From 2c999448c87b286744ac9802cb8e4277d5c38b71 Mon Sep 17 00:00:00 2001
From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Date: Wed, 29 Jan 2020 13:27:44 +0100
Subject: [PATCH 16/19] always add a SameSite value to the Set-Cookie header

- to satisfy upcoming Chrome/Firefox changes;
  this can be overridden by using, e.g.:
    SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
- release 2.4.1rc6

Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
(cherry picked from commit 3b4770f49cc67b9b0ae8732e9908895683ea556c)
---
 ChangeLog              |  5 +++++
 src/mod_auth_openidc.c | 10 +++++++---
 src/mod_auth_openidc.h |  1 +
 src/session.c          |  2 +-
 4 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index fc7c5ae..b67f764 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+01/29/2020
+- always add a SameSite value to the Set-Cookie header to satisfy upcoming Chrome/Firefox changes
+  this can be overridden by using, e.g.:
+    SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
+
 01/15/2020
 - add value of OIDC_SET_COOKIE_APPEND env var to Set-Cookie headers
   useful for handling changing/upcoming SameSite behaviors across different browsers, e.g.:
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
index 38558d2..0d2b37c 100644
--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -916,7 +916,9 @@ static int oidc_authorization_request_set_cookie(request_rec *r, oidc_cfg *c,
 
 	/* set it as a cookie */
 	oidc_util_set_cookie(r, cookieName, cookieValue, -1,
-			c->cookie_same_site ? OIDC_COOKIE_EXT_SAME_SITE_LAX : NULL);
+			c->cookie_same_site ?
+					OIDC_COOKIE_EXT_SAME_SITE_LAX :
+					OIDC_COOKIE_EXT_SAME_SITE_NONE);
 
 	return HTTP_OK;
 }
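Review bot: With `cookie_same_site` off, the state cookie set on the new line 45 now carries `SameSite=None`, but the Chrome rollout this commit targets only accepts `SameSite=None` on cookies that are also `Secure`; nothing in this hunk shows `oidc_util_set_cookie` adding `Secure`, so on a plain-http vhost the cookie is likely to be dropped by the browser and the authorization round trip to fail where it used to work. Note also that `None` is strictly weaker than the `Lax` those browsers now apply by default, so leaving `NULL` was a neutral choice while `None` is an explicit opt-out of the new protection. If None is required here (e.g. for a cross-site POST callback), guard it on the cookie actually being secure, or at least document it: `/* SameSite=None is only honoured when the cookie is also Secure; on http the attribute is rejected */`. The body of oidc_authorization_request_set_cookie begins outside this hunk.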
@@ -2183,7 +2185,7 @@ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) {
 		oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1,
 				cfg->cookie_same_site ?
 						OIDC_COOKIE_EXT_SAME_SITE_STRICT :
-						NULL);
+						OIDC_COOKIE_EXT_SAME_SITE_NONE);
 
 		/* see if we need to preserve POST parameters through Javascript/HTML5 storage */
 		if (oidc_post_preserve_javascript(r, url, NULL, NULL) == TRUE)
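Review bot: The cookie on line 50 is the CSRF cookie, and marking it `SameSite=None` when `cookie_same_site` is off explicitly opts the anti-CSRF token into cross-site requests — the one cookie for which that is counterproductive. If the discovery form check is a double-submit comparison of the cookie against a form field (the verifying code is not in this hunk), the check itself still holds, but the SameSite layer of defense is gone, and the same `Secure` requirement as for any `SameSite=None` cookie applies. Add a comment stating why None is acceptable on this cookie, or keep `NULL` for the CSRF cookie specifically: `/* NOTE(review): CSRF token cookie — None is deliberate only if the form-field comparison alone is relied on; confirm */`. oidc_discovery continues past the end of this hunk.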
@@ -2276,7 +2278,9 @@ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) {
 	s = apr_psprintf(r->pool, "%s</form>\n", s);
 
 	oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1,
-			cfg->cookie_same_site ? OIDC_COOKIE_EXT_SAME_SITE_STRICT : NULL);
+			cfg->cookie_same_site ?
+					OIDC_COOKIE_EXT_SAME_SITE_STRICT :
+					OIDC_COOKIE_EXT_SAME_SITE_NONE);
 
 	char *javascript = NULL, *javascript_method = NULL;
 	char *html_head =
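Review bot: The CSRF cookie is now set twice in oidc_discovery (line 50 and line 61) with an identical three-line ternary, and the state cookie in oidc_authorization_request_set_cookie repeats the same shape with `LAX`; a later tweak to one site (say, adding the Secure guard) is easy to miss in the others. Extract the attribute choice into one place, e.g. `static const char *oidc_csrf_cookie_ext(oidc_cfg *cfg) { return cfg->cookie_same_site ? OIDC_COOKIE_EXT_SAME_SITE_STRICT : OIDC_COOKIE_EXT_SAME_SITE_NONE; }` and call it from both `oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1, ...)` sites. oidc_discovery starts and ends outside this hunk.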
diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
index fada56d..5f1a79a 100644
--- a/src/mod_auth_openidc.h
+++ b/src/mod_auth_openidc.h
@@ -213,6 +213,7 @@ APLOG_USE_MODULE(auth_openidc);
 
 #define OIDC_COOKIE_EXT_SAME_SITE_LAX    "SameSite=Lax"
 #define OIDC_COOKIE_EXT_SAME_SITE_STRICT "SameSite=Strict"
+#define OIDC_COOKIE_EXT_SAME_SITE_NONE   "SameSite=None"
 
 /* https://tools.ietf.org/html/draft-ietf-tokbind-ttrp-01 */
 #define OIDC_TB_CFG_PROVIDED_ENV_VAR     "Sec-Provided-Token-Binding-ID"
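Review bot: The new `OIDC_COOKIE_EXT_SAME_SITE_NONE` macro is the only one of the three SameSite values that browsers condition on another attribute, and nothing at the definition warns the next caller. Document the constraint next to the define: `/* SameSite=None is rejected by current Chrome/Firefox unless the cookie is also Secure; callers must ensure Secure is set */`.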
diff --git a/src/session.c b/src/session.c
index 1c6e118..cd9ccb8 100644
--- a/src/session.c
+++ b/src/session.c
@@ -204,7 +204,7 @@ static apr_byte_t oidc_session_save_cache(request_rec *r, oidc_session_t *z,
 									(first_time ?
 											OIDC_COOKIE_EXT_SAME_SITE_LAX :
 											OIDC_COOKIE_EXT_SAME_SITE_STRICT) :
-											NULL);
+											OIDC_COOKIE_EXT_SAME_SITE_NONE);
 
 	} else {
 		/* clear the cookie */
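Review bot: Line 90 now emits `SameSite=None` on the session cookie whenever `cookie_same_site` is off, which turns the previous "browser default" (now `Lax` in the browsers the commit cites) into an explicit opt-in to cross-site delivery of the most sensitive cookie the module sets, and — as with the other cookies in this patch — Chrome will discard it unless `Secure` is also present, which this hunk does not show. The override route in the commit message (`OIDC_SET_COOKIE_APPEND`) appends to the Set-Cookie header, so whether it can actually remove a SameSite attribute that is now always emitted depends on `oidc_util_set_cookie`, not visible here; if it cannot, clients that mishandle `None` (the iOS case the message alludes to) have no way back to the old behaviour. Consider leaving `NULL` when the cookie is not Secure, and add a comment such as `/* cookie_same_site off: None, not browser default — required for cross-site callbacks, only valid with Secure */`. The `oidc_util_set_cookie` call begins before line 86, outside this hunk.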
-- 
2.26.2