2.4.15.6: use SameSite=Lax when OIDCCookieSameSite is On

zandbelt · zandbelt · commit 73cc7f1e6569 · 2024-03-14T21:06:56.000+01:00
(also by default) instead of Strict as overriding from Lax to Strict
does not work reliably anymore (Chrome)

Signed-off-by: Hans Zandbelt &lt;hans.zandbelt@openidc.com&gt;
diff --git a/ChangeLog b/ChangeLog
@@ -2,6 +2,8 @@
 - fix userinfo refresh interval parsing; closes #1200; thanks @HolgerHees
   avoid refreshing userinfo on each request until access token expiry
 - store interval as JSON integer in session
+- use SameSite=Lax when OIDCCookieSameSite is On (also by default) instead of
+  Strict as overriding from Lax to Strict does not work reliably anymore (Chrome)
 - release 2.4.15.6
 
 03/13/2024
diff --git a/auth_openidc.conf b/auth_openidc.conf
@@ -528,7 +528,7 @@
 # Defines whether the SameSite flag will be set on cookies.
 # When On the following will apply:
 #   state cookie: Lax
-#   session cookie: first time set Lax, updates (e.g. after inactivity timeout) Strict
+#   session cookie: Lax
 #   x_csrf discovery: Strict:
 #
 # The default `SameSite=None` cookie appendix on `Set-Cookie` response headers can be 
diff --git a/src/session.c b/src/session.c
@@ -204,9 +204,7 @@ static apr_byte_t oidc_session_save_cache(request_rec *r, oidc_session_t *z, apr
 			/* set the uuid in the cookie */
 			oidc_http_set_cookie(
 			    r, oidc_cfg_dir_cookie(r), z->uuid, c->persistent_session_cookie ? z->expiry : -1,
-			    c->cookie_same_site
-				? (first_time ? OIDC_COOKIE_EXT_SAME_SITE_LAX : OIDC_COOKIE_EXT_SAME_SITE_STRICT)
-				: OIDC_COOKIE_EXT_SAME_SITE_NONE(c, r));
+			    c->cookie_same_site ? OIDC_COOKIE_EXT_SAME_SITE_LAX : OIDC_COOKIE_EXT_SAME_SITE_NONE(c, r));
 
 	} else {
 
@@ -242,12 +240,11 @@ static apr_byte_t oidc_session_save_cookie(request_rec *r, oidc_session_t *z, ap
 	if ((z->state != NULL) && (oidc_session_encode(r, c, z, &cookieValue, TRUE) == FALSE))
 		return FALSE;
 
-	oidc_http_set_chunked_cookie(
-	    r, oidc_cfg_dir_cookie(r), cookieValue, c->persistent_session_cookie ? z->expiry : -1,
-	    c->session_cookie_chunk_size,
-	    (z->state == NULL)	  ? OIDC_COOKIE_EXT_SAME_SITE_NONE(c, r)
-	    : c->cookie_same_site ? (first_time ? OIDC_COOKIE_EXT_SAME_SITE_LAX : OIDC_COOKIE_EXT_SAME_SITE_STRICT)
-				  : OIDC_COOKIE_EXT_SAME_SITE_NONE(c, r));
+	oidc_http_set_chunked_cookie(r, oidc_cfg_dir_cookie(r), cookieValue,
+				     c->persistent_session_cookie ? z->expiry : -1, c->session_cookie_chunk_size,
+				     (z->state == NULL)	   ? OIDC_COOKIE_EXT_SAME_SITE_NONE(c, r)
+				     : c->cookie_same_site ? OIDC_COOKIE_EXT_SAME_SITE_LAX
+							   : OIDC_COOKIE_EXT_SAME_SITE_NONE(c, r));
 
 	return TRUE;
 }

Original file line number	Diff line number	Diff line change
`@@ -528,7 +528,7 @@`
`528`	`528`	`# Defines whether the SameSite flag will be set on cookies.`
`529`	`529`	`# When On the following will apply:`
`530`	`530`	`# state cookie: Lax`
`531`		`-# session cookie: first time set Lax, updates (e.g. after inactivity timeout) Strict`
	`531`	`+# session cookie: Lax`
`532`	`532`	`# x_csrf discovery: Strict:`
`533`	`533`	`#`
`534`	`534`	# The default `SameSite=None` cookie appendix on `Set-Cookie` response headers can be