:same_site - set the cookie SameSite attribute to a string value. If no string value is set, the attribute is omitted.
The possible values for the SameSite cookie attribute are an HTTP standard, and not related to Phoenix or Plug. You can find some documentation here about the meaning of the three possible values: Lax, Strict, and None.
Setting :extra as advised by @ukutaht is also working, but as there is a specific :same_site option I would advise using that (it’s available from v1.10.1 apparently):
SameSite is wonderful. You might want to consider whether Lax or Strict is a better choice for your site, though. Strict means, among other things, that if somebody follows a link to your site, their browser won’t send the cookie with that request.
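To compare the options discussed in this thread, the following added example (not code from any of the posts) runs a request through `Plug.Session` and returns the `Set-Cookie` header produced with no SameSite setting, with `:same_site`, and with the `:extra` workaround. The module name, cookie key, salt and secret are constructed for the demo, and it assumes `:plug` v1.10.1 or later is a dependency of the project.

```elixir
# Added example. Assumes :plug (v1.10.1 or later) is a dependency of the project.
defmodule SameSiteDemo do
  import Plug.Conn

  # Constructed values for the demo only; the cookie store needs >= 64 bytes here.
  @secret_key_base String.duplicate("constructed-secret-", 4)
  @base_opts [store: :cookie, key: "_demo_key", signing_salt: "constructed-salt"]

  # Runs one request through Plug.Session with the given extra options and
  # returns the Set-Cookie header values the client would receive.
  def set_cookie_headers(session_opts) do
    opts = Plug.Session.init(@base_opts ++ session_opts)

    Plug.Test.conn(:get, "/")
    |> Map.put(:secret_key_base, @secret_key_base)
    |> Plug.Session.call(opts)
    |> fetch_session()
    # Writing to the session is what makes Plug.Session emit the cookie.
    |> put_session(:user_id, 1)
    |> send_resp(200, "ok")
    |> get_resp_header("set-cookie")
  end

  # Pairs each option set with the header it produces, so the presence or
  # absence of the SameSite attribute can be checked side by side.
  def compare do
    for opts <- [[], [same_site: "Lax"], [same_site: "Strict"], [extra: "SameSite=Lax"]] do
      {opts, set_cookie_headers(opts)}
    end
  end
end

SameSiteDemo.compare() |> Enum.each(&IO.inspect/1)
```

Checking the emitted header this way, rather than only the configuration, confirms that the attribute actually reaches the browser and that it is omitted when no value is set.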