From 7ef4ae72a8578475064eb66e3ed5703ccf6ee078 Mon Sep 17 00:00:00 2001
From: Ruediger Pluem <r.pluem@gmx.de>
Date: Thu, 30 Apr 2020 07:56:01 +0200
Subject: [PATCH] Set SameSite to None on test cookie
If the SameSite cookie attribute is to be set because
MellonCookieSameSite is configured and MELLON_DISABLE_SAMESITE not set
for this particular request set it to None for the test cookie.
This ensures that the test cookie with the static test content does not
get lost in the HTTP-POST binding request issued by the autosubmit form
returned by the IDP.
Addresses #20
* auth_mellon.h: Add AM_FORCE_SAMESITE_NONE_NOTE
* auth_mellon_handler.c (am_send_login_authn_request): Set request note
to set SameSite to None if appropriate.
* auth_mellon_cookie.c (am_cookie_params): Set SameSite to None if
requested via request note.
---
auth_mellon.h | 3 +++
auth_mellon_cookie.c | 6 +++++-
auth_mellon_handler.c | 5 +++++
3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/auth_mellon.h b/auth_mellon.h
index fd39b28..401ed9c 100644
--- a/auth_mellon.h
+++ b/auth_mellon.h
@@ -100,6 +100,9 @@ typedef enum {
/* Disable SameSite Environment Value */
#define AM_DISABLE_SAMESITE_ENV_VAR "MELLON_DISABLE_SAMESITE"
+/* Force setting SameSite to None */
+#define AM_FORCE_SAMESITE_NONE_NOTE "MELLON_FORCE_SAMESITE_NONE"
+
/* This is the length of the id we use (for session IDs and
* replaying POST data).
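Review bot: The comment on the new `AM_FORCE_SAMESITE_NONE_NOTE` define does not say what kind of identifier it is or who consumes it, and since the line above it defines an environment-variable name (`AM_DISABLE_SAMESITE_ENV_VAR`) the two are easy to confuse. Based on the other two hunks, the value is a key in `r->notes` that am_cookie_params reads while am_send_login_authn_request has it set. I would word it `/* Request note (r->notes) key; while present, am_cookie_params emits SameSite=None for the cookie being set. */`.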
diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
index 55f77a5..6bff81e 100644
--- a/auth_mellon_cookie.c
+++ b/auth_mellon_cookie.c
@@ -78,7 +78,11 @@ static const char *am_cookie_params(request_rec *r)
}
if (env_var_value == NULL){
- if (cfg->cookie_samesite == am_samesite_lax) {
+ if ((cfg->cookie_samesite != am_samesite_default) &&
+ (apr_table_get(r->notes, AM_FORCE_SAMESITE_NONE_NOTE) != NULL)) {
+ cookie_samesite = "; SameSite=None";
+ }
+ else if (cfg->cookie_samesite == am_samesite_lax) {
cookie_samesite = "; SameSite=Lax";
} else if (cfg->cookie_samesite == am_samesite_strict) {
cookie_samesite = "; SameSite=Strict";
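Review bot: The new `SameSite=None` branch does not pair the attribute with `Secure`, and current browsers discard a `SameSite=None` cookie that lacks `Secure`, so over plain HTTP the test cookie is as likely to be lost as before; whether `Secure` is appended elsewhere in am_cookie_params is outside the hunk, so this is inferred. If the secure-cookie setting is available in `cfg`, consider requiring it in the added condition, or at least record the dependency next to the assignment with `/* SameSite=None is only honoured by browsers when the cookie is also Secure. */`. The forced-None check also sits inside the `env_var_value == NULL` branch, so MELLON_DISABLE_SAMESITE still takes precedence; that matches the commit message but deserves a one-line comment. am_cookie_params starts before this hunk.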
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
index 395ee1d..40c9bcd 100644
--- a/auth_mellon_handler.c
+++ b/auth_mellon_handler.c
@@ -3261,8 +3261,13 @@ static int am_send_login_authn_request(request_rec *r, const char *idp,
/* Add cookie for cookie test. We know that we should have
* a valid cookie when we return from the IdP after SP-initiated
* login.
+ * Ensure that SameSite is set to None for this cookie if SameSite
+ * is allowed to be set as the cookie otherwise gets lost on
+ * HTTP-POST binding messages.
*/
+ apr_table_setn(r->notes, AM_FORCE_SAMESITE_NONE_NOTE, "1");
am_cookie_set(r, "cookietest");
+ apr_table_unset(r->notes, AM_FORCE_SAMESITE_NONE_NOTE);
server = am_get_lasso_server(r);
if(server == NULL) {
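Review bot: Setting and clearing a request note around the single `am_cookie_set(r, "cookietest")` call passes an implicit argument through `r->notes`, so the reader of am_cookie_params cannot see from that function which cookies may be weakened; if am_cookie_set ever set more than the test cookie, or a later early return were added between the `apr_table_setn` and the `apr_table_unset`, the `SameSite=None` downgrade would silently apply to other cookies. The comment should state the scope and why the downgrade is acceptable, for example `* Only the static cookietest cookie is affected; session cookies keep the configured SameSite value.` An explicit flag parameter to am_cookie_set would make the scope visible at the call site, at the cost of changing a shared signature. am_send_login_authn_request starts before and continues after this hunk.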
--
2.26.2