OIDCCookieSameSite clarification #685

OlivierBOEL · 2021-09-20T06:09:32Z

OlivierBOEL
Sep 20, 2021

Hello,

I'm puzzled about this comment.
From my experice with mod_auth_openidc v2.3.7, it looks like SameSite attribute is set to strict after 10% of OIDCSessionInactivityTimeout (with a max. of 60 seconds).
Could this code explain what I've obeserved?
Or did I miss something?

Thanks,

Olivier

zandbelt · 2021-09-20T06:16:52Z

zandbelt
Sep 20, 2021
Maintainer

the idea is to set the cookie to Lax immediately after returning from the OP since that's the only value that works after a redirect; after that, i.e. upon the first update of the session, the cookie is set to Strict; the first update happens indeed faster than the inactivity timeout, but it is kind of cumbersome to explain all of that there since it is not that relevant...

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

OIDCCookieSameSite clarification #685

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment

{{title}}

Select a reply

OIDCCookieSameSite clarification #685

OlivierBOEL Sep 20, 2021

Replies: 1 comment

zandbelt Sep 20, 2021 Maintainer

OlivierBOEL
Sep 20, 2021

zandbelt
Sep 20, 2021
Maintainer