diff --git a/docs/configuration.md b/docs/configuration.md
index 6f79a3646..02fe2f83b 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -63,7 +63,6 @@ is a good starting point to get an idea of what you should provide.
- [cookies.long](#cookieslong)
- [cookies.names](#cookiesnames)
- [cookies.short](#cookiesshort)
- - [cookies.thirdPartyCheckUrl](#cookiesthirdpartycheckurl)
- [deviceFlowSuccess](#devicecodesuccess)
- [discovery](#discovery)
- [dynamicScopes](#dynamicscopes)
@@ -1095,9 +1094,12 @@ false
-The User-Agent must allow access to the provider cookies from a third-party context when the OP frame is embedded. Oidc-provider checks if this is enabled using a [CDN hosted](https://rawgit.com/) [iframe][third-party-cookies-git]. It is recommended to host these helper pages on your own (on a different domain from the one you host oidc-provider on). Once hosted, set the `cookies.thirdPartyCheckUrl` to an absolute URL for the start page. See [this][third-party-cookies-so] for more info. Note: This is still just a best-effort solution and is in no way bulletproof. Currently there's no better way to check if access to third party cookies has been blocked or the cookies are just missing. (ITP2.0 Storage Access API is also not an option)
-
+The User-Agent must allow access to the provider cookies from a third-party context when the OP frame is embedded. Oidc-provider checks if this is enabled using a [CDN hosted](https://rawgit.com/) [iframe][third-party-cookies-git]. It is recommended to host these helper pages on your own (on a different domain from the one you host oidc-provider on). Once hosted, set the `features.sessionManagement.thirdPartyCheckUrl` to an absolute URL for the start page. See [this][third-party-cookies-so] for more info. Note: This is still just a best-effort solution and is in no way bulletproof. Currently there's no better way to check if access to third party cookies has been blocked or the cookies are just missing. (ITP2.0 Storage Access API is also not an option) Configure `features.sessionManagement` as an object like so:
+
+```js
+{ thirdPartyCheckUrl: 'https://your-location.example.com/start.html' },
+```
(Click to expand) To disable removing frame-ancestors from Content-Security-Policy and X-Frame-Options
@@ -1260,17 +1262,6 @@ _**default value**_:
maxAge: 600000 }
```
-### cookies.thirdPartyCheckUrl
-
-URL for 3rd party cookies support check helper
-
-_**affects**_: sessionManagement feature
-
-_**default value**_:
-```js
-'https://cdn.rawgit.com/panva/3rdpartycookiecheck/92fead3f/start.html'
-```
-
### deviceFlowSuccess
HTML source rendered when device code feature renders a success page for the User-Agent.
diff --git a/lib/actions/check_session.js b/lib/actions/check_session.js
index 6caa70576..fc30e2aa9 100644
--- a/lib/actions/check_session.js
+++ b/lib/actions/check_session.js
@@ -10,7 +10,7 @@ const buildParams = getParams(PARAM_LIST);
module.exports = function checkSessionAction(provider) {
const removeHeaders = !instance(provider).configuration('features.sessionManagement.keepHeaders');
- const thirdPartyCheckUrl = instance(provider).configuration('cookies.thirdPartyCheckUrl');
+ const thirdPartyCheckUrl = instance(provider).configuration('features.sessionManagement.thirdPartyCheckUrl');
return {
get: async function checkSessionIframe(ctx, next) {
diff --git a/lib/helpers/configuration_schema.js b/lib/helpers/configuration_schema.js
index 01d90f315..6486b853c 100644
--- a/lib/helpers/configuration_schema.js
+++ b/lib/helpers/configuration_schema.js
@@ -4,6 +4,7 @@ const {
const { JWA } = require('../consts');
+const attention = require('./attention');
const defaults = require('./defaults');
function authEndpointDefaults(config) {
@@ -77,6 +78,13 @@ module.exports = class ConfigurationSchema {
}
}
+ if (get(this, 'features.sessionManagement')) {
+ if (!this.features.sessionManagement.thirdPartyCheckUrl) {
+ attention.warn('configuration features.sessionManagement.thirdPartyCheckUrl is missing, it should be set when running in production');
+ set(this, 'features.sessionManagement.thirdPartyCheckUrl', 'https://cdn.rawgit.com/panva/3rdpartycookiecheck/92fead3f/start.html');
+ }
+ }
+
this.ensureMaps();
this.checkWhitelistedAlgs();
this.collectScopes();
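Review bot: The new check before `set(...)` only tests `thirdPartyCheckUrl` for truthiness, so a relative path or a non-string value supplied by the deployer is passed through to check_session.js unvalidated, although the documentation in this same commit requires an absolute URL; a `typeof` and `http(s)` scheme check at configuration time would surface that misconfiguration early instead of in the session-management iframe. As a matter of style the block mixes `get(this, 'features.sessionManagement')` with the direct `this.features.sessionManagement.thirdPartyCheckUrl` access on the next line, and inlines the rawgit URL literal inside the constructor; reading the value through the same `get` helper and hoisting the literal into a module-level `DEFAULT_THIRD_PARTY_CHECK_URL` constant would make the fallback easier to audit and to change later. If `set` here is lodash's, a deployer who enabled the feature with `features.sessionManagement: true` will presumably have that boolean replaced by a `{ thirdPartyCheckUrl }` object (it stays truthy, so feature checks should still pass), which deserves a one-line comment such as `// NOTE: turns a bare \`true\` into an object holding only the default URL`. The enclosing constructor starts outside the hunk, so I cannot see whether the rest of the schema throws or warns on invalid values; the sketch below throws, adjust to match.
```javascript
// at module scope, next to the other requires
const DEFAULT_THIRD_PARTY_CHECK_URL = 'https://cdn.rawgit.com/panva/3rdpartycookiecheck/92fead3f/start.html';

    if (get(this, 'features.sessionManagement')) {
      const thirdPartyCheckUrl = get(this, 'features.sessionManagement.thirdPartyCheckUrl');
      if (!thirdPartyCheckUrl) {
        attention.warn('configuration features.sessionManagement.thirdPartyCheckUrl is missing, it should be set when running in production');
        // NOTE: turns a bare `true` into an object holding only the default URL
        set(this, 'features.sessionManagement.thirdPartyCheckUrl', DEFAULT_THIRD_PARTY_CHECK_URL);
      } else if (typeof thirdPartyCheckUrl !== 'string' || !/^https?:\/\//.test(thirdPartyCheckUrl)) {
        throw new TypeError('features.sessionManagement.thirdPartyCheckUrl must be an absolute http(s) URL');
      }
    }
    // … unchanged: ensureMaps / checkWhitelistedAlgs / collectScopes …
```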
diff --git a/lib/helpers/defaults.js b/lib/helpers/defaults.js
index 81a00b05f..7c864c49d 100644
--- a/lib/helpers/defaults.js
+++ b/lib/helpers/defaults.js
@@ -123,15 +123,6 @@ const DEFAULTS = {
* and re-signed
*/
keys: [],
-
- /*
- * cookies.thirdPartyCheckUrl
- *
- * description: URL for 3rd party cookies support check helper
- * affects: sessionManagement feature
- *
- */
- thirdPartyCheckUrl: 'https://cdn.rawgit.com/panva/3rdpartycookiecheck/92fead3f/start.html', // TODO: move under sessionManagement in next major
},
@@ -457,12 +448,18 @@ const DEFAULTS = {
*
* oidc-provider checks if this is enabled using a [CDN hosted](https://rawgit.com/) [iframe][third-party-cookies-git].
* It is recommended to host these helper pages on your own (on a different domain from the one
- * you host oidc-provider on). Once hosted, set the `cookies.thirdPartyCheckUrl` to an absolute
+ * you host oidc-provider on). Once hosted, set the `features.sessionManagement.thirdPartyCheckUrl` to an absolute
* URL for the start page. See [this][third-party-cookies-so] for more info.
*
* Note: This is still just a best-effort solution and is in no way bulletproof. Currently there's
* no better way to check if access to third party cookies has been blocked or the cookies are just
- * missing. (ITP2.0 Storage Access API is also not an option)
+ * missing. (Safari's ITP 2.0 Storage Access API also cannot be used)
+ *
+ * Configure `features.sessionManagement` as an object like so:
+ *
+ * ```js
+ * { thirdPartyCheckUrl: 'https://your-location.example.com/start.html' },
+ * ```
*
* example: To disable removing frame-ancestors from Content-Security-Policy and X-Frame-Options
* Only do this if you know what you're doing either in a followup middleware or your app server,
diff --git a/lib/provider.js b/lib/provider.js
index 92522ad12..ee3a51747 100644
--- a/lib/provider.js
+++ b/lib/provider.js
@@ -102,11 +102,6 @@ class Provider extends events.EventEmitter {
attention.warn('configuration cookies.keys is missing, this option is critical to detect and ignore tampered cookies');
}
- if (setup.features && setup.features.sessionManagement
- && (!setup.cookies || !setup.cookies.thirdPartyCheckUrl)) {
- attention.warn('configuration cookies.thirdPartyCheckUrl is missing, it should be set when running in production');
- }
-
instance(this).app = app;
instance(this).defaultHttpOptions = {