Skip to content

Commit

Permalink
2.4.15.6: use SameSite=Lax when OIDCCookieSameSite is On
Browse files Browse the repository at this point in the history
(also by default) instead of Strict as overriding from Lax to Strict
does not work reliably anymore (Chrome)

Signed-off-by: Hans Zandbelt <[email protected]>
  • Loading branch information
zandbelt committed Mar 14, 2024
1 parent b696f3d commit 73cc7f1
Show file tree
Hide file tree
Showing 3 changed files with 9 additions and 10 deletions.
2 changes: 2 additions & 0 deletions ChangeLog
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@
- fix userinfo refresh interval parsing; closes #1200; thanks @HolgerHees
avoid refreshing userinfo on each request until access token expiry
- store interval as JSON integer in session
- use SameSite=Lax when OIDCCookieSameSite is On (also by default) instead of
Strict as overriding from Lax to Strict does not work reliably anymore (Chrome)
- release 2.4.15.6

03/13/2024
Expand Down
2 changes: 1 addition & 1 deletion auth_openidc.conf
Original file line number Diff line number Diff line change
Expand Up @@ -528,7 +528,7 @@
# Defines whether the SameSite flag will be set on cookies.
# When On the following will apply:
# state cookie: Lax
# session cookie: first time set Lax, updates (e.g. after inactivity timeout) Strict
# session cookie: Lax
# x_csrf discovery: Strict:
#
# The default `SameSite=None` cookie appendix on `Set-Cookie` response headers can be
Expand Down
15 changes: 6 additions & 9 deletions src/session.c
Original file line number Diff line number Diff line change
Expand Up @@ -204,9 +204,7 @@ static apr_byte_t oidc_session_save_cache(request_rec *r, oidc_session_t *z, apr
/* set the uuid in the cookie */
oidc_http_set_cookie(
r, oidc_cfg_dir_cookie(r), z->uuid, c->persistent_session_cookie ? z->expiry : -1,
c->cookie_same_site
? (first_time ? OIDC_COOKIE_EXT_SAME_SITE_LAX : OIDC_COOKIE_EXT_SAME_SITE_STRICT)
: OIDC_COOKIE_EXT_SAME_SITE_NONE(c, r));
c->cookie_same_site ? OIDC_COOKIE_EXT_SAME_SITE_LAX : OIDC_COOKIE_EXT_SAME_SITE_NONE(c, r));

} else {

Expand Down Expand Up @@ -242,12 +240,11 @@ static apr_byte_t oidc_session_save_cookie(request_rec *r, oidc_session_t *z, ap
if ((z->state != NULL) && (oidc_session_encode(r, c, z, &cookieValue, TRUE) == FALSE))
return FALSE;

oidc_http_set_chunked_cookie(
r, oidc_cfg_dir_cookie(r), cookieValue, c->persistent_session_cookie ? z->expiry : -1,
c->session_cookie_chunk_size,
(z->state == NULL) ? OIDC_COOKIE_EXT_SAME_SITE_NONE(c, r)
: c->cookie_same_site ? (first_time ? OIDC_COOKIE_EXT_SAME_SITE_LAX : OIDC_COOKIE_EXT_SAME_SITE_STRICT)
: OIDC_COOKIE_EXT_SAME_SITE_NONE(c, r));
oidc_http_set_chunked_cookie(r, oidc_cfg_dir_cookie(r), cookieValue,
c->persistent_session_cookie ? z->expiry : -1, c->session_cookie_chunk_size,
(z->state == NULL) ? OIDC_COOKIE_EXT_SAME_SITE_NONE(c, r)
: c->cookie_same_site ? OIDC_COOKIE_EXT_SAME_SITE_LAX
: OIDC_COOKIE_EXT_SAME_SITE_NONE(c, r));

return TRUE;
}
Expand Down

0 comments on commit 73cc7f1

Please sign in to comment.