Can the session cookie be set to "Partitioned"? #1145

mmurth · 2023-12-07T17:03:00Z

mmurth
Dec 7, 2023

We need to access the OIDC RP server from an iframe within a web app (from a different domain). As the browser blocks third party cookies, we'd need to set the Partitioned flag (=CHIPS). Is there any means to achieve this for the session cookie within mod_auth_openidc?

zandbelt · 2023-12-07T17:46:06Z

zandbelt
Dec 7, 2023
Maintainer

something like this should work:

 SetEnv OIDC_SET_COOKIE_APPEND "SameSite=None; Partitioned;"

you'll need to add the SameSite flag to retain backwards compatibility since OIDC_SET_COOKIE_APPEND will overrule the default SameSite flag (its original purpose is to do exacly that), unless you are OK with the current default browser behaviour (which I believe is Lax)

4 replies

mmurth Dec 7, 2023
Author

Thx for the support!
Seems i am still missing something. I tried with and without OIDCCookieSameSite:

<VirtualHost *:80>
    LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so
    ...
    OIDCSessionType client-cookie 
    # OIDCCookieSameSite On
    SetEnv OIDC_SET_COOKIE_APPEND "SameSite=None; Partitioned;"
</VirtualHost>

But in the apache log, I see that the SetEnv is not working and that the cookie is still appended with "SameSite=Lax" only.

> oidc_util_set_cookie_append_value: no cookie append environment variable OIDC_SET_COOKIE_APPEND found
> oidc_util_hdr_err_out_add: Set-Cookie: mod_auth_openidc_session_1=Ng...; Path=/; HttpOnly; SameSite=Lax

zandbelt Dec 7, 2023
Maintainer

ah yes, standard SetEnv is only applied after mod_auth_openidc runs its authentication handler; so:

SetEnvIf User-Agent ".*" "OIDC_SET_COOKIE_APPEND=SameSite=None; Partitioned;"

should work better as SetEnvIf runs before the authentication phase, unlike SetEnv

mmurth Dec 7, 2023
Author

While the Partioned flag is now appended, something broke the login process. Probably related with some "state cookie".

Apache Logs:

oidc_util_get_cookie: returning "mod_auth_openidc_state_HbpxNQPtC6M7PthbcqGbmE8kBeg" = <null>
oidc_restore_proto_state: no "mod_auth_openidc_state_HbpxNQPtC6M7PthbcqGbmE8kBeg" state cookie found: check domain and samesite cookie settings
oidc_authorization_response_match_state: unable to restore state
oidc_handle_authorization_response: invalid authorization response state and no default SSO URL is set, sending an error...
```

mmurth Dec 19, 2023
Author

Retried with a fresh test setup - does work now!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Can the session cookie be set to "Partitioned"? #1145

{{title}}

Replies: 1 comment 4 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Can the session cookie be set to "Partitioned"? #1145

mmurth Dec 7, 2023

Replies: 1 comment · 4 replies

zandbelt Dec 7, 2023 Maintainer

mmurth Dec 7, 2023 Author

zandbelt Dec 7, 2023 Maintainer

mmurth Dec 7, 2023 Author

mmurth Dec 19, 2023 Author

mmurth
Dec 7, 2023

Replies: 1 comment 4 replies

zandbelt
Dec 7, 2023
Maintainer

mmurth Dec 7, 2023
Author

zandbelt Dec 7, 2023
Maintainer

mmurth Dec 7, 2023
Author

mmurth Dec 19, 2023
Author