diff --git a/administrator/components/com_banners/src/Controller/TracksController.php b/administrator/components/com_banners/src/Controller/TracksController.php index aed63de7faf49..9372cb4b3e2f8 100644 --- a/administrator/components/com_banners/src/Controller/TracksController.php +++ b/administrator/components/com_banners/src/Controller/TracksController.php @@ -138,21 +138,27 @@ public function display($cachable = false, $urlparams = array()) $this->input->cookie->set( ApplicationHelper::getHash($this->context . '.basename'), $form['basename'], - $cookieLifeTime, - $cookiePath, - $cookieDomain, - $isHttpsForced, - true + [ + 'expires' => $cookieLifeTime, + 'path' => $cookiePath, + 'domain' => $cookieDomain, + 'secure' => $isHttpsForced, + 'httponly' => true, + 'samesite' => 'lax' + ] ); $this->input->cookie->set( ApplicationHelper::getHash($this->context . '.compressed'), $form['compressed'], - $cookieLifeTime, - $cookiePath, - $cookieDomain, - $isHttpsForced, - true + [ + 'expires' => $cookieLifeTime, + 'path' => $cookiePath, + 'domain' => $cookieDomain, + 'secure' => $isHttpsForced, + 'httponly' => true, + 'samesite' => 'lax' + ] ); // Push the model into the view (as default). diff --git a/administrator/components/com_config/forms/application.xml b/administrator/components/com_config/forms/application.xml index 8b944295fac2b..dfb19aaa63c33 100644 --- a/administrator/components/com_config/forms/application.xml +++ b/administrator/components/com_config/forms/application.xml @@ -1204,6 +1204,18 @@ size="40" /> + + + + + +
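Review bot: The two `set()` calls in display() build the same six-key options array verbatim; assembling it once into a local, e.g. `$cookieOptions = ['expires' => $cookieLifeTime, 'path' => $cookiePath, 'domain' => $cookieDomain, 'secure' => $isHttpsForced, 'httponly' => true, 'samesite' => 'lax'];`, and passing `$cookieOptions` to both calls keeps the two export-preference cookies from drifting apart. Both multi-line arrays also lack a trailing comma after `'samesite' => 'lax'`, unlike the plugins/user/joomla/joomla.php hunk later in this diff. `'lax'` is fixed here while joomla.php reads the policy from `cookie_samesite`; if that is deliberate because these cookies only carry export form preferences, a one-line comment saying so would save the next reader a question. display() begins before this hunk.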
setId($session_clean); - $cookie->set($session_name, '', time() - 3600); + $cookie->set($session_name, '', [ + 'expires' => time() - 3600, + ] + ); } } diff --git a/plugins/authentication/cookie/cookie.php b/plugins/authentication/cookie/cookie.php index 02a6cb79986b9..8ad95dc8b11c7 100644 --- a/plugins/authentication/cookie/cookie.php +++ b/plugins/authentication/cookie/cookie.php @@ -101,7 +101,12 @@ public function onUserAuthenticate($credentials, $options, &$response) if (count($cookieArray) !== 2) { // Destroy the cookie in the browser. - $this->app->input->cookie->set($cookieName, '', 1, $this->app->get('cookie_path', '/'), $this->app->get('cookie_domain', '')); + $this->app->input->cookie->set($cookieName, '', [ + 'expires' => 1, + 'path' => $this->app->get('cookie_path', '/'), + 'domain' => $this->app->get('cookie_domain', ''), + ] + ); Log::add('Invalid cookie detected.', Log::WARNING, 'error'); return false; @@ -153,7 +158,12 @@ public function onUserAuthenticate($credentials, $options, &$response) if (count($results) !== 1) { // Destroy the cookie in the browser. - $this->app->input->cookie->set($cookieName, '', 1, $this->app->get('cookie_path', '/'), $this->app->get('cookie_domain', '')); + $this->app->input->cookie->set($cookieName, '', [ + 'expires' => 1, + 'path' => $this->app->get('cookie_path', '/'), + 'domain' => $this->app->get('cookie_domain', ''), + ] + ); $response->status = Authentication::STATUS_FAILURE; return false; 
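Review bot: The five-line "destroy the cookie" block introduced here is repeated unchanged in the @@ -153, @@ -187, @@ -272 and @@ -442 hunks of this file, and in the same shape in plugins/system/logout/logout.php and plugins/user/joomla/joomla.php. Within this plugin a private helper would give one place to keep the path and domain in step with the cookie issued in the @@ -336 hunk, and each call site becomes `$this->destroyCookie($cookieName);`. onUserAuthenticate starts and ends outside the hunk.
```php
/**
 * Expire a remember-me cookie in the browser by re-sending it with a past expiry.
 *
 * @param   string  $name  The cookie name as sent to the browser.
 *
 * @return  void
 */
private function destroyCookie(string $name): void
{
    $this->app->input->cookie->set($name, '', [
        'expires' => 1,
        'path'    => $this->app->get('cookie_path', '/'),
        'domain'  => $this->app->get('cookie_domain', ''),
    ]);
}
```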
@@ -187,7 +197,12 @@ public function onUserAuthenticate($credentials, $options, &$response) } // Destroy the cookie in the browser. - $this->app->input->cookie->set($cookieName, '', 1, $this->app->get('cookie_path', '/'), $this->app->get('cookie_domain', '')); + $this->app->input->cookie->set($cookieName, '', [ + 'expires' => 1, + 'path' => $this->app->get('cookie_path', '/'), + 'domain' => $this->app->get('cookie_domain', ''), + ] + ); // Issue warning by email to user and/or admin? Log::add(Text::sprintf('PLG_AUTHENTICATION_COOKIE_ERROR_LOG_LOGIN_FAILED', $results[0]->user_id), Log::WARNING, 'security'); @@ -272,7 +287,12 @@ public function onUserAfterLogin($options) $cookieValue = $this->app->input->cookie->get($oldCookieName); // Destroy the old cookie in the browser - $this->app->input->cookie->set($oldCookieName, '', 1, $this->app->get('cookie_path', '/'), $this->app->get('cookie_domain', '')); + $this->app->input->cookie->set($oldCookieName, '', [ + 'expires' => 1, + 'path' => $this->app->get('cookie_path', '/'), + 'domain' => $this->app->get('cookie_domain', ''), + ] + ); } $cookieArray = explode('.', $cookieValue); @@ -329,6 +349,7 @@ public function onUserAfterLogin($options) // Get the parameter values $lifetime = $this->params->get('cookie_lifetime', 60) * 24 * 60 * 60; + $samesite = $this->params->get('cookie_samesite', 'strict'); $length = $this->params->get('key_length', 16); // Generate new cookie 
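Review bot: `$samesite` is read from the plugin's own parameters (`$this->params->get('cookie_samesite', 'strict')`), whereas plugins/user/joomla/joomla.php reads the same key from the application configuration with `$this->app->get('cookie_samesite', 'strict')`. Unless the plugin manifest also gains a `cookie_samesite` field — not visible in this chunk — this line always yields `'strict'`, and an administrator changing the global option would find the remember-me cookie ignoring it; reading it via `$this->app->get(...)` like joomla.php, or documenting the override order in a comment, would settle which setting wins. The value is used verbatim as the SameSite attribute in the @@ -336 hunk, so a comment stating the accepted values, `// Accepted values: 'strict', 'lax', 'none' (the SameSite attribute as sent to the browser)`, would help. onUserAfterLogin continues outside the hunk.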
@@ -336,14 +357,14 @@ public function onUserAfterLogin($options) $cookieValue = $token . '.' . $series; // Overwrite existing cookie with new value - $this->app->input->cookie->set( - $cookieName, - $cookieValue, - time() + $lifetime, - $this->app->get('cookie_path', '/'), - $this->app->get('cookie_domain', ''), - $this->app->isHttpsForced(), - true + $this->app->input->cookie->set($cookieName, $cookieValue, [ + 'expires' => time() + $lifetime, + 'path' => $this->app->get('cookie_path', '/'), + 'domain' => $this->app->get('cookie_domain', ''), + 'secure' => $this->app->isHttpsForced(), + 'httponly' => true, + 'samesite' => $samesite + ] ); $query = $this->db->getQuery(true); @@ -442,7 +463,12 @@ public function onUserAfterLogout($options) } // Destroy the cookie - $this->app->input->cookie->set($cookieName, '', 1, $this->app->get('cookie_path', '/'), $this->app->get('cookie_domain', '')); + $this->app->input->cookie->set($cookieName, '', [ + 'expires' => 1, + 'path' => $this->app->get('cookie_path', '/'), + 'domain' => $this->app->get('cookie_domain', ''), + ] + ); return true; } diff --git a/plugins/system/languagefilter/languagefilter.php b/plugins/system/languagefilter/languagefilter.php index 16c241d389fc8..0d3826b0cd277 100644 --- a/plugins/system/languagefilter/languagefilter.php +++ b/plugins/system/languagefilter/languagefilter.php @@ -892,11 +892,14 @@ private function setLanguageCookie($languageCode) $this->app->input->cookie->set( ApplicationHelper::getHash('language'), $languageCode, - time() + 365 * 86400, - $this->app->get('cookie_path', '/'), - $this->app->get('cookie_domain', ''), - $this->app->isHttpsForced(), - true + [ + 'expires' => time() + 365 * 86400, + 'path' => $this->app->get('cookie_path', '/'), + 'domain' => $this->app->get('cookie_domain', ''), + 'secure' => $this->app->isHttpsForced(), + 'httponly' => true, + 'samesite' => 'lax' + ] ); } // If not, set the user language in the session (that is already saved in a cookie). 
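Review bot: `'secure' => $this->app->isHttpsForced()` and `'samesite' => $samesite` are set independently, but browsers discard a cookie carrying `SameSite=None` without the `Secure` attribute, so a configured value of `none` on a site that does not force HTTPS would silently leave the remember-me cookie unset. Coupling the two, `'secure' => $this->app->isHttpsForced() || strtolower((string) $samesite) === 'none',`, keeps an explicitly permitted cross-site cookie deliverable; alternatively reject `none` when HTTPS is not forced. The `'strict'` default also means the cookie is not sent on a top-level navigation arriving from another site, so a returning user following an external link is not auto-logged-in on that first request — defensible, but worth a comment if intended. onUserAfterLogin continues outside the hunk.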
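Review bot: The language cookie hard-codes `'samesite' => 'lax'` while plugins/user/joomla/joomla.php takes the policy from `cookie_samesite`; since `Lax` is what lets the stored language follow a visitor who arrives via a link from another site, a comment recording that this is intentional, e.g. `// Lax on purpose: the language choice must survive top-level navigations from other sites`, would stop a later cleanup from switching it to the configured value. The array also lacks a trailing comma after its last element, unlike the joomla.php hunk. setLanguageCookie begins before this hunk.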
diff --git a/plugins/system/logout/logout.php b/plugins/system/logout/logout.php index 65d591c2e38ed..3b0c6e51148b0 100644 --- a/plugins/system/logout/logout.php +++ b/plugins/system/logout/logout.php @@ -58,7 +58,12 @@ public function __construct(&$subject, $config) if ($this->app->input->cookie->getString($hash)) { // Destroy the cookie. - $this->app->input->cookie->set($hash, '', 1, $this->app->get('cookie_path', '/'), $this->app->get('cookie_domain', '')); + $this->app->input->cookie->set($hash, '', [ + 'expires' => 1, + 'path' => $this->app->get('cookie_path', '/'), + 'domain' => $this->app->get('cookie_domain', ''), + ] + ); } } @@ -77,14 +82,14 @@ public function onUserLogout($user, $options = array()) if ($this->app->isClient('site')) { // Create the cookie. - $this->app->input->cookie->set( - ApplicationHelper::getHash('PlgSystemLogout'), - true, - time() + 86400, - $this->app->get('cookie_path', '/'), - $this->app->get('cookie_domain', ''), - $this->app->isHttpsForced(), - true + $this->app->input->cookie->set(ApplicationHelper::getHash('PlgSystemLogout'), true, [ + 'expires' => time() + 86400, + 'path' => $this->app->get('cookie_path', '/'), + 'domain' => $this->app->get('cookie_domain', ''), + 'secure' => $this->app->isHttpsForced(), + 'httponly' => true, + 'samesite' => 'lax' + ] ); } diff --git a/plugins/user/joomla/joomla.php b/plugins/user/joomla/joomla.php index 7c6a848916e88..f9bcefc91a7cc 100644 --- a/plugins/user/joomla/joomla.php +++ b/plugins/user/joomla/joomla.php 
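Review bot: The argument list in onUserLogout is laid out differently from the rest of this diff: the name and value share the first line with `[` opening the options array inline, while TracksController and languagefilter put every argument on its own line and joomla.php opens `[` on a line of its own. Picking one shape across these files (PER-CS puts each argument of a multi-line call on its own line) would make the calls scan uniformly, and the array is missing a trailing comma after `'samesite' => 'lax'`. The value `true` is kept from the old call; if it reaches `setcookie()` unchanged it is presumably coerced to `'1'`, so writing `'1'` directly would make the wire value explicit. onUserLogout continues outside the hunk.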
@@ -336,14 +336,15 @@ public function onUserLogin($user, $options = []) // Add "user state" cookie used for reverse caching proxies like Varnish, Nginx etc. if ($this->app->isClient('site')) { - $this->app->input->cookie->set( - 'joomla_user_state', - 'logged_in', - 0, - $this->app->get('cookie_path', '/'), - $this->app->get('cookie_domain', ''), - $this->app->isHttpsForced(), - true + $this->app->input->cookie->set('joomla_user_state', 'logged_in', + [ + 'expires' => 0, + 'path' => $this->app->get('cookie_path', '/'), + 'domain' => $this->app->get('cookie_domain', ''), + 'secure' => $this->app->isHttpsForced(), + 'httponly' => true, + 'samesite' => $this->app->get('cookie_samesite', 'strict'), + ] ); } @@ -410,7 +411,13 @@ public function onUserLogout($user, $options = []) // Delete "user state" cookie used for reverse caching proxies like Varnish, Nginx etc. if ($this->app->isClient('site')) { - $this->app->input->cookie->set('joomla_user_state', '', 1, $this->app->get('cookie_path', '/'), $this->app->get('cookie_domain', '')); + $this->app->input->cookie->set('joomla_user_state', '', + [ + 'expires' => 1, + 'path' => $this->app->get('cookie_path', '/'), + 'domain' => $this->app->get('cookie_domain', ''), + ] + ); } return true;
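Review bot: The `joomla_user_state` cookie now takes its SameSite policy from `cookie_samesite` (default `'strict'`), but the comment above says reverse caching proxies use it to tell logged-in from anonymous requests; if the session cookie is still sent on a cross-site top-level navigation while this marker is withheld under `Strict`, a proxy could serve a cached anonymous page to a logged-in user arriving via an external link. Whether that is reachable depends on the session cookie's own SameSite attribute, which is not in this diff, so a comment tying the two together, e.g. `// Keep SameSite no stricter than the session cookie, or proxies will misclassify cross-site arrivals`, or deriving both from the same setting, would document the intended coupling. The options array also opens `[` on its own line, unlike the other hunks in this diff. onUserLogin continues outside the hunk.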