
Apereo CAS expose CASCookieSameSite via profile::idp::client::http
Open, Medium, Public

Description

In order to add additional security to non-standard browsers we should explicitly set the SameSite cookie value [1][2] in Apereo CAS. It seems mod_auth_cas has a setting for this so it should be fairly trivial.

[1] https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/
[2] https://web.dev/samesite-cookies-explained/#explicitly-state-cookie-usage-with-the-samesite-attribute
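A defender-side check for the outcome this task aims at, added here as an example (it is not code from the task, Wikimedia's Puppet profile or mod_auth_cas): it parses Set-Cookie headers and flags the CAS session cookie when SameSite is missing, invalid, or None without Secure, the combination that the browser changes in [1] reject. The cookie name MOD_AUTH_CAS (mod_auth_cas's default) and the sample headers are assumptions/constructed input.

```python
from typing import Dict, List, Optional

VALID_SAMESITE = {"strict", "lax", "none"}

# Constructed sample Set-Cookie values as an Apache front end might emit them.
SAMPLE_HEADERS = [
    "MOD_AUTH_CAS=abc123; Path=/; Secure; HttpOnly",                 # no SameSite at all
    "MOD_AUTH_CAS=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",   # explicit, valid
    "MOD_AUTH_CAS=abc123; Path=/; HttpOnly; SameSite=None",          # None requires Secure
    "other=1; Path=/",                                               # unrelated cookie
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and a dict of attributes.

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to None because they carry no value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return {"name": name.strip(), "value": value, "attrs": attrs}


def check_samesite(header: str) -> str:
    """Classify a Set-Cookie header as ok, missing, invalid or none-without-secure."""
    attrs = parse_set_cookie(header)["attrs"]
    if "samesite" not in attrs:
        return "missing"  # browser default applies instead of an explicit policy
    value = (attrs["samesite"] or "").lower()
    if value not in VALID_SAMESITE:
        return "invalid"
    if value == "none" and "secure" not in attrs:
        return "none-without-secure"  # modern browsers drop such cookies
    return "ok"


def audit_cas_cookies(headers: List[str], cas_cookie: str = "MOD_AUTH_CAS") -> List[str]:
    """Return one verdict per header that sets the CAS session cookie (assumed name)."""
    return [check_samesite(h) for h in headers if parse_set_cookie(h)["name"] == cas_cookie]


if __name__ == "__main__":
    for header, verdict in zip(SAMPLE_HEADERS, audit_cas_cookies(SAMPLE_HEADERS)):
        print(f"{verdict:20s} {header}")
```

Feed it the Set-Cookie headers from a real login response (for example from curl -i against the IdP) to confirm the deployed setting before and after the change.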

Event Timeline

jbond renamed this task from Apereo CAS expose CASCookieSameSite cia profile::idp::client::http to Apereo CAS expose CASCookieSameSite via profile::idp::client::http. Oct 5 2020, 12:53 PM
jbond created this task.

The patch to support the setting is not yet in the released or packaged versions of libapache2-mod-auth-cas, but if it works for us, I can reach out to the maintainer to cherry-pick the patch.

JMeybohm triaged this task as Medium priority. Oct 13 2020, 9:55 AM

I've built an updated mod_cas package with SameSite cookie support for buster-wikimedia (not imported yet to apt.wikimedia.org), will run some tests next week.