From 13330fbb55a8f8dbe3d3881f2860190e8a3518c1 Mon Sep 17 00:00:00 2001
From: kjac
Date: Tue, 11 Nov 2025 08:51:23 +0100
Subject: [PATCH 1/4] Added docs for auth tokens in cookies (V16)
---
 .../configuration/securitysettings.md | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/16/umbraco-cms/reference/configuration/securitysettings.md b/16/umbraco-cms/reference/configuration/securitysettings.md
index ba5bc774e31..10f20a3e092 100644
--- a/16/umbraco-cms/reference/configuration/securitysettings.md
+++ b/16/umbraco-cms/reference/configuration/securitysettings.md
@@ -44,6 +44,10 @@ A full configuration with all default values can be seen here:
 "AllowConcurrentLogins": false,
 "UserDefaultFailedLoginDurationInMilliseconds": 1000,
 "UserMinimumFailedLoginDurationInMilliseconds": 250,
+ "BackOfficeTokenCookie": {
+ "Enabled": false,
+ "SameSite": "Strict"
+ }
 }
 }
 }
@@ -153,3 +157,22 @@ Options are:
 ## Member password settings
 This section allows you to define the password rules for members. This section is identical to the one for users.
+
+## Backoffice token cookie settings
+
+As an added security feature, user authentication tokens can be returned in secure cookies from the server authentication requests. This section lets you change the default settings for the generated token cookies.
+
+For backwards compatibility reasons, the feature is disabled by default.
+
+We recommend you:
+
+1. Enable this feature (see below).
+2. Retain the default values for the rest of the configuration.
+
+### Enabled
+
+When set to `true`, user authentication tokens are redacted from the server authentication responses and put into secure cookies instead.
+
+### Same site
+
+Sets the `SameSite` configuration for the token cookies. Valid values are "Unspecified", "None", "Lax" and "Strict" (default).
From eb7071b9924e447b24be685244c32ea4cf4f4aa0 Mon Sep 17 00:00:00 2001
From: Esha Noronha <82437098+eshanrnh@users.noreply.github.com>
Date: Tue, 11 Nov 2025 10:20:21 +0100
Subject: [PATCH 2/4] Update 16/umbraco-cms/reference/configuration/securitysettings.md
---
 16/umbraco-cms/reference/configuration/securitysettings.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/16/umbraco-cms/reference/configuration/securitysettings.md b/16/umbraco-cms/reference/configuration/securitysettings.md
index 10f20a3e092..52c2c77f610 100644
--- a/16/umbraco-cms/reference/configuration/securitysettings.md
+++ b/16/umbraco-cms/reference/configuration/securitysettings.md
@@ -160,7 +160,7 @@ This section allows you to define the password rules for members. This section i
 ## Backoffice token cookie settings
-As an added security feature, user authentication tokens can be returned in secure cookies from the server authentication requests. This section lets you change the default settings for the generated token cookies.
+As an added security feature, user authentication tokens can be returned in secure cookies from the server's authentication requests. This section lets you change the default settings for the generated token cookies.
 For backwards compatibility reasons, the feature is disabled by default.
From 65d0f429bb6b769bfd704fa5b35c377a795a7764 Mon Sep 17 00:00:00 2001
From: Esha Noronha <82437098+eshanrnh@users.noreply.github.com>
Date: Tue, 11 Nov 2025 10:20:27 +0100
Subject: [PATCH 3/4] Update 16/umbraco-cms/reference/configuration/securitysettings.md
---
 16/umbraco-cms/reference/configuration/securitysettings.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/16/umbraco-cms/reference/configuration/securitysettings.md b/16/umbraco-cms/reference/configuration/securitysettings.md
index 52c2c77f610..8286c7a3700 100644
--- a/16/umbraco-cms/reference/configuration/securitysettings.md
+++ b/16/umbraco-cms/reference/configuration/securitysettings.md
@@ -164,7 +164,7 @@ As an added security feature, user authentication tokens can be returned in secu
 For backwards compatibility reasons, the feature is disabled by default.
-We recommend you:
+Recommendations:
 1. Enable this feature (see below).
 2. Retain the default values for the rest of the configuration.
From 8b45ecf4f3d94f7fbf1afd2b4a12fa940070cd24 Mon Sep 17 00:00:00 2001
From: Esha Noronha <82437098+eshanrnh@users.noreply.github.com>
Date: Tue, 11 Nov 2025 10:20:34 +0100
Subject: [PATCH 4/4] Update 16/umbraco-cms/reference/configuration/securitysettings.md
---
 16/umbraco-cms/reference/configuration/securitysettings.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/16/umbraco-cms/reference/configuration/securitysettings.md b/16/umbraco-cms/reference/configuration/securitysettings.md
index 8286c7a3700..06d1b6d0b4c 100644
--- a/16/umbraco-cms/reference/configuration/securitysettings.md
+++ b/16/umbraco-cms/reference/configuration/securitysettings.md
@@ -175,4 +175,4 @@ When set to `true`, user authentication tokens are redacted from the server auth
 ### Same site
-Sets the `SameSite` configuration for the token cookies. Valid values are "Unspecified", "None", "Lax" and "Strict" (default).
+Sets the `SameSite` configuration for the token cookies. Valid values are "Unspecified", "None", "Lax", and "Strict" (default).