From 2c999448c87b286744ac9802cb8e4277d5c38b71 Mon Sep 17 00:00:00 2001

From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>

Date: Wed, 29 Jan 2020 13:27:44 +0100

Subject: [PATCH 16/19] always add a SameSite value to the Set-Cookie header

- to satisfy upcoming Chrome/Firefox changes

  this can be overridden by using, e.g.:

    SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;

- release 2.4.1rc6

Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>

(cherry picked from commit 3b4770f49cc67b9b0ae8732e9908895683ea556c)

---

 ChangeLog              |  5 +++++

 src/mod_auth_openidc.c | 10 +++++++---

 src/mod_auth_openidc.h |  1 +

 src/session.c          |  2 +-

 4 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog

index fc7c5ae..b67f764 100644

--- a/ChangeLog

+++ b/ChangeLog

@@ -1,3 +1,8 @@

+01/29/2020

+- always add a SameSite value to the Set-Cookie header to satisfy upcoming Chrome/Firefox changes

+  this can be overridden by using, e.g.:

+    SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;

+

 01/15/2020

 - add value of OIDC_SET_COOKIE_APPEND env var to Set-Cookie headers

   useful for handling changing/upcoming SameSite behaviors across different browsers, e.g.:

diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c

index 38558d2..0d2b37c 100644

--- a/src/mod_auth_openidc.c

+++ b/src/mod_auth_openidc.c

@@ -916,7 +916,9 @@ static int oidc_authorization_request_set_cookie(request_rec *r, oidc_cfg *c,

 	/* set it as a cookie */

 	oidc_util_set_cookie(r, cookieName, cookieValue, -1,

-			c->cookie_same_site ? OIDC_COOKIE_EXT_SAME_SITE_LAX : NULL);

+			c->cookie_same_site ?

+					OIDC_COOKIE_EXT_SAME_SITE_LAX :

+					OIDC_COOKIE_EXT_SAME_SITE_NONE);

 	return HTTP_OK;

 }

@@ -2183,7 +2185,7 @@ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) {

 		oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1,

 				cfg->cookie_same_site ?

 						OIDC_COOKIE_EXT_SAME_SITE_STRICT :

-						NULL);

+						OIDC_COOKIE_EXT_SAME_SITE_NONE);

 		/* see if we need to preserve POST parameters through Javascript/HTML5 storage */

 		if (oidc_post_preserve_javascript(r, url, NULL, NULL) == TRUE)

@@ -2276,7 +2278,9 @@ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) {

 	s = apr_psprintf(r->pool, "%s</form>\n", s);

 	oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1,

-			cfg->cookie_same_site ? OIDC_COOKIE_EXT_SAME_SITE_STRICT : NULL);

+			cfg->cookie_same_site ?

+					OIDC_COOKIE_EXT_SAME_SITE_STRICT :

+					OIDC_COOKIE_EXT_SAME_SITE_NONE);

 	char *javascript = NULL, *javascript_method = NULL;

 	char *html_head =

diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h

index fada56d..5f1a79a 100644

--- a/src/mod_auth_openidc.h

+++ b/src/mod_auth_openidc.h

@@ -213,6 +213,7 @@ APLOG_USE_MODULE(auth_openidc);

 #define OIDC_COOKIE_EXT_SAME_SITE_LAX    "SameSite=Lax"

 #define OIDC_COOKIE_EXT_SAME_SITE_STRICT "SameSite=Strict"

+#define OIDC_COOKIE_EXT_SAME_SITE_NONE   "SameSite=None"

 /* https://tools.ietf.org/html/draft-ietf-tokbind-ttrp-01 */

 #define OIDC_TB_CFG_PROVIDED_ENV_VAR     "Sec-Provided-Token-Binding-ID"

diff --git a/src/session.c b/src/session.c

index 1c6e118..cd9ccb8 100644

--- a/src/session.c

+++ b/src/session.c

@@ -204,7 +204,7 @@ static apr_byte_t oidc_session_save_cache(request_rec *r, oidc_session_t *z,

 									(first_time ?

 											OIDC_COOKIE_EXT_SAME_SITE_LAX :

 											OIDC_COOKIE_EXT_SAME_SITE_STRICT) :

-											NULL);

+											OIDC_COOKIE_EXT_SAME_SITE_NONE);

 	} else {

 		/* clear the cookie */

-- 

2.26.2