use SameSite cookies Strict by default

disable by configuring "OIDCCookieSameSite Off" Signed-off-by: Hans Zandbelt <[email protected]>
OpenIDC · Oct 31, 2023 · 6677500 · 6677500
1 parent cf4b650
commit 6677500
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 2 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -5,6 +5,7 @@
 - use only the User-Agent header as input for the state browser fingerprinting by default (no X-Forwarded-For)
   as cloud environments increasingly use dynamic proxy IPs in front
 - use PKCE S256 by default; disable by configuring "OIDCPKCEMethod none"
+- use SameSite cookies Strict by default; disable by configuring "OIDCCookieSameSite Off"
 
 10/30/2023
 - do not apply logout_on_error and authenticate_on_error when a parallel refresh token request is detected

diff --git a/auth_openidc.conf b/auth_openidc.conf
@@ -533,7 +533,7 @@
 # conditionally overridden using an environment variable in the Apache config as in:
 #   SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
 #
-# When not defined the default is Off.
+# When not defined the default is On.
 #OIDCCookieSameSite [On|Off]
 
 # Specify the names of cookies to pickup from the browser and send along on backchannel

diff --git a/src/config.c b/src/config.c
@@ -119,7 +119,7 @@
 /* set httponly flag on cookies */
 #define OIDC_DEFAULT_COOKIE_HTTPONLY 1
 /* set Same-Site flag on cookies */
-#define OIDC_DEFAULT_COOKIE_SAME_SITE 0
+#define OIDC_DEFAULT_COOKIE_SAME_SITE 1
 /* default cookie path */
 #define OIDC_DEFAULT_COOKIE_PATH "/"
 /* default OAuth 2.0 introspection token parameter name */