Open
Hello, I would like to set the cookie sameSite value to "none" for secure connections and to "lax" for http connections (as none requires a secure connection).
The secure option supports "auto", which will check on request whether the connection is secure and set secure to true, and to false otherwise. I would like a similar option for sameSite, as it would really help in my situation where I cannot determine up front if the site is served http-only, but if it IS accessed on https I really need sameSite to be set to "none" to support some SAML authentication scenarios.
The fix is rather simple. In index.js I just put in:

```js
store.generate = function(req){
  req.sessionID = generateId(req);
  req.session = new Session(req);
  req.session.cookie = new Cookie(cookieOptions);
  if (cookieOptions.secure === 'auto') {
    req.session.cookie.secure = issecure(req, trustProxy);
    // support for sameSite 'auto':
    if (cookieOptions.sameSite === 'auto') {
      req.session.cookie.sameSite = req.session.cookie.secure ? 'none' : 'lax';
    }
  }
};
```

I am just wondering if a pull request is appreciated?
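The per-request decision proposed above, as a stand-alone added example (not the issue author's code and not express-session's own). `isSecureRequest` and `resolveCookieFlags` are hypothetical names, the request objects are constructed samples, and the example goes slightly beyond the snippet by also resolving `sameSite: 'auto'` when `secure` is an explicit boolean and by rejecting `'none'` on a non-secure cookie.

```javascript
// Hypothetical helper: decides whether this request arrived over HTTPS.
function isSecureRequest(req, trustProxy) {
  // Direct TLS connection to this process.
  if (req.socket && req.socket.encrypted) return true;
  // Honour X-Forwarded-Proto only when the proxy is trusted; otherwise any
  // client could claim "https" and have the cookie marked Secure/None.
  if (!trustProxy) return false;
  const header = (req.headers && req.headers['x-forwarded-proto']) || '';
  const proto = String(header).split(',')[0].trim().toLowerCase();
  return proto === 'https';
}

// Hypothetical helper: resolves the 'auto' values for one request.
function resolveCookieFlags(req, cookieOptions, trustProxy) {
  const secure = cookieOptions.secure === 'auto'
    ? isSecureRequest(req, trustProxy)
    : Boolean(cookieOptions.secure);
  let sameSite = cookieOptions.sameSite;
  if (sameSite === 'auto') {
    // As the post notes, "none" requires a secure connection,
    // so fall back to "lax" whenever the cookie will not be Secure.
    sameSite = secure ? 'none' : 'lax';
  } else if (sameSite === 'none' && !secure) {
    // Design choice of this example: fail loudly on an invalid combination.
    throw new Error('sameSite "none" requires a secure cookie');
  }
  return { secure, sameSite };
}

// Constructed sample requests (not captured traffic).
const samples = {
  directTls: { socket: { encrypted: true }, headers: {} },
  plainHttp: { socket: {}, headers: {} },
  behindProxy: { socket: {}, headers: { 'x-forwarded-proto': 'https, http' } },
};
for (const [name, req] of Object.entries(samples)) {
  console.log(name, resolveCookieFlags(req, { secure: 'auto', sameSite: 'auto' }, true));
}
```
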