From 6677500197b6efa759338d46c976c70381aaa17f Mon Sep 17 00:00:00 2001 From: Hans Zandbelt Date: Tue, 31 Oct 2023 21:52:27 +0100 Subject: [PATCH] use SameSite cookies Strict by default disable by configuring "OIDCCookieSameSite Off" Signed-off-by: Hans Zandbelt --- ChangeLog | 1 + auth_openidc.conf | 2 +- src/config.c | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2b4e07ab..700c2265 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,7 @@ - use only the User-Agent header as input for the state browser fingerprinting by default (no X-Forwarded-For) as cloud environments increasingly use dynamic proxy IPs in front - use PKCE S256 by default; disable by configuring "OIDCPKCEMethod none" +- use SameSite cookies Strict by default; disable by configuring "OIDCCookieSameSite Off" 10/30/2023 - do not apply logout_on_error and authenticate_on_error when a parallel refresh token request is detected diff --git a/auth_openidc.conf b/auth_openidc.conf index 9738e1f3..4398d696 100644 --- a/auth_openidc.conf +++ b/auth_openidc.conf @@ -533,7 +533,7 @@ # conditionally overridden using an environment variable in the Apache config as in: # SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=; # -# When not defined the default is Off. +# When not defined the default is On. #OIDCCookieSameSite [On|Off] # Specify the names of cookies to pickup from the browser and send along on backchannel diff --git a/src/config.c b/src/config.c index 568ccb76..5cadc979 100644 --- a/src/config.c +++ b/src/config.c @@ -119,7 +119,7 @@ /* set httponly flag on cookies */ #define OIDC_DEFAULT_COOKIE_HTTPONLY 1 /* set Same-Site flag on cookies */ -#define OIDC_DEFAULT_COOKIE_SAME_SITE 0 +#define OIDC_DEFAULT_COOKIE_SAME_SITE 1 /* default cookie path */ #define OIDC_DEFAULT_COOKIE_PATH "/" /* default OAuth 2.0 introspection token parameter name */