From 67ef1419a0a2ff2528eb789d610fe380b870767e Mon Sep 17 00:00:00 2001
From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Date: Wed, 29 Jan 2020 13:27:44 +0100
Subject: [PATCH 10/11] always add a SameSite=None value to the Set-Cookie
header
- to satisfy upcoming Chrome/Firefox changes
this can be overridden by using, e.g.:
SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
(cherry picked from commit 3b4770f49cc67b9b0ae8732e9908895683ea556c)
---
ChangeLog | 10 ++++++++++
src/mod_auth_openidc.c | 6 +++---
src/mod_auth_openidc.h | 2 ++
src/session.c | 2 +-
4 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index b3ed8f3..a7169e4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+01/29/2020
+- always add a SameSite value to the Set-Cookie header to satisfy upcoming Chrome/Firefox changes
+ this can be overridden by using, e.g.:
+ SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
+- release 2.4.1rc6
+
+01/22/2020
+- URL encode logout url in session management JS; thanks Paolo Battino
+- bump to 2.4.1rc5
+
01/15/2020
- add value of OIDC_SET_COOKIE_APPEND env var to Set-Cookie headers
useful for handling changing/upcoming SameSite behaviors across different browsers, e.g.:
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
index 6c86271..a4429a6 100644
--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -576,7 +576,7 @@ static apr_byte_t oidc_authorization_request_set_cookie(request_rec *r,
const char *cookieName = oidc_get_state_cookie_name(r, state);
/* set it as a cookie */
- oidc_util_set_cookie(r, cookieName, cookieValue, -1, NULL);
+ oidc_util_set_cookie(r, cookieName, cookieValue, -1, OIDC_COOKIE_EXT_SAME_SITE_NONE);
free(s_value);
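Review bot: Current Chrome (80+) discards a cookie carrying `SameSite=None` unless it also carries `Secure`, and this hunk does not show whether `oidc_util_set_cookie` adds `Secure` unconditionally or only for HTTPS requests; if the latter, the state cookie will be dropped on plain-HTTP deployments and the authorization response will fail its state check, which is a worse outcome than the old no-attribute behaviour. Worth a call-site comment so the coupling is visible: `/* SameSite=None: the authorization response may arrive cross-site (form_post); browsers require Secure alongside it */`. Note that `Lax` would already admit the top-level GET redirect of query/fragment response modes, so `None` is only strictly needed for form_post — a one-line comment stating that would save a future reader from tightening it blindly. The enclosing function `oidc_authorization_request_set_cookie` starts before this hunk.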
@@ -1644,7 +1644,7 @@ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) {
oidc_debug(r, "redirecting to external discovery page: %s", url);
/* set CSRF cookie */
- oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1, NULL);
+ oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1, OIDC_COOKIE_EXT_SAME_SITE_NONE);
/* do the actual redirect to an external discovery page */
apr_table_add(r->headers_out, "Location", url);
@@ -1705,7 +1705,7 @@ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) {
"%s<p><input type=\"submit\" value=\"Submit\"></p>\n", s);
s = apr_psprintf(r->pool, "%s</form>\n", s);
- oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1, NULL);
+ oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1, OIDC_COOKIE_EXT_SAME_SITE_NONE);
/* now send the HTML contents to the user agent */
return oidc_util_html_send(r, "OpenID Connect Provider Discovery",
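Review bot: This CSRF cookie guards the module's own self-rendered discovery form, and if that form posts back to the module's redirect URI (its `action` is not visible in the hunk) the submit is same-site, so `SameSite=None` relaxes it further than needed; `Lax` would still let the cookie accompany the form post while keeping it off third-party requests. The double-submit check itself stays sound since an attacker still cannot read the value, so this is a hardening point rather than a bypass. If `None` is kept deliberately for symmetry with the external-discovery path above, a short comment saying so would help: `/* same value as the external-discovery redirect; Lax would suffice for the local form */`. The enclosing function `oidc_discovery` starts before this hunk.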
diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
index d6c5050..cbace6a 100644
--- a/src/mod_auth_openidc.h
+++ b/src/mod_auth_openidc.h
@@ -202,6 +202,8 @@ APLOG_USE_MODULE(auth_openidc);
#define OIDC_CACHE_SECTION_ACCESS_TOKEN "access_token"
#define OIDC_CACHE_SECTION_PROVIDER "provider"
+#define OIDC_COOKIE_EXT_SAME_SITE_NONE "SameSite=None"
+
typedef enum {
AUTHENTICATE, PASS, RETURN401
} unauthenticated_action;
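Review bot: The new `OIDC_COOKIE_EXT_SAME_SITE_NONE` macro is used as a bare `Set-Cookie` extension, but `SameSite=None` has a hard precondition in current browsers (it is ignored without `Secure`) and it means "no cross-site restriction", which is the weakest of the three values; neither fact is recorded where the constant is defined. A comment on the define would stop it being reused casually: `/* weakest SameSite value; only honoured when the cookie is also Secure (HTTPS) */`. Since the commit message relies on `OIDC_SET_COOKIE_APPEND` as the override, it may also be worth noting here that the macro is the default for the state, CSRF and session cookies so that readers know which cookies it affects.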
diff --git a/src/session.c b/src/session.c
index 28b43d0..a8c5652 100644
--- a/src/session.c
+++ b/src/session.c
@@ -380,7 +380,7 @@ static apr_status_t oidc_session_save_cache(request_rec *r, session_rec *z) {
/* set the uuid in the cookie */
oidc_util_set_cookie(r, d->cookie, key,
- c->persistent_session_cookie ? z->expiry : -1, NULL);
+ c->persistent_session_cookie ? z->expiry : -1, OIDC_COOKIE_EXT_SAME_SITE_NONE);
/* store the string-encoded session in the cache */
c->cache->set(r, OIDC_CACHE_SECTION_SESSION, key, z->encoded,
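Review bot: Setting `SameSite=None` on the session cookie opts every request to the protected application out of the cross-site protection that the upcoming `Lax`-by-default browser behaviour would otherwise give it, not just the OIDC callback; the application behind the module, if it has no CSRF defence of its own, becomes reachable by cross-site form posts with a valid session. The cross-site return from the OP is validated against the state cookie set elsewhere in this patch, so the session cookie itself does not appear to need `None` unless the callback must see an existing session — which this hunk cannot confirm. Consider a distinct, stricter default for this call, e.g. `c->persistent_session_cookie ? z->expiry : -1, "SameSite=Lax");`, or making the value a configuration directive rather than a compile-time constant, and in any case add a comment explaining why the weakest value was chosen here. The enclosing function `oidc_session_save_cache` starts before and continues after this hunk.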
--
2.26.2