Bug 1791264
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Backport SameSite=None cookie from upstream to support latest browsers [rhel-7.9.z] | | |
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jakub Hrozek <jhrozek> |
| Component: | mod_auth_mellon | Assignee: | Jakub Hrozek <jhrozek> |
| Status: | CLOSED ERRATA | QA Contact: | Scott Poore <spoore> |
| Severity: | high | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 7.7 | CC: | afarley, apitanga, asah, dpathak, gandavar, hokuda, jreznik, kwalker, lakagwu, mthacker, roshan.hendahewa, spoore, sssd-qe, thalman, tscherf |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | sync-to-jira | | |
| Fixed In Version: | mod_auth_mellon-0.14.0-9.el7_9 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1791262 | Environment: | |
| Last Closed: | 2020-11-10 13:11:52 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1791262 | | |
| Bug Blocks: | | | |
| Attachments: | | | |
Description
Jakub Hrozek
2020-01-15 11:21:21 UTC

Hi Guys,

What's the status of this? Has this been fixed for RHEL 7.8?

Thanks,
Roshan

(In reply to Roshan from comment #6)
> Hi Guys,
>
> What's the status of this? Has this been fixed for RHEL 7.8?
>
> Thanks,
> Roshan

No, this is so far not fixed in RHEL-7.

Hi Guys,

I see some activity here. Are we going to have the mellon package updated soon for RHEL 7? What can we do as a customer to get this patch released faster as the issue is getting more noticeable day by day?

Thanks,
Roshan

(In reply to Roshan from comment #31)
> Hi Guys,
>
> I see some activity here. Are we going to have the mellon package updated
> soon for RHEL 7? What can we do as a customer to get this patch released
> faster as the issue is getting more noticeable day by day?
>
> Thanks,
> Roshan

It is targeting 7.9.1. If you'd like to get access to test packages before the fix is QA-d and released, I can upload them somewhere.

Verified.
Version ::
mod_auth_mellon-0.14.0-9.el7_9.x86_64
Results ::
Basic Regression tests run with no issues found.
Setup with SameSite=None enabled:
[root@web1 conf.d]# cat mellon_example_app_mellon_keycloak_master.conf
<Location /mellon>
MellonEnable info
MellonEndpointPath /mellon/mellon/
MellonSPMetadataFile /etc/httpd/saml2/mellon_example_app_sp_metadata.xml
MellonSPPrivateKeyFile /etc/httpd/saml2/mellon_example_app.key
MellonSPCertFile /etc/httpd/saml2/mellon_example_app.cert
MellonIdPMetadataFile /etc/httpd/saml2/mellon_example_app_keycloak_master_idp_metadata.xml
MellonIdP IDP
MellonCookieSameSite None
MellonSecureCookie On
</Location>
<Location /mellon/private>
AuthType Mellon
MellonEnable auth
MellonPostReplay On
Require valid-user
</Location>
MellonPostDirectory /var/cache/example_app_post_directory
Using Firefox [firefox-68.12.0-1.el7_8.x86_64] on RHEL 7.8:
HTTP/1.1 303 See Other
Date: Mon, 12 Oct 2020 18:45:04 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: mellon-cookie=a90095de5f76a30ee0e623ee18aacd19; Version=1; Path=/; Domain=web1.kite.test; HttpOnly; secure; SameSite=None;
Location: https://web1.kite.test:61443/mellon/private/
Content-Length: 251
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Using Chrome [google-chrome-stable-85.0.4183.121-1.x86_64] to verify the options set in the cookies:
Shows secure checked and SameSite None. Attaching image after this.
Default behavior:
[root@web1 conf.d]# vim mellon_example_app_mellon_keycloak_master.conf
[root@web1 conf.d]# grep Cookie mellon_example_app_mellon_keycloak_master.conf
# MellonCookieSameSite None
# MellonSecureCookie On
[root@web1 conf.d]# systemctl restart httpd
Firefox:
HTTP/1.1 303 See Other
Date: Mon, 12 Oct 2020 18:50:59 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: mellon-cookie=e756856807fced0267e8d20ea2f48838; Version=1; Path=/; Domain=web1.kite.test;
Location: https://web1.kite.test:61443/mellon/private/
Content-Length: 251
Keep-Alive: timeout=5, max=86
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Chrome:
Shows nothing checked and nothing in SameSite field for session cookie.
Created attachment 1721021: mod_auth_mellon samesite=none enabled chrome test

Created attachment 1721022: mod_auth_mellon samesite=none NOT enabled chrome test
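The two Set-Cookie headers captured in the verification above differ only in the attributes the backport adds (HttpOnly, Secure and SameSite=None). The following is an added example, not code from the bug report or from mod_auth_mellon: a small checker that parses a Set-Cookie header and reports why a browser with Lax-by-default SameSite handling (Chrome 80 and later) would drop the cookie on the cross-site POST that a SAML IdP sends back to the SP, which is the flow that breaks when MellonCookieSameSite is left unset. The function names and the rule list are assumptions of this example; the sample headers are the two from the test output.

```python
"""Check whether a Set-Cookie header survives a cross-site top-level POST.

Added example (not part of the bug report or of mod_auth_mellon). Rules
encoded here are the SameSite behaviour of current browsers: a missing
SameSite attribute is treated as Lax (Chrome's short "Lax+POST" grace
period for freshly set cookies aside), Lax/Strict cookies are withheld
from cross-site POSTs, and SameSite=None is only honoured with Secure.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the two headers in the verification output above.
SAMESITE_NONE_HEADER = (
    "Set-Cookie: mellon-cookie=a90095de5f76a30ee0e623ee18aacd19; Version=1; "
    "Path=/; Domain=web1.kite.test; HttpOnly; secure; SameSite=None;"
)
DEFAULT_HEADER = (
    "Set-Cookie: mellon-cookie=e756856807fced0267e8d20ea2f48838; Version=1; "
    "Path=/; Domain=web1.kite.test;"
)


@dataclass
class CookieAttrs:
    name: str
    value: str
    secure: bool
    httponly: bool
    samesite: Optional[str]  # "None", "Lax" or "Strict"; None when absent


def parse_set_cookie(header: str) -> CookieAttrs:
    """Parse a Set-Cookie line, with or without the 'Set-Cookie:' prefix."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    # mod_auth_mellon terminates the header with ';', so drop empty parts.
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    secure = httponly = False
    samesite: Optional[str] = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()  # attributes are case-insensitive ("secure")
        if key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
        elif key == "samesite":
            samesite = val.strip().capitalize() or None  # "none" -> "None"
    return CookieAttrs(name.strip(), value.strip(), secure, httponly, samesite)


def cross_site_post_problems(c: CookieAttrs) -> List[str]:
    """Reasons a modern browser would not attach this cookie to a cross-site
    top-level POST (such as a SAML response posted by the IdP to the SP)."""
    problems: List[str] = []
    if c.samesite is None:
        problems.append("no SameSite attribute: browsers default to Lax, "
                        "so the cookie is withheld from cross-site POSTs")
    elif c.samesite in ("Lax", "Strict"):
        problems.append(f"SameSite={c.samesite} is never sent on cross-site POSTs")
    elif c.samesite == "None" and not c.secure:
        problems.append("SameSite=None without Secure is rejected by browsers")
    if not c.secure:
        problems.append("Secure flag missing: session cookie can travel over plain HTTP")
    return problems


def report(header: str) -> str:
    """One-line verdict for a header, for a quick manual check."""
    problems = cross_site_post_problems(parse_set_cookie(header))
    return "OK" if not problems else "; ".join(problems)


if __name__ == "__main__":
    for label, hdr in (("SameSite=None enabled", SAMESITE_NONE_HEADER),
                       ("default", DEFAULT_HEADER)):
        print(f"{label}: {report(hdr)}")
```

Run against the two captured headers, the SameSite=None configuration passes and the default configuration is flagged twice (no SameSite, no Secure), which matches what the Chrome cookie inspector screenshots show.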
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (mod_auth_mellon bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:5036