabled via configuration
Setting SameSite=Strict might be low-hanging fruit for CSRF protection on browsers that support it (https://caniuse.com/#feat=same-site-cookie-attribute; yes, even IE11).
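As an added example (not Optimize's own code, and not tied to its real cookie names), the following Python script shows the check a reviewer would run against a response's Set-Cookie headers: it parses the cookie attributes, flags a session cookie that lacks SameSite/Secure/HttpOnly, and models the browser rule that makes SameSite=Strict a CSRF mitigation. The header strings `WEAK_HEADER` and `HARDENED_HEADER` and the cookie name `session` are constructed for the example.

```python
"""Audit Set-Cookie headers for SameSite and related session-cookie flags.

Added example, not Optimize's code. Cookie names/values below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CookieAudit:
    name: str
    same_site: Optional[str]          # "Strict", "Lax", "None", or None if absent
    secure: bool
    http_only: bool
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split one Set-Cookie header value into the cookie name and its attribute flags."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = None            # flag attributes: Secure, HttpOnly
    same_site = attrs.get("samesite")
    return CookieAudit(
        name=name,
        same_site=same_site.capitalize() if same_site else None,
        secure="secure" in attrs,
        http_only="httponly" in attrs,
    )


def audit_session_cookie(header: str) -> CookieAudit:
    """Record the CSRF- and theft-relevant weaknesses of a session cookie's attributes."""
    audit = parse_set_cookie(header)
    if audit.same_site is None:
        audit.findings.append("SameSite missing: browser default applies (Lax on newer browsers, none on older ones)")
    elif audit.same_site == "None":
        audit.findings.append("SameSite=None: cookie is attached to cross-site requests")
    elif audit.same_site == "Lax":
        audit.findings.append("SameSite=Lax: cookie is still attached to cross-site top-level GET navigations")
    if not audit.secure:
        audit.findings.append("Secure missing: cookie may be sent over plain HTTP")
    if not audit.http_only:
        audit.findings.append("HttpOnly missing: cookie is readable from script")
    return audit


def cookie_sent_on_request(same_site: Optional[str], cross_site: bool,
                           top_level_get_navigation: bool) -> bool:
    """Model of the browser rule behind SameSite (absent is treated as legacy 'always send')."""
    if not cross_site:
        return True                           # same-site requests always carry the cookie
    if same_site == "Strict":
        return False                          # never attached cross-site: blocks classic CSRF
    if same_site == "Lax":
        return top_level_get_navigation       # only on top-level GET navigations
    return True                               # SameSite=None or absent (legacy behaviour)


# Constructed sample headers: the weak setting beside the hardened one.
WEAK_HEADER = "session=abc123; Path=/; HttpOnly"
HARDENED_HEADER = "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"

if __name__ == "__main__":
    for header in (WEAK_HEADER, HARDENED_HEADER):
        result = audit_session_cookie(header)
        print(result.name, result.findings or "OK")
    # A cross-site POST (the classic CSRF shape) does not carry a Strict cookie.
    print("Strict cookie on cross-site POST:", cookie_sent_on_request("Strict", True, False))
```

Run it as a script to see the weak header flagged and the hardened one pass; in practice you would feed it the Set-Cookie values captured from the login response and SSO callback, and re-run it after toggling the configuration option that disables the flag to confirm the weakening is visible.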