96 lines
3.5 KiB
Diff
96 lines
3.5 KiB
Diff
From 2c999448c87b286744ac9802cb8e4277d5c38b71 Mon Sep 17 00:00:00 2001
|
|
From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
|
|
Date: Wed, 29 Jan 2020 13:27:44 +0100
|
|
Subject: [PATCH 16/19] always add a SameSite value to the Set-Cookie header
|
|
|
|
- to satisfy upcoming Chrome/Firefox changes
|
|
this can be overridden by using, e.g.:
|
|
SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
|
|
- release 2.4.1rc6
|
|
|
|
Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
|
|
(cherry picked from commit 3b4770f49cc67b9b0ae8732e9908895683ea556c)
|
|
---
|
|
ChangeLog | 5 +++++
|
|
src/mod_auth_openidc.c | 10 +++++++---
|
|
src/mod_auth_openidc.h | 1 +
|
|
src/session.c | 2 +-
|
|
4 files changed, 14 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/ChangeLog b/ChangeLog
|
|
index fc7c5ae..b67f764 100644
|
|
--- a/ChangeLog
|
|
+++ b/ChangeLog
|
|
@@ -1,3 +1,8 @@
|
|
+01/29/2020
|
|
+- always add a SameSite value to the Set-Cookie header to satisfy upcoming Chrome/Firefox changes
|
|
+ this can be overridden by using, e.g.:
|
|
+ SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
|
|
+
|
|
01/15/2020
|
|
- add value of OIDC_SET_COOKIE_APPEND env var to Set-Cookie headers
|
|
useful for handling changing/upcoming SameSite behaviors across different browsers, e.g.:
|
|
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
|
|
index 38558d2..0d2b37c 100644
|
|
--- a/src/mod_auth_openidc.c
|
|
+++ b/src/mod_auth_openidc.c
|
|
@@ -916,7 +916,9 @@ static int oidc_authorization_request_set_cookie(request_rec *r, oidc_cfg *c,
|
|
|
|
/* set it as a cookie */
|
|
oidc_util_set_cookie(r, cookieName, cookieValue, -1,
|
|
- c->cookie_same_site ? OIDC_COOKIE_EXT_SAME_SITE_LAX : NULL);
|
|
+ c->cookie_same_site ?
|
|
+ OIDC_COOKIE_EXT_SAME_SITE_LAX :
|
|
+ OIDC_COOKIE_EXT_SAME_SITE_NONE);
|
|
|
|
return HTTP_OK;
|
|
}
|
|
@@ -2183,7 +2185,7 @@ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) {
|
|
oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1,
|
|
cfg->cookie_same_site ?
|
|
OIDC_COOKIE_EXT_SAME_SITE_STRICT :
|
|
- NULL);
|
|
+ OIDC_COOKIE_EXT_SAME_SITE_NONE);
|
|
|
|
/* see if we need to preserve POST parameters through Javascript/HTML5 storage */
|
|
if (oidc_post_preserve_javascript(r, url, NULL, NULL) == TRUE)
|
|
@@ -2276,7 +2278,9 @@ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) {
|
|
s = apr_psprintf(r->pool, "%s</form>\n", s);
|
|
|
|
oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1,
|
|
- cfg->cookie_same_site ? OIDC_COOKIE_EXT_SAME_SITE_STRICT : NULL);
|
|
+ cfg->cookie_same_site ?
|
|
+ OIDC_COOKIE_EXT_SAME_SITE_STRICT :
|
|
+ OIDC_COOKIE_EXT_SAME_SITE_NONE);
|
|
|
|
char *javascript = NULL, *javascript_method = NULL;
|
|
char *html_head =
|
|
diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
|
|
index fada56d..5f1a79a 100644
|
|
--- a/src/mod_auth_openidc.h
|
|
+++ b/src/mod_auth_openidc.h
|
|
@@ -213,6 +213,7 @@ APLOG_USE_MODULE(auth_openidc);
|
|
|
|
#define OIDC_COOKIE_EXT_SAME_SITE_LAX "SameSite=Lax"
|
|
#define OIDC_COOKIE_EXT_SAME_SITE_STRICT "SameSite=Strict"
|
|
+#define OIDC_COOKIE_EXT_SAME_SITE_NONE "SameSite=None"
|
|
|
|
/* https://tools.ietf.org/html/draft-ietf-tokbind-ttrp-01 */
|
|
#define OIDC_TB_CFG_PROVIDED_ENV_VAR "Sec-Provided-Token-Binding-ID"
|
|
diff --git a/src/session.c b/src/session.c
|
|
index 1c6e118..cd9ccb8 100644
|
|
--- a/src/session.c
|
|
+++ b/src/session.c
|
|
@@ -204,7 +204,7 @@ static apr_byte_t oidc_session_save_cache(request_rec *r, oidc_session_t *z,
|
|
(first_time ?
|
|
OIDC_COOKIE_EXT_SAME_SITE_LAX :
|
|
OIDC_COOKIE_EXT_SAME_SITE_STRICT) :
|
|
- NULL);
|
|
+ OIDC_COOKIE_EXT_SAME_SITE_NONE);
|
|
|
|
} else {
|
|
/* clear the cookie */
|
|
--
|
|
2.26.2
|
|
|