Page MenuHomePhabricator
Create Task
Maniphest T264605

Apereo CAS expose CASCookieSameSite via profile::idp::client::http
Closed, ResolvedPublic
Actions

Description

In order to add additional security to none standard browsers we should explicitly set the SameSite cookie value[1][2] in apereo cas. It seems mod_auth_cas has a setting for this so it should be fairly trivial

[1]https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/
[2]https://web.dev/samesite-cookies-explained/#explicitly-state-cookie-usage-with-the-samesite-attribute

Details

SubjectRepoBranchLines +/-
P:idp::client::http:site: add support for same site cookieoperations/puppetproduction+11 -0
Customize query in gerrit

Event Timeline

jbond renamed this task from Apereo CAS expose CASCookieSameSite cia profile::idp::client::http to Apereo CAS expose CASCookieSameSite via profile::idp::client::http .Oct 5 2020, 12:53 PM
jbond created this task.
MoritzMuehlenhoff subscribed.Oct 5 2020, 12:56 PM

The patch to support the setting is not yet in the released or packaged versions of libapache2-mod-auth-cas, but if it works for us, I can reach out to the maintainer to cherrypick the patch

JMeybohm triaged this task as Medium priority.Oct 13 2020, 9:55 AM
MoritzMuehlenhoff claimed this task.Oct 23 2020, 1:10 PM

I've built an updated mod_cas package with SameSite cookie support for buster-wikimedia (not imported yet to apt.wikimedia.org), will run some tests next week.

jbond added a comment.May 27 2021, 4:42 PM

did this make it out?

jbond moved this task from Unsorted 💣 to Active 🚁 on the User-jbond board.May 27 2021, 4:42 PM
jbond added a comment.EditedJun 2 2021, 10:48 AM

I have created a package with SameSite Cookie support and Secure Cookie Support. I have tested this on https://idp-test-login.wmcloud.org/ and every thing seems to work fine. I will add this to apt and create the necessary puppet glue

Stashbot added a comment.Jun 2 2021, 11:01 AM

Mentioned in SAL (#wikimedia-operations) [2021-06-02T11:01:39Z] <jbond> upload libapache2-mod-auth-cas_1.2-1+wmf11u1_amd64.deb - #T264605

Stashbot added a comment.Jun 2 2021, 11:04 AM

Mentioned in SAL (#wikimedia-operations) [2021-06-02T11:04:54Z] <jbond> upload libapache2-mod-auth-cas_1.2-1 for buster and stretch - #T264605

Stashbot added a comment.Jun 2 2021, 11:08 AM

Mentioned in SAL (#wikimedia-operations) [2021-06-02T11:08:33Z] <jbond> update mod_auth_cas T264605

gerritbot added a comment.Jun 2 2021, 11:32 AM

Change 697730 had a related patch set uploaded (by Jbond; author: John Bond):

[operations/puppet@production] P:idp::client::http:site: add support for same site cookie

https://gerrit.wikimedia.org/r/697730

gerritbot added a project: Patch-For-Review.Jun 2 2021, 11:32 AM
jbond moved this task from Active 🚁 to Patch for Review on the User-jbond board.Jun 2 2021, 11:42 AM
gerritbot added a comment.Jun 8 2021, 7:40 AM

Change 697730 merged by Jbond:

[operations/puppet@production] P:idp::client::http:site: add support for same site cookie

https://gerrit.wikimedia.org/r/697730

jbond closed this task as Resolved.Jun 8 2021, 6:30 PM
jbond claimed this task.

This should be complete now please re-open if you still see issues, thanks

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL