diff --git a/ChangeLog b/ChangeLog
index cfbf89e8..f44e1353 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+01/29/2020
+- always add a SameSite value to the Set-Cookie header to satisfy upcoming Chrome/Firefox changes
+ this can be overridden by using, e.g.:
+ SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
+- release 2.4.1rc6
+
 01/22/2020
 - URL encode logout url in session management JS; thanks Paolo Battino
 - bump to 2.4.1rc5
diff --git a/configure.ac b/configure.ac
index 8864b999..f3338820 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.1rc5],[hans.zandbelt@zmartzone.eu])
+AC_INIT([mod_auth_openidc],[2.4.1rc6],[hans.zandbelt@zmartzone.eu])
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
index b7fb86c0..8f55d060 100644
--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -921,7 +921,9 @@ static int oidc_authorization_request_set_cookie(request_rec *r, oidc_cfg *c,
 /* set it as a cookie */
 oidc_util_set_cookie(r, cookieName, cookieValue, -1,
- c->cookie_same_site ? OIDC_COOKIE_EXT_SAME_SITE_LAX : NULL);
+ c->cookie_same_site ?
+ OIDC_COOKIE_EXT_SAME_SITE_LAX :
+ OIDC_COOKIE_EXT_SAME_SITE_NONE);
 return HTTP_OK;
 }
@@ -2264,7 +2266,7 @@ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) {
 oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1,
 cfg->cookie_same_site ? OIDC_COOKIE_EXT_SAME_SITE_STRICT :
- NULL);
+ OIDC_COOKIE_EXT_SAME_SITE_NONE);
 /* see if we need to preserve POST parameters through Javascript/HTML5 storage */
 if (oidc_post_preserve_javascript(r, url, NULL, NULL) == TRUE)
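Review bot: The fallback branch added here emits `SameSite=None` unconditionally, but Chrome 80+ (and Firefox with the matching defaults) discard a `SameSite=None` cookie that is not also marked `Secure`, and nothing in this hunk shows `oidc_util_set_cookie` adding that flag; if it does not, the state cookie is silently dropped on a plain-HTTP vhost and the redirect_uri callback later fails for lack of a state cookie, which is worse than the attribute-less cookie it replaces. Either confirm the helper appends `Secure` whenever the extension is `SameSite=None`, or pass `OIDC_COOKIE_EXT_SAME_SITE_NONE` only when the request is HTTPS and keep `NULL` otherwise. A comment above the call would at least record the dependency: `/* SameSite=None is only honoured by browsers together with Secure; oidc_util_set_cookie must add that flag */`. `oidc_authorization_request_set_cookie` starts before this hunk.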
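Review bot: The expression `cfg->cookie_same_site ? <value> : OIDC_COOKIE_EXT_SAME_SITE_NONE` is now written out by hand in four call sites across this commit (this CSRF cookie, the state cookie, the discovery-page cookie and the session cookie), so any later refinement of the fallback — adding `Secure`, or choosing Lax instead of None for some cookies — has to be repeated in each. A three-line helper, e.g. `const char *oidc_cookie_same_site_ext(oidc_cfg *cfg, const char *enabled_value) { return cfg->cookie_same_site ? enabled_value : OIDC_COOKIE_EXT_SAME_SITE_NONE; }` (exported if session.c is to share it), would reduce this call to `oidc_cookie_same_site_ext(cfg, OIDC_COOKIE_EXT_SAME_SITE_STRICT)`. `oidc_discovery` begins before this hunk and continues after it.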
@@ -2357,7 +2359,9 @@ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) {
 s = apr_psprintf(r->pool, "%s\n", s);
 oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1,
- cfg->cookie_same_site ? OIDC_COOKIE_EXT_SAME_SITE_STRICT : NULL);
+ cfg->cookie_same_site ?
+ OIDC_COOKIE_EXT_SAME_SITE_STRICT :
+ OIDC_COOKIE_EXT_SAME_SITE_NONE);
 char *javascript = NULL, *javascript_method = NULL;
 char *html_head =
diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
index e7ee0fc5..7fb89554 100644
--- a/src/mod_auth_openidc.h
+++ b/src/mod_auth_openidc.h
@@ -219,6 +219,7 @@ APLOG_USE_MODULE(auth_openidc);
 #define OIDC_COOKIE_EXT_SAME_SITE_LAX "SameSite=Lax"
 #define OIDC_COOKIE_EXT_SAME_SITE_STRICT "SameSite=Strict"
+#define OIDC_COOKIE_EXT_SAME_SITE_NONE "SameSite=None"
 /* https://tools.ietf.org/html/draft-ietf-tokbind-ttrp-01 */
 #define OIDC_TB_CFG_PROVIDED_ENV_VAR "Sec-Provided-Token-Binding-ID"
diff --git a/src/session.c b/src/session.c
index cf809d13..46f94f46 100644
--- a/src/session.c
+++ b/src/session.c
@@ -226,7 +226,7 @@ static apr_byte_t oidc_session_save_cache(request_rec *r, oidc_session_t *z,
 (first_time ? OIDC_COOKIE_EXT_SAME_SITE_LAX : OIDC_COOKIE_EXT_SAME_SITE_STRICT) :
- NULL);
+ OIDC_COOKIE_EXT_SAME_SITE_NONE);
 } else {
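Review bot: The choice of an explicit `SameSite=None` over simply omitting the attribute is undocumented at this call, and for a CSRF cookie that is the one thing a reader will question: `None` is the explicit opt-out of the Lax default that browsers are moving to, so it should say why the module wants the old cross-site behaviour back. A comment above the `oidc_util_set_cookie` call along the lines of `/* OIDCCookieSameSite off: emit SameSite=None explicitly so browsers that now default to Lax keep treating this cookie as before; presumably needed for cross-site returns from the discovery page (confirm); browsers only honour None together with Secure */` would capture both the intent and the caveat. The start and end of `oidc_discovery` lie outside this hunk.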
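Review bot: For the session cookie this fallback is a CSRF regression relative to what the browser would otherwise enforce: with `OIDCCookieSameSite` off, the cookie is now explicitly `SameSite=None`, so every cross-site POST and credentialed fetch to the protected application carries the logged-in session, whereas an attribute-less cookie would have been treated as Lax by Chrome 80+ at no cost. This branch already distinguishes a first-response Lax cookie from a later Strict one, so a safer fallback here would be `OIDC_COOKIE_EXT_SAME_SITE_LAX` (or the old `NULL`), reserving `None` for the cookies that presumably must survive a cross-site POST from the OP — the state cookie, if that is what motivated the change. If `None` is kept, the `SameSite=None` value is only honoured when `Secure` is also present, which this hunk does not show being added. `oidc_session_save_cache` begins before this hunk and its `else` branch continues after it.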