From 2c999448c87b286744ac9802cb8e4277d5c38b71 Mon Sep 17 00:00:00 2001
From: Hans Zandbelt
Date: Wed, 29 Jan 2020 13:27:44 +0100
Subject: [PATCH 16/19] always add a SameSite value to the Set-Cookie header
- to satisfy upcoming Chrome/Firefox changes this can be overridden by using, e.g.: SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
- release 2.4.1rc6
Signed-off-by: Hans Zandbelt
(cherry picked from commit 3b4770f49cc67b9b0ae8732e9908895683ea556c)
---
 ChangeLog              |  5 +++++
 src/mod_auth_openidc.c | 10 +++++++---
 src/mod_auth_openidc.h |  1 +
 src/session.c          |  2 +-
 4 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index fc7c5ae..b67f764 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+01/29/2020
+- always add a SameSite value to the Set-Cookie header to satisfy upcoming Chrome/Firefox changes
+  this can be overridden by using, e.g.:
+  SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
+
 01/15/2020
 - add value of OIDC_SET_COOKIE_APPEND env var to Set-Cookie headers
   useful for handling changing/upcoming SameSite behaviors across different browsers, e.g.:
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
index 38558d2..0d2b37c 100644
--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -916,7 +916,9 @@ static int oidc_authorization_request_set_cookie(request_rec *r, oidc_cfg *c,
 
 	/* set it as a cookie */
 	oidc_util_set_cookie(r, cookieName, cookieValue, -1,
-			c->cookie_same_site ? OIDC_COOKIE_EXT_SAME_SITE_LAX : NULL);
+			c->cookie_same_site ?
+					OIDC_COOKIE_EXT_SAME_SITE_LAX :
+					OIDC_COOKIE_EXT_SAME_SITE_NONE);
 
 	return HTTP_OK;
 }
@@ -2183,7 +2185,7 @@ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) {
 	oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1,
 			cfg->cookie_same_site ?
 					OIDC_COOKIE_EXT_SAME_SITE_STRICT :
-					NULL);
+					OIDC_COOKIE_EXT_SAME_SITE_NONE);
 
 	/* see if we need to preserve POST parameters through Javascript/HTML5 storage */
 	if (oidc_post_preserve_javascript(r, url, NULL, NULL) == TRUE)
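Review bot: The else branch of the ternary in oidc_authorization_request_set_cookie now emits `SameSite=None` unconditionally whenever `cookie_same_site` is off, but browsers that implement the new SameSite defaults only accept `SameSite=None` on cookies that also carry the `Secure` attribute, and Chrome 80+ discards such a cookie otherwise; on a plain-HTTP deployment the state cookie is then lost where the old `NULL` (no attribute) was still stored. Whether oidc_util_set_cookie adds `Secure` depends on code outside this hunk, so the fallback should be gated on the same TLS check the helper uses, e.g. `c->cookie_same_site ? OIDC_COOKIE_EXT_SAME_SITE_LAX : (<request is HTTPS> ? OIDC_COOKIE_EXT_SAME_SITE_NONE : NULL)`, with `<request is HTTPS>` standing for whatever condition sets the helper's Secure flag. A one-line why-comment above the call, `/* explicit SameSite=None keeps cross-site callbacks working under Lax-by-default browsers; only valid together with Secure */`, would record the intent for the next reader. The same unconditional `OIDC_COOKIE_EXT_SAME_SITE_NONE` fallback appears in the two oidc_discovery hunks (CSRF cookie) and in oidc_session_save_cache in src/session.c.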
@@ -2276,7 +2278,9 @@ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) {
 	s = apr_psprintf(r->pool, "%s\n", s);
 	oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1,
-			cfg->cookie_same_site ? OIDC_COOKIE_EXT_SAME_SITE_STRICT : NULL);
+			cfg->cookie_same_site ?
+					OIDC_COOKIE_EXT_SAME_SITE_STRICT :
+					OIDC_COOKIE_EXT_SAME_SITE_NONE);
 
 	char *javascript = NULL, *javascript_method = NULL;
 	char *html_head =
diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
index fada56d..5f1a79a 100644
--- a/src/mod_auth_openidc.h
+++ b/src/mod_auth_openidc.h
@@ -213,6 +213,7 @@ APLOG_USE_MODULE(auth_openidc);
 #define OIDC_COOKIE_EXT_SAME_SITE_LAX "SameSite=Lax"
 #define OIDC_COOKIE_EXT_SAME_SITE_STRICT "SameSite=Strict"
+#define OIDC_COOKIE_EXT_SAME_SITE_NONE "SameSite=None"
 
 /* https://tools.ietf.org/html/draft-ietf-tokbind-ttrp-01 */
 #define OIDC_TB_CFG_PROVIDED_ENV_VAR "Sec-Provided-Token-Binding-ID"
diff --git a/src/session.c b/src/session.c
index 1c6e118..cd9ccb8 100644
--- a/src/session.c
+++ b/src/session.c
@@ -204,7 +204,7 @@ static apr_byte_t oidc_session_save_cache(request_rec *r, oidc_session_t *z,
 				(first_time ? OIDC_COOKIE_EXT_SAME_SITE_LAX : OIDC_COOKIE_EXT_SAME_SITE_STRICT) :
-				NULL);
+				OIDC_COOKIE_EXT_SAME_SITE_NONE);
 
 	} else {
 
 		/* clear the cookie */
-- 
2.26.2
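Review bot: The new `OIDC_COOKIE_EXT_SAME_SITE_NONE` define carries no note on the constraint that sets it apart from the Lax and Strict values: browsers only honor `SameSite=None` when the cookie is also flagged `Secure`, and Chrome 80+ rejects the cookie outright otherwise, so emitting it on a non-TLS cookie is worse than omitting the attribute. A comment above the define, `/* only honored together with the Secure flag; current browsers drop non-TLS cookies that carry it */`, would warn the call sites that now pass it as the default.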