support individual SameSite settings on session/state/csrf cookies

by adding 2 more arguments to OIDCCookieSameSite

Signed-off-by: Hans Zandbelt <[email protected]>

Author: zandbelt

ChangeLog

@@ -1,3 +1,7 @@
+11/07/2025
+- support individual SameSite cookie settings on the session cookie, state cookie and Discovery CSRF
+  cookie by adding 2 more arguments to OIDCCookieSameSite
+
 11/05/2025
 - test: add jose.c coverage tests
 

auth_openidc.conf

@@ -262,6 +262,8 @@
 # The response mode used (this serves as default value for discovered OPs too)
 # When not defined the default response mode for the requested flow (OIDCResponseType) is used.
 # NB: this can be overridden on a per-OP basis in the .conf file using the key: response_mode
+# Note that form_post response mode requires SameSite=None on the State cookie, see OIDCCookieSameSite.
+# When not defined the default is query
 #OIDCResponseMode [fragment|query|form_post]
 
 # Only used for a single static provider has been configured, see below in OpenID Connect Provider.
@@ -593,8 +595,13 @@
 # conditionally overridden using an environment variable in the Apache config as in:
 #   SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
 #
+# One can specify individual SameSite settings for the session cookie, state cookie and CSRF discovery cookie as follows:
+#   OIDCCookieSameSite <session-cookie-same-site> [<state-cookie-same-site>] [<discovery-csrf-same-site>]
+# E.g. to allow form_post response mode one could specify:
+#   OIDCCookieSameSite Strict None
+#
 # When not defined the default is On (Lax).
-#OIDCCookieSameSite [ On | Off | Strict | Lax | None | Disabled ]
+#OIDCCookieSameSite On|Off|Strict|Lax|None|Disabled [On|Off|Lax|None|Disabled] [On|Off|Strict|Lax|None|Disabled]
 
 # Specify the names of cookies to pick up from the browser and send along on backchannel
 # calls to the OP and AS endpoints. This can be used for load-balancing purposes.

src/cfg/cfg.c

@@ -573,7 +573,8 @@ OIDC_CFG_MEMBER_FUNCS_BOOL(cookie_http_only, OIDC_DEFAULT_COOKIE_HTTPONLY)
 /*
  * define which header we use for calculating the fingerprint of the state during authentication
  */
-const char *oidc_cmd_cookie_same_site_set(cmd_parms *cmd, void *m, const char *arg) {
+const char *oidc_cmd_cookie_same_site_session_set(cmd_parms *cmd, void *m, const char *arg1, const char *arg2,
+						  const char *arg3) {
 	oidc_cfg_t *cfg = (oidc_cfg_t *)ap_get_module_config(cmd->server->module_config, &auth_openidc_module);
 	// NB: On is made equal to Lax here and Off is equal to None (backwards compatibility)
 	static const oidc_cfg_option_t options[] = {{OIDC_SAMESITE_COOKIE_NONE, OIDC_SAMESITE_COOKIE_OFF_STR},
@@ -582,13 +583,34 @@ const char *oidc_cmd_cookie_same_site_set(cmd_parms *cmd, void *m, const char *a
 						    {OIDC_SAMESITE_COOKIE_NONE, OIDC_SAMESITE_COOKIE_NONE_STR},
 						    {OIDC_SAMESITE_COOKIE_LAX, OIDC_SAMESITE_COOKIE_LAX_STR},
 						    {OIDC_SAMESITE_COOKIE_STRICT, OIDC_SAMESITE_COOKIE_STRICT_STR}};
-	const char *rv = oidc_cfg_parse_option_ignore_case(cmd->pool, options, OIDC_CFG_OPTIONS_SIZE(options), arg,
-							   &cfg->cookie_same_site);
+	const char *rv = oidc_cfg_parse_option_ignore_case(cmd->pool, options, OIDC_CFG_OPTIONS_SIZE(options), arg1,
+							   &cfg->cookie_same_site_session);
+	if ((rv == NULL) && (arg2 != NULL)) {
+		static const oidc_cfg_option_t state_options[] = {
+		    {OIDC_SAMESITE_COOKIE_NONE, OIDC_SAMESITE_COOKIE_OFF_STR},
+		    {OIDC_SAMESITE_COOKIE_LAX, OIDC_SAMESITE_COOKIE_ON_STR},
+		    {OIDC_SAMESITE_COOKIE_DISABLED, OIDC_SAMESITE_COOKIE_DISABLED_STR},
+		    {OIDC_SAMESITE_COOKIE_NONE, OIDC_SAMESITE_COOKIE_NONE_STR},
+		    {OIDC_SAMESITE_COOKIE_LAX, OIDC_SAMESITE_COOKIE_LAX_STR}};
+		rv = oidc_cfg_parse_option_ignore_case(cmd->pool, state_options, OIDC_CFG_OPTIONS_SIZE(state_options),
+						       arg2, &cfg->cookie_same_site_state);
+	}
+	if ((rv == NULL) && (arg3 != NULL)) {
+		rv = oidc_cfg_parse_option_ignore_case(cmd->pool, options, OIDC_CFG_OPTIONS_SIZE(options), arg3,
+						       &cfg->cookie_same_site_discovery_csrf);
+	}
 	return OIDC_CONFIG_DIR_RV(cmd, rv);
 }
 
 #define OIDC_DEFAULT_COOKIE_SAME_SITE OIDC_SAMESITE_COOKIE_LAX
-OIDC_CFG_MEMBER_FUNC_TYPE_GET(cookie_same_site, oidc_samesite_cookie_t, OIDC_DEFAULT_COOKIE_SAME_SITE)
+OIDC_CFG_MEMBER_FUNC_TYPE_GET(cookie_same_site_session, oidc_samesite_cookie_t, OIDC_DEFAULT_COOKIE_SAME_SITE)
+
+#define OIDC_DEFAULT_COOKIE_SAME_SITE_STATE oidc_cfg_cookie_same_site_session_get(cfg)
+OIDC_CFG_MEMBER_FUNC_TYPE_GET(cookie_same_site_state, oidc_samesite_cookie_t, OIDC_DEFAULT_COOKIE_SAME_SITE_STATE)
+
+#define OIDC_DEFAULT_COOKIE_SAME_SITE_CSRF_DISCOVERY oidc_cfg_cookie_same_site_session_get(cfg)
+OIDC_CFG_MEMBER_FUNC_TYPE_GET(cookie_same_site_discovery_csrf, oidc_samesite_cookie_t,
+			      OIDC_DEFAULT_COOKIE_SAME_SITE_CSRF_DISCOVERY)
 
 #define OIDC_DEFAULT_SESSION_FALLBACK_TO_COOKIE 0
 OIDC_CFG_MEMBER_FUNCS_BOOL(session_cache_fallback_to_cookie, OIDC_DEFAULT_SESSION_FALLBACK_TO_COOKIE)
@@ -710,7 +732,10 @@ void *oidc_cfg_server_create(apr_pool_t *pool, server_rec *svr) {
 	c->remote_user_claim.reg_exp = NULL;
 	c->remote_user_claim.replace = NULL;
 	c->cookie_http_only = OIDC_CONFIG_POS_INT_UNSET;
-	c->cookie_same_site = OIDC_CONFIG_POS_INT_UNSET;
+
+	c->cookie_same_site_session = OIDC_CONFIG_POS_INT_UNSET;
+	c->cookie_same_site_state = OIDC_CONFIG_POS_INT_UNSET;
+	c->cookie_same_site_discovery_csrf = OIDC_CONFIG_POS_INT_UNSET;
 
 	c->outgoing_proxy.host_port = NULL;
 	c->outgoing_proxy.username_password = NULL;
@@ -834,8 +859,16 @@ void *oidc_cfg_server_merge(apr_pool_t *pool, void *BASE, void *ADD) {
 
 	c->cookie_http_only =
 	    add->cookie_http_only != OIDC_CONFIG_POS_INT_UNSET ? add->cookie_http_only : base->cookie_http_only;
-	c->cookie_same_site =
-	    add->cookie_same_site != OIDC_CONFIG_POS_INT_UNSET ? add->cookie_same_site : base->cookie_same_site;
+
+	c->cookie_same_site_session = add->cookie_same_site_session != OIDC_CONFIG_POS_INT_UNSET
+					  ? add->cookie_same_site_session
+					  : base->cookie_same_site_session;
+	c->cookie_same_site_state = add->cookie_same_site_state != OIDC_CONFIG_POS_INT_UNSET
+					? add->cookie_same_site_state
+					: base->cookie_same_site_state;
+	c->cookie_same_site_discovery_csrf = add->cookie_same_site_discovery_csrf != OIDC_CONFIG_POS_INT_UNSET
+						 ? add->cookie_same_site_discovery_csrf
+						 : base->cookie_same_site_discovery_csrf;
 
 	if (add->outgoing_proxy.host_port != NULL) {
 		c->outgoing_proxy.host_port = add->outgoing_proxy.host_port;

src/cfg/cfg.h

@@ -224,7 +224,6 @@ OIDC_CFG_MEMBER_FUNCS_DECL(default_sso_url, const char *)
 OIDC_CFG_MEMBER_FUNCS_DECL(default_slo_url, const char *)
 OIDC_CFG_MEMBER_FUNCS_DECL(cookie_domain, const char *)
 OIDC_CFG_MEMBER_FUNCS_DECL(cookie_http_only, int)
-OIDC_CFG_MEMBER_FUNCS_DECL(cookie_same_site, oidc_samesite_cookie_t)
 OIDC_CFG_MEMBER_FUNCS_DECL(claim_delimiter, const char *)
 OIDC_CFG_MEMBER_FUNCS_DECL(claim_prefix, const char *)
 OIDC_CFG_MEMBER_FUNCS_DECL(state_timeout, int)
@@ -254,6 +253,9 @@ OIDC_CFG_MEMBER_FUNCS_DECL(crypto_passphrase, const oidc_crypto_passphrase_t *,
 OIDC_CFG_MEMBER_FUNCS_DECL(max_number_of_state_cookies, int, const char *)
 
 // 3 args
+OIDC_CFG_MEMBER_FUNCS_DECL(cookie_same_site_session, oidc_samesite_cookie_t, const char *, const char *)
+OIDC_CFG_MEMBER_FUNC_GET_DECL(cookie_same_site_state, oidc_samesite_cookie_t)
+OIDC_CFG_MEMBER_FUNC_GET_DECL(cookie_same_site_discovery_csrf, oidc_samesite_cookie_t)
 OIDC_CFG_MEMBER_FUNCS_DECL(remote_user_claim, const oidc_remote_user_claim_t *, const char *, const char *)
 OIDC_CFG_MEMBER_FUNCS_DECL(outgoing_proxy, const oidc_http_outgoing_proxy_t *, const char *, const char *)
 OIDC_CFG_MEMBER_FUNCS_DECL(http_timeout_short, oidc_http_timeout_t *, const char *, const char *)

src/cfg/cfg_int.h

@@ -150,7 +150,10 @@ struct oidc_cfg_t {
 	int session_cookie_chunk_size;
 	char *cookie_domain;
 	int cookie_http_only;
-	int cookie_same_site;
+	/* samesite cookie settings */
+	int cookie_same_site_session;
+	int cookie_same_site_state;
+	int cookie_same_site_discovery_csrf;
 
 	int state_timeout;
 	int max_number_of_state_cookies;

src/cfg/cmds.c

@@ -103,9 +103,9 @@ const command_rec oidc_cfg_cmds[] = {
 		cookie_http_only,
 		"Defines whether or not the cookie httponly flag is set on cookies."),
 	OIDC_CFG_CMD(
-		AP_INIT_TAKE1,
+		AP_INIT_TAKE123,
 		OIDCCookieSameSite,
-		cookie_same_site,
+		cookie_same_site_session,
 		"Defines whether or not the cookie Same-Site flag is set on cookies."),
 	OIDC_CFG_CMD(
 		AP_INIT_TAKE123,

src/handle/discovery.c

@@ -76,7 +76,7 @@ apr_byte_t oidc_is_discovery_response(request_rec *r, oidc_cfg_t *cfg) {
 
 static const char *oidc_discovery_csrf_cookie_samesite(request_rec *r, oidc_cfg_t *c) {
 	const char *rv = NULL;
-	switch (oidc_cfg_cookie_same_site_get(c)) {
+	switch (oidc_cfg_cookie_same_site_discovery_csrf_get(c)) {
 	case OIDC_SAMESITE_COOKIE_STRICT:
 		rv = OIDC_HTTP_COOKIE_SAMESITE_STRICT;
 		break;

src/handle/request.c

@@ -95,9 +95,9 @@ apr_byte_t oidc_request_check_cookie_domain(request_rec *r, oidc_cfg_t *c, const
 	return TRUE;
 }
 
-static const char *oidc_request_samesite_cookie(request_rec *r, struct oidc_cfg_t *c) {
+static const char *oidc_request_samesite_state_cookie(request_rec *r, struct oidc_cfg_t *c) {
 	const char *rv = NULL;
-	switch (oidc_cfg_cookie_same_site_get(c)) {
+	switch (oidc_cfg_cookie_same_site_state_get(c)) {
 	case OIDC_SAMESITE_COOKIE_STRICT:
 	case OIDC_SAMESITE_COOKIE_LAX:
 		rv = OIDC_HTTP_COOKIE_SAMESITE_LAX;
@@ -146,7 +146,7 @@ static int oidc_request_authorization_set_cookie(request_rec *r, oidc_cfg_t *c,
 	const char *cookieName = oidc_state_cookie_name(r, state);
 
 	/* set it as a cookie */
-	oidc_http_set_cookie(r, cookieName, cookieValue, -1, oidc_request_samesite_cookie(r, c));
+	oidc_http_set_cookie(r, cookieName, cookieValue, -1, oidc_request_samesite_state_cookie(r, c));
 
 	return OK;
 }

src/session.c

@@ -193,9 +193,9 @@ static apr_byte_t oidc_session_load_cache(request_rec *r, oidc_session_t *z) {
 	return rc;
 }
 
-static const char *oidc_session_samesite_cookie(request_rec *r, struct oidc_cfg_t *c, int first_time) {
+static const char *oidc_session_cookie_samesite(request_rec *r, struct oidc_cfg_t *c, int first_time) {
 	const char *rv = NULL;
-	switch (oidc_cfg_cookie_same_site_get(c)) {
+	switch (oidc_cfg_cookie_same_site_session_get(c)) {
 	case OIDC_SAMESITE_COOKIE_STRICT:
 		rv = first_time ? OIDC_HTTP_COOKIE_SAMESITE_LAX : OIDC_HTTP_COOKIE_SAMESITE_STRICT;
 		break;
@@ -238,7 +238,7 @@ static apr_byte_t oidc_session_save_cache(request_rec *r, oidc_session_t *z, apr
 			/* set the uuid in the cookie */
 			oidc_http_set_cookie(r, oidc_cfg_dir_cookie_get(r), z->uuid,
 					     oidc_cfg_persistent_session_cookie_get(c) ? z->expiry : -1,
-					     oidc_session_samesite_cookie(r, c, first_time));
+					     oidc_session_cookie_samesite(r, c, first_time));
 
 	} else {
 
@@ -278,7 +278,7 @@ static apr_byte_t oidc_session_save_cookie(request_rec *r, oidc_session_t *z, ap
 	oidc_http_set_chunked_cookie(
 	    r, oidc_cfg_dir_cookie_get(r), cookieValue, oidc_cfg_persistent_session_cookie_get(c) ? z->expiry : -1,
 	    oidc_cfg_session_cookie_chunk_size_get(c),
-	    (z->state == NULL) ? OIDC_HTTP_COOKIE_SAMESITE_NONE(c, r) : oidc_session_samesite_cookie(r, c, first_time));
+	    (z->state == NULL) ? OIDC_HTTP_COOKIE_SAMESITE_NONE(c, r) : oidc_session_cookie_samesite(r, c, first_time));
 
 	return TRUE;
 }

test/test_cfg.c

@@ -125,6 +125,50 @@ END_TEST
 
 #endif
 
+START_TEST(test_cmd_cookie_same_site) {
+	cmd_parms *cmd = oidc_test_cmd_get(OIDCCookieSameSite);
+	oidc_cfg_t *cfg = oidc_test_cfg_get();
+
+	// default is Lax
+	ck_assert_int_eq(oidc_cfg_cookie_same_site_session_get(cfg), OIDC_SAMESITE_COOKIE_LAX);
+	ck_assert_int_eq(oidc_cfg_cookie_same_site_state_get(cfg), OIDC_SAMESITE_COOKIE_LAX);
+	ck_assert_int_eq(oidc_cfg_cookie_same_site_discovery_csrf_get(cfg), OIDC_SAMESITE_COOKIE_LAX);
+
+	ck_assert_ptr_null(oidc_cmd_cookie_same_site_session_set(cmd, NULL, "Lax", NULL, NULL));
+	ck_assert_int_eq(oidc_cfg_cookie_same_site_session_get(cfg), OIDC_SAMESITE_COOKIE_LAX);
+	ck_assert_int_eq(oidc_cfg_cookie_same_site_state_get(cfg), OIDC_SAMESITE_COOKIE_LAX);
+	ck_assert_int_eq(oidc_cfg_cookie_same_site_discovery_csrf_get(cfg), OIDC_SAMESITE_COOKIE_LAX);
+
+	// state and csrf cookies should inherit from session cookie */
+	ck_assert_ptr_null(oidc_cmd_cookie_same_site_session_set(cmd, NULL, "Strict", NULL, NULL));
+	ck_assert_int_eq(oidc_cfg_cookie_same_site_session_get(cfg), OIDC_SAMESITE_COOKIE_STRICT);
+	ck_assert_int_eq(oidc_cfg_cookie_same_site_state_get(cfg), OIDC_SAMESITE_COOKIE_STRICT);
+	ck_assert_int_eq(oidc_cfg_cookie_same_site_discovery_csrf_get(cfg), OIDC_SAMESITE_COOKIE_STRICT);
+
+	ck_assert_ptr_null(oidc_cmd_cookie_same_site_session_set(cmd, NULL, "None", NULL, NULL));
+	ck_assert_int_eq(oidc_cfg_cookie_same_site_session_get(cfg), OIDC_SAMESITE_COOKIE_NONE);
+	ck_assert_int_eq(oidc_cfg_cookie_same_site_state_get(cfg), OIDC_SAMESITE_COOKIE_NONE);
+	ck_assert_int_eq(oidc_cfg_cookie_same_site_discovery_csrf_get(cfg), OIDC_SAMESITE_COOKIE_NONE);
+
+	ck_assert_ptr_nonnull(oidc_cmd_cookie_same_site_session_set(cmd, NULL, "InvalidValue", NULL, NULL));
+
+	ck_assert_ptr_null(oidc_cmd_cookie_same_site_session_set(cmd, NULL, "Strict", "None", NULL));
+	ck_assert_int_eq(oidc_cfg_cookie_same_site_session_get(cfg), OIDC_SAMESITE_COOKIE_STRICT);
+	ck_assert_int_eq(oidc_cfg_cookie_same_site_state_get(cfg), OIDC_SAMESITE_COOKIE_NONE);
+	ck_assert_int_eq(oidc_cfg_cookie_same_site_discovery_csrf_get(cfg), OIDC_SAMESITE_COOKIE_STRICT);
+
+	ck_assert_ptr_null(oidc_cmd_cookie_same_site_session_set(cmd, NULL, "Strict", "None", "Lax"));
+	ck_assert_int_eq(oidc_cfg_cookie_same_site_session_get(cfg), OIDC_SAMESITE_COOKIE_STRICT);
+	ck_assert_int_eq(oidc_cfg_cookie_same_site_state_get(cfg), OIDC_SAMESITE_COOKIE_NONE);
+	ck_assert_int_eq(oidc_cfg_cookie_same_site_discovery_csrf_get(cfg), OIDC_SAMESITE_COOKIE_LAX);
+
+	ck_assert_ptr_null(oidc_cmd_cookie_same_site_session_set(cmd, NULL, "Lax", "Lax", "None"));
+	ck_assert_int_eq(oidc_cfg_cookie_same_site_session_get(cfg), OIDC_SAMESITE_COOKIE_LAX);
+	ck_assert_int_eq(oidc_cfg_cookie_same_site_state_get(cfg), OIDC_SAMESITE_COOKIE_LAX);
+	ck_assert_int_eq(oidc_cfg_cookie_same_site_discovery_csrf_get(cfg), OIDC_SAMESITE_COOKIE_NONE);
+}
+END_TEST
+
 int main(void) {
 	TCase *core = tcase_create("core");
 	tcase_add_checked_fixture(core, oidc_test_setup, oidc_test_teardown);
@@ -133,6 +177,7 @@ int main(void) {
 #ifdef USE_MEMCACHE
 	tcase_add_test(core, test_cfg_cache_connections_ttl);
 #endif
+	tcase_add_test(core, test_cmd_cookie_same_site);
 
 	Suite *s = suite_create("cfg");
 	suite_add_tcase(s, core);