From 2c999448c87b286744ac9802cb8e4277d5c38b71 Mon Sep 17 00:00:00 2001
From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Date: Wed, 29 Jan 2020 13:27:44 +0100
Subject: [PATCH 16/19] always add a SameSite value to the Set-Cookie header
- to satisfy upcoming Chrome/Firefox changes
this can be overridden by using, e.g.:
SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
- release 2.4.1rc6
Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
(cherry picked from commit 3b4770f49cc67b9b0ae8732e9908895683ea556c)
---
ChangeLog | 5 +++++
src/mod_auth_openidc.c | 10 +++++++---
src/mod_auth_openidc.h | 1 +
src/session.c | 2 +-
4 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index fc7c5ae..b67f764 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+01/29/2020
+- always add a SameSite value to the Set-Cookie header to satisfy upcoming Chrome/Firefox changes
+ this can be overridden by using, e.g.:
+ SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
+
01/15/2020
- add value of OIDC_SET_COOKIE_APPEND env var to Set-Cookie headers
useful for handling changing/upcoming SameSite behaviors across different browsers, e.g.:
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
index 38558d2..0d2b37c 100644
--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -916,7 +916,9 @@ static int oidc_authorization_request_set_cookie(request_rec *r, oidc_cfg *c,
/* set it as a cookie */
oidc_util_set_cookie(r, cookieName, cookieValue, -1,
- c->cookie_same_site ? OIDC_COOKIE_EXT_SAME_SITE_LAX : NULL);
+ c->cookie_same_site ?
+ OIDC_COOKIE_EXT_SAME_SITE_LAX :
+ OIDC_COOKIE_EXT_SAME_SITE_NONE);
return HTTP_OK;
}
@@ -2183,7 +2185,7 @@ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) {
oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1,
cfg->cookie_same_site ?
OIDC_COOKIE_EXT_SAME_SITE_STRICT :
- NULL);
+ OIDC_COOKIE_EXT_SAME_SITE_NONE);
/* see if we need to preserve POST parameters through Javascript/HTML5 storage */
if (oidc_post_preserve_javascript(r, url, NULL, NULL) == TRUE)
@@ -2276,7 +2278,9 @@ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) {
s = apr_psprintf(r->pool, "%s</form>\n", s);
oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1,
- cfg->cookie_same_site ? OIDC_COOKIE_EXT_SAME_SITE_STRICT : NULL);
+ cfg->cookie_same_site ?
+ OIDC_COOKIE_EXT_SAME_SITE_STRICT :
+ OIDC_COOKIE_EXT_SAME_SITE_NONE);
char *javascript = NULL, *javascript_method = NULL;
char *html_head =
diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
index fada56d..5f1a79a 100644
--- a/src/mod_auth_openidc.h
+++ b/src/mod_auth_openidc.h
@@ -213,6 +213,7 @@ APLOG_USE_MODULE(auth_openidc);
#define OIDC_COOKIE_EXT_SAME_SITE_LAX "SameSite=Lax"
#define OIDC_COOKIE_EXT_SAME_SITE_STRICT "SameSite=Strict"
+#define OIDC_COOKIE_EXT_SAME_SITE_NONE "SameSite=None"
/* https://tools.ietf.org/html/draft-ietf-tokbind-ttrp-01 */
#define OIDC_TB_CFG_PROVIDED_ENV_VAR "Sec-Provided-Token-Binding-ID"
diff --git a/src/session.c b/src/session.c
index 1c6e118..cd9ccb8 100644
--- a/src/session.c
+++ b/src/session.c
@@ -204,7 +204,7 @@ static apr_byte_t oidc_session_save_cache(request_rec *r, oidc_session_t *z,
(first_time ?
OIDC_COOKIE_EXT_SAME_SITE_LAX :
OIDC_COOKIE_EXT_SAME_SITE_STRICT) :
- NULL);
+ OIDC_COOKIE_EXT_SAME_SITE_NONE);
} else {
/* clear the cookie */
--
2.26.2