2.4.15.6: use SameSite=Lax when OIDCCookieSameSite is On

(also by default) instead of Strict as overriding from Lax to Strict does not work reliably anymore (Chrome) Signed-off-by: Hans Zandbelt <[email protected]>
OpenIDC · Mar 14, 2024 · 73cc7f1 · 73cc7f1
1 parent b696f3d
commit 73cc7f1
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 10 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -2,6 +2,8 @@
 - fix userinfo refresh interval parsing; closes #1200; thanks @HolgerHees
   avoid refreshing userinfo on each request until access token expiry
 - store interval as JSON integer in session
+- use SameSite=Lax when OIDCCookieSameSite is On (also by default) instead of
+  Strict as overriding from Lax to Strict does not work reliably anymore (Chrome)
 - release 2.4.15.6
 
 03/13/2024

diff --git a/auth_openidc.conf b/auth_openidc.conf
@@ -528,7 +528,7 @@
 # Defines whether the SameSite flag will be set on cookies.
 # When On the following will apply:
 #   state cookie: Lax
-#   session cookie: first time set Lax, updates (e.g. after inactivity timeout) Strict
+#   session cookie: Lax
 #   x_csrf discovery: Strict:
 #
 # The default `SameSite=None` cookie appendix on `Set-Cookie` response headers can be 

diff --git a/src/session.c b/src/session.c
@@ -204,9 +204,7 @@ static apr_byte_t oidc_session_save_cache(request_rec *r, oidc_session_t *z, apr
 			/* set the uuid in the cookie */
 			oidc_http_set_cookie(
 			    r, oidc_cfg_dir_cookie(r), z->uuid, c->persistent_session_cookie ? z->expiry : -1,
-			    c->cookie_same_site
-				? (first_time ? OIDC_COOKIE_EXT_SAME_SITE_LAX : OIDC_COOKIE_EXT_SAME_SITE_STRICT)
-				: OIDC_COOKIE_EXT_SAME_SITE_NONE(c, r));
+			    c->cookie_same_site ? OIDC_COOKIE_EXT_SAME_SITE_LAX : OIDC_COOKIE_EXT_SAME_SITE_NONE(c, r));
 
 	} else {
 
@@ -242,12 +240,11 @@ static apr_byte_t oidc_session_save_cookie(request_rec *r, oidc_session_t *z, ap
 	if ((z->state != NULL) && (oidc_session_encode(r, c, z, &cookieValue, TRUE) == FALSE))
 		return FALSE;
 
-	oidc_http_set_chunked_cookie(
-	    r, oidc_cfg_dir_cookie(r), cookieValue, c->persistent_session_cookie ? z->expiry : -1,
-	    c->session_cookie_chunk_size,
-	    (z->state == NULL)	  ? OIDC_COOKIE_EXT_SAME_SITE_NONE(c, r)
-	    : c->cookie_same_site ? (first_time ? OIDC_COOKIE_EXT_SAME_SITE_LAX : OIDC_COOKIE_EXT_SAME_SITE_STRICT)
-				  : OIDC_COOKIE_EXT_SAME_SITE_NONE(c, r));
+	oidc_http_set_chunked_cookie(r, oidc_cfg_dir_cookie(r), cookieValue,
+				     c->persistent_session_cookie ? z->expiry : -1, c->session_cookie_chunk_size,
+				     (z->state == NULL)	   ? OIDC_COOKIE_EXT_SAME_SITE_NONE(c, r)
+				     : c->cookie_same_site ? OIDC_COOKIE_EXT_SAME_SITE_LAX
+							   : OIDC_COOKIE_EXT_SAME_SITE_NONE(c, r));
 
 	return TRUE;
 }