OIDCCookieSameSite clarification #685

OlivierBOEL · 2021-09-20T06:09:32Z

OlivierBOEL
Sep 20, 2021

Hello,

I'm puzzled about this comment.
From my experice with mod_auth_openidc v2.3.7, it looks like SameSite attribute is set to strict after 10% of OIDCSessionInactivityTimeout (with a max. of 60 seconds).
Could this code explain what I've obeserved?
Or did I miss something?

Thanks,

Olivier

zandbelt · 2021-09-20T06:16:52Z

zandbelt
Sep 20, 2021
Maintainer

the idea is to set the cookie to Lax immediately after returning from the OP since that's the only value that works after a redirect; after that, i.e. upon the first update of the session, the cookie is set to Strict; the first update happens indeed faster than the inactivity timeout, but it is kind of cumbersome to explain all of that there since it is not that relevant...

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

OIDCCookieSameSite clarification #685

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

OIDCCookieSameSite clarification #685

Uh oh!

Uh oh!

OlivierBOEL Sep 20, 2021

Replies: 1 comment

Uh oh!

zandbelt Sep 20, 2021 Maintainer

OlivierBOEL
Sep 20, 2021

zandbelt
Sep 20, 2021
Maintainer