use case insensitive domain comparison in oidc_check_cookie_domain

bump to 2.4.16.9dev

Signed-off-by: Hans Zandbelt <[email protected]>

Author: zandbelt

ChangeLog

@@ -1,3 +1,7 @@
+03/18/2025
+- use case insensitive hostname/domain comparison in oidc_check_cookie_domain
+- bump to 2.4.16.9dev
+
 02/17/2025
 - release 2.4.16.8
 

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.16.8],[[email protected]])
+AC_INIT([mod_auth_openidc],[2.4.16.9dev],[[email protected]])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

src/mod_auth_openidc.c

@@ -529,12 +529,12 @@ static apr_byte_t oidc_check_max_session_duration(request_rec *r, oidc_cfg_t *cf
  * it also handles the case that a cookie is unexpectedly shared across multiple hosts in
  * name-based virtual hosting even though the OP(s) would be the same
  */
-static apr_byte_t oidc_check_cookie_domain(request_rec *r, oidc_cfg_t *cfg, oidc_session_t *session) {
+apr_byte_t oidc_check_cookie_domain(request_rec *r, oidc_cfg_t *cfg, oidc_session_t *session) {
 	const char *c_cookie_domain = oidc_cfg_cookie_domain_get(cfg)
 					  ? oidc_cfg_cookie_domain_get(cfg)
 					  : oidc_util_current_url_host(r, oidc_cfg_x_forwarded_headers_get(cfg));
 	const char *s_cookie_domain = oidc_session_get_cookie_domain(r, session);
-	if ((s_cookie_domain == NULL) || (_oidc_strcmp(c_cookie_domain, s_cookie_domain) != 0)) {
+	if ((s_cookie_domain == NULL) || (_oidc_strnatcasecmp(c_cookie_domain, s_cookie_domain) != 0)) {
 		oidc_warn(r,
 			  "aborting: detected attempt to play cookie against a different domain/host than issued for! "
 			  "(issued=%s, current=%s)",

src/mod_auth_openidc.h

@@ -143,6 +143,7 @@ apr_byte_t oidc_get_remote_user(request_rec *r, const char *claim_name, const ch
 				json_t *json, char **request_user);
 apr_byte_t oidc_get_provider_from_session(request_rec *r, oidc_cfg_t *c, oidc_session_t *session,
 					  oidc_provider_t **provider);
+apr_byte_t oidc_check_cookie_domain(request_rec *r, oidc_cfg_t *cfg, oidc_session_t *session);
 apr_byte_t oidc_session_pass_tokens(request_rec *r, oidc_cfg_t *cfg, oidc_session_t *session, apr_byte_t extend_session,
 				    apr_byte_t *needs_save);
 void oidc_log_session_expires(request_rec *r, const char *msg, apr_time_t session_expires);

test/test.c

@@ -1073,6 +1073,8 @@ static char *test_logout_request(request_rec *r) {
 	    "https://idp.example.com/"
 	    "endsession?post_logout_redirect_uri=https%3A%2F%2Fwww.example.com%2Floggedout&client_id=myclient&foo=bar");
 
+	oidc_session_free(r, session);
+
 	return 0;
 }
 
@@ -1770,6 +1772,24 @@ static char *test_set_app_infos(request_rec *r) {
 	return 0;
 }
 
+static char *test_check_cookie_domain(request_rec *r) {
+	apr_byte_t rv = FALSE;
+	oidc_cfg_t *c = ap_get_module_config(r->server->module_config, &auth_openidc_module);
+	oidc_session_t *session = NULL;
+
+	oidc_session_load(r, &session);
+	oidc_session_set_cookie_domain(r, session, "ab001sb161djbn.xyz.com");
+	apr_table_set(r->headers_in, "Host", "ab001SB161djbn.xyz.com");
+
+	rv = oidc_check_cookie_domain(r, c, session);
+
+	TST_ASSERT_BYTE("oidc_check_cookie_domain", rv, TRUE);
+
+	oidc_session_free(r, session);
+
+	return 0;
+}
+
 static char *all_tests(apr_pool_t *pool, request_rec *r) {
 	char *message;
 	TST_RUN(test_private_key_parse, pool);
@@ -1815,6 +1835,7 @@ static char *all_tests(apr_pool_t *pool, request_rec *r) {
 #endif
 
 	TST_RUN(test_logout_request, r);
+	TST_RUN(test_check_cookie_domain, r);
 
 	return 0;
 }