always add a SameSite value to the Set-Cookie header

- to satisfy upcoming Chrome/Firefox changes this can be overridden by using, e.g.: SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=; - release 2.4.1rc6 Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
OpenIDC · Jan 29, 2020 · 3b4770f · 3b4770f
1 parent d361569
commit 3b4770f
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 5 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,9 @@
+01/29/2020
+- always add a SameSite value to the Set-Cookie header to satisfy upcoming Chrome/Firefox changes
+  this can be overridden by using, e.g.:
+    SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
+- release 2.4.1rc6
+
 01/22/2020
 - URL encode logout url in session management JS; thanks Paolo Battino
 - bump to 2.4.1rc5

diff --git a/configure.ac b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.1rc5],[hans.zandbelt@zmartzone.eu])
+AC_INIT([mod_auth_openidc],[2.4.1rc6],[hans.zandbelt@zmartzone.eu])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
@@ -921,7 +921,9 @@ static int oidc_authorization_request_set_cookie(request_rec *r, oidc_cfg *c,
 
 	/* set it as a cookie */
 	oidc_util_set_cookie(r, cookieName, cookieValue, -1,
-			c->cookie_same_site ? OIDC_COOKIE_EXT_SAME_SITE_LAX : NULL);
+			c->cookie_same_site ?
+					OIDC_COOKIE_EXT_SAME_SITE_LAX :
+					OIDC_COOKIE_EXT_SAME_SITE_NONE);
 
 	return HTTP_OK;
 }
@@ -2264,7 +2266,7 @@ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) {
 		oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1,
 				cfg->cookie_same_site ?
 						OIDC_COOKIE_EXT_SAME_SITE_STRICT :
-						NULL);
+						OIDC_COOKIE_EXT_SAME_SITE_NONE);
 
 		/* see if we need to preserve POST parameters through Javascript/HTML5 storage */
 		if (oidc_post_preserve_javascript(r, url, NULL, NULL) == TRUE)
@@ -2357,7 +2359,9 @@ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) {
 	s = apr_psprintf(r->pool, "%s</form>\n", s);
 
 	oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1,
-			cfg->cookie_same_site ? OIDC_COOKIE_EXT_SAME_SITE_STRICT : NULL);
+			cfg->cookie_same_site ?
+					OIDC_COOKIE_EXT_SAME_SITE_STRICT :
+					OIDC_COOKIE_EXT_SAME_SITE_NONE);
 
 	char *javascript = NULL, *javascript_method = NULL;
 	char *html_head =

diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
@@ -219,6 +219,7 @@ APLOG_USE_MODULE(auth_openidc);
 
 #define OIDC_COOKIE_EXT_SAME_SITE_LAX    "SameSite=Lax"
 #define OIDC_COOKIE_EXT_SAME_SITE_STRICT "SameSite=Strict"
+#define OIDC_COOKIE_EXT_SAME_SITE_NONE   "SameSite=None"
 
 /* https://tools.ietf.org/html/draft-ietf-tokbind-ttrp-01 */
 #define OIDC_TB_CFG_PROVIDED_ENV_VAR     "Sec-Provided-Token-Binding-ID"

diff --git a/src/session.c b/src/session.c
@@ -226,7 +226,7 @@ static apr_byte_t oidc_session_save_cache(request_rec *r, oidc_session_t *z,
 									(first_time ?
 											OIDC_COOKIE_EXT_SAME_SITE_LAX :
 											OIDC_COOKIE_EXT_SAME_SITE_STRICT) :
-											NULL);
+											OIDC_COOKIE_EXT_SAME_SITE_NONE);
 
 	} else {