Skip to content

Commit

Permalink
use SameSite cookies Strict by default
Browse files Browse the repository at this point in the history
disable by configuring "OIDCCookieSameSite Off"

Signed-off-by: Hans Zandbelt <hans.zandbelt@openidc.com>
  • Loading branch information
zandbelt committed Oct 31, 2023
1 parent cf4b650 commit 6677500
Show file tree
Hide file tree
Showing 3 changed files with 3 additions and 2 deletions.
1 change: 1 addition & 0 deletions ChangeLog
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
- use only the User-Agent header as input for the state browser fingerprinting by default (no X-Forwarded-For)
as cloud environments increasingly use dynamic proxy IPs in front
- use PKCE S256 by default; disable by configuring "OIDCPKCEMethod none"
- use SameSite cookies Strict by default; disable by configuring "OIDCCookieSameSite Off"

10/30/2023
- do not apply logout_on_error and authenticate_on_error when a parallel refresh token request is detected
Expand Down
2 changes: 1 addition & 1 deletion auth_openidc.conf
Original file line number Diff line number Diff line change
Expand Up @@ -533,7 +533,7 @@
# conditionally overridden using an environment variable in the Apache config as in:
# SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
#
# When not defined the default is Off.
# When not defined the default is On.
#OIDCCookieSameSite [On|Off]

# Specify the names of cookies to pickup from the browser and send along on backchannel
Expand Down
2 changes: 1 addition & 1 deletion src/config.c
Original file line number Diff line number Diff line change
Expand Up @@ -119,7 +119,7 @@
/* set httponly flag on cookies */
#define OIDC_DEFAULT_COOKIE_HTTPONLY 1
/* set Same-Site flag on cookies */
#define OIDC_DEFAULT_COOKIE_SAME_SITE 0
#define OIDC_DEFAULT_COOKIE_SAME_SITE 1
/* default cookie path */
#define OIDC_DEFAULT_COOKIE_PATH "/"
/* default OAuth 2.0 introspection token parameter name */
Expand Down

0 comments on commit 6677500

Please sign in to comment.