From 7ef4ae72a8578475064eb66e3ed5703ccf6ee078 Mon Sep 17 00:00:00 2001
From: Ruediger Pluem <r.pluem@gmx.de>
Date: Thu, 30 Apr 2020 07:56:01 +0200
Subject: [PATCH] Set SameSite to None on test cookie
If the SameSite cookie attribute is to be set because
MellonCookieSameSite is configured and MELLON_DISABLE_SAMESITE is not set
for this particular request set it to None for the test cookie.
This ensures that the test cookie with the static test content does not
get lost in the HTTP-POST binding request issued by the autosubmit form
returned by the IDP.
Addresses #20
* auth_mellon.h: Add AM_FORCE_SAMESITE_NONE_NOTE
* auth_mellon_handler.c (am_send_login_authn_request): Set request note
to set SameSite to None if appropriate.
* auth_mellon_cookie.c (am_cookie_params): Set SameSite to None if
requested via request note.
---
auth_mellon.h | 3 +++
auth_mellon_cookie.c | 6 +++++-
auth_mellon_handler.c | 5 +++++
3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/auth_mellon.h b/auth_mellon.h
index fd39b28..401ed9c 100644
--- a/auth_mellon.h
+++ b/auth_mellon.h
@@ -100,6 +100,9 @@ typedef enum {
/* Disable SameSite Environment Value */
#define AM_DISABLE_SAMESITE_ENV_VAR "MELLON_DISABLE_SAMESITE"
+/* Force setting SameSite to None */
+#define AM_FORCE_SAMESITE_NONE_NOTE "MELLON_FORCE_SAMESITE_NONE"
+
/* This is the length of the id we use (for session IDs and
* replaying POST data).
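Review bot: The comment on the new AM_FORCE_SAMESITE_NONE_NOTE define does not say what kind of name it is, whereas the neighbouring AM_DISABLE_SAMESITE_ENV_VAR comment identifies an environment variable; a reader has to find the apr_table_setn/apr_table_get call sites to learn it is a per-request r->notes key. Suggest `/* r->notes key: when present, am_cookie_params() emits SameSite=None for the cookie being set */` in place of the one-line comment.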
diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
index 55f77a5..6bff81e 100644
--- a/auth_mellon_cookie.c
+++ b/auth_mellon_cookie.c
@@ -78,7 +78,11 @@ static const char *am_cookie_params(request_rec *r)
}
if (env_var_value == NULL){
- if (cfg->cookie_samesite == am_samesite_lax) {
+ if ((cfg->cookie_samesite != am_samesite_default) &&
+ (apr_table_get(r->notes, AM_FORCE_SAMESITE_NONE_NOTE) != NULL)) {
+ cookie_samesite = "; SameSite=None";
+ }
+ else if (cfg->cookie_samesite == am_samesite_lax) {
cookie_samesite = "; SameSite=Lax";
} else if (cfg->cookie_samesite == am_samesite_strict) {
cookie_samesite = "; SameSite=Strict";
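Review bot: The new forced branch emits `; SameSite=None` without tying it to the `Secure` attribute, and browsers that implement the SameSite=None rule discard a None cookie that is not also Secure, so on a plain-HTTP deployment the test cookie would still be lost; whether am_cookie_params adds `Secure` unconditionally is not visible here because the function's body starts before the hunk. If Secure is configuration-dependent, the branch should require it or at least document the constraint, e.g. `/* SameSite=None is only honoured together with the Secure attribute */` above the new condition. The branch stays inside `if (env_var_value == NULL)`, so MELLON_DISABLE_SAMESITE keeps precedence over the note, which matches the commit message. Note also that with MellonCookieSameSite unset (am_samesite_default) the test cookie gets no SameSite attribute at all, which the commit message could state explicitly.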
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
index 395ee1d..40c9bcd 100644
--- a/auth_mellon_handler.c
+++ b/auth_mellon_handler.c
@@ -3261,8 +3261,13 @@ static int am_send_login_authn_request(request_rec *r, const char *idp,
/* Add cookie for cookie test. We know that we should have
* a valid cookie when we return from the IdP after SP-initiated
* login.
+ * Ensure that SameSite is set to None for this cookie if SameSite
+ * is allowed to be set as the cookie otherwise gets lost on
+ * HTTP-POST binding messages.
*/
+ apr_table_setn(r->notes, AM_FORCE_SAMESITE_NONE_NOTE, "1");
am_cookie_set(r, "cookietest");
+ apr_table_unset(r->notes, AM_FORCE_SAMESITE_NONE_NOTE);
server = am_get_lasso_server(r);
if(server == NULL) {
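Review bot: The note is cleared by apr_table_unset() immediately after am_cookie_set(), which is what limits the forced SameSite=None to the test cookie, but the extended comment only explains why None is needed and not that the note is scoped to this single call; suggest adding `* The note is removed right after so that the session cookie set later keeps the configured SameSite value.` to the comment block. Keeping the set/unset pair adjacent to the one am_cookie_set() call is the right shape, since any early return between them would leave the note in r->notes for the rest of the request. am_send_login_authn_request's body continues on both sides of the hunk.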
--
2.26.2