From 67ef1419a0a2ff2528eb789d610fe380b870767e Mon Sep 17 00:00:00 2001
From: Hans Zandbelt
Date: Wed, 29 Jan 2020 13:27:44 +0100
Subject: [PATCH 10/11] always add a SameSite=Never value to the Set-Cookie header

- to satisfy upcoming Chrome/Firefox changes
 this can be overridden by using, e.g.:
 SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;

Signed-off-by: Hans Zandbelt
(cherry picked from commit 3b4770f49cc67b9b0ae8732e9908895683ea556c)
---
 ChangeLog | 10 ++++++++++
 src/mod_auth_openidc.c | 6 +++---
 src/mod_auth_openidc.h | 2 ++
 src/session.c | 2 +-
 4 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index b3ed8f3..a7169e4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+01/29/2020
+- always add a SameSite value to the Set-Cookie header to satisfy upcoming Chrome/Firefox changes
+ this can be overridden by using, e.g.:
+ SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
+- release 2.4.1rc6
+
+01/22/2020
+- URL encode logout url in session management JS; thanks Paolo Battino
+- bump to 2.4.1rc5
+
 01/15/2020 - add value of OIDC_SET_COOKIE_APPEND env var to Set-Cookie headers useful for handling changing/upcoming SameSite behaviors across different browsers, e.g.:
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
index 6c86271..a4429a6 100644
--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -576,7 +576,7 @@ static apr_byte_t oidc_authorization_request_set_cookie(request_rec *r,
 const char *cookieName = oidc_get_state_cookie_name(r, state);
 /* set it as a cookie */
- oidc_util_set_cookie(r, cookieName, cookieValue, -1, NULL);
+ oidc_util_set_cookie(r, cookieName, cookieValue, -1, OIDC_COOKIE_EXT_SAME_SITE_NONE);
 free(s_value);
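Review bot: The state cookie is now tagged `SameSite=None`, but the only extension passed on the `+` line is the macro and nothing visible adds the `Secure` attribute; browsers that enforce the new SameSite rules drop a `SameSite=None` cookie that is not also `Secure`, so this relies on `oidc_util_set_cookie` (not in the patch) already appending `Secure`, and if it only does so for https requests the cookie will silently disappear on plain-http deployments. Worth either confirming that behaviour in the helper or widening the macro to `"SameSite=None; Secure"`. The same applies to the CSRF cookie in the `@@ -1644` and `@@ -1705` hunks and to the session cookie in `src/session.c`. The enclosing function `oidc_authorization_request_set_cookie` starts before this hunk and continues after it.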
@@ -1644,7 +1644,7 @@ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) {
 oidc_debug(r, "redirecting to external discovery page: %s", url);
 /* set CSRF cookie */
- oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1, NULL);
+ oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1, OIDC_COOKIE_EXT_SAME_SITE_NONE);
 /* do the actual redirect to an external discovery page */
 apr_table_add(r->headers_out, "Location", url);
@@ -1705,7 +1705,7 @@ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) {
 "%s

\n", s);
 s = apr_psprintf(r->pool, "%s\n", s);
- oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1, NULL);
+ oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1, OIDC_COOKIE_EXT_SAME_SITE_NONE);
 /* now send the HTML contents to the user agent */
 return oidc_util_html_send(r, "OpenID Connect Provider Discovery",
diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
index d6c5050..cbace6a 100644
--- a/src/mod_auth_openidc.h
+++ b/src/mod_auth_openidc.h
@@ -202,6 +202,8 @@ APLOG_USE_MODULE(auth_openidc);
 #define OIDC_CACHE_SECTION_ACCESS_TOKEN "access_token"
 #define OIDC_CACHE_SECTION_PROVIDER "provider"
+#define OIDC_COOKIE_EXT_SAME_SITE_NONE "SameSite=None"
+
 typedef enum { AUTHENTICATE, PASS, RETURN401 } unauthenticated_action;
diff --git a/src/session.c b/src/session.c
index 28b43d0..a8c5652 100644
--- a/src/session.c
+++ b/src/session.c
@@ -380,7 +380,7 @@ static apr_status_t oidc_session_save_cache(request_rec *r, session_rec *z) {
 /* set the uuid in the cookie */
 oidc_util_set_cookie(r, d->cookie, key,
- c->persistent_session_cookie ? z->expiry : -1, NULL);
+ c->persistent_session_cookie ? z->expiry : -1, OIDC_COOKIE_EXT_SAME_SITE_NONE);
 /* store the string-encoded session in the cache */
 c->cache->set(r, OIDC_CACHE_SECTION_SESSION, key, z->encoded,
-- 
2.26.2
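Review bot: The new `OIDC_COOKIE_EXT_SAME_SITE_NONE` define carries no comment saying why `None` is the value applied to every cookie or what it obliges the caller to do, and since `SameSite=None` is only honoured when the cookie is also `Secure` that is worth stating next to the value, e.g. `/* SameSite value appended to every Set-Cookie; browsers only honour None when the cookie is also Secure; override per request via OIDC_SET_COOKIE_APPEND */`. The commit subject reads `SameSite=Never` while the value defined here is `SameSite=None`; the ChangeLog entry and the call sites in this patch all use `None`, so the subject looks like a typo.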
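Review bot: Hard-coding `OIDC_COOKIE_EXT_SAME_SITE_NONE` for the session cookie gives up the cross-site protection SameSite provided for it, and the expiry expression on the same `+` line (`c->persistent_session_cookie ? z->expiry : -1`) shows this may be a persistent cookie, so the relaxation lasts for the whole session lifetime. The state and CSRF cookies changed elsewhere in this patch have to survive the cross-site return from the OP, but the session cookie only needs that in particular flows (front-channel logout from the OP would be one; the patch does not say which motivated it), so consider making the SameSite value a configuration setting defaulting to `Lax` for the session cookie instead of a fixed macro. Until then a comment such as `/* SameSite=None: the session cookie must also be presented on cross-site requests from the OP */` would stop a later reader from "fixing" it back to `Lax`. The enclosing function `oidc_session_save_cache` starts before the hunk and continues after it.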