Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1791264

Summary: Backport SameSite=None cookie from upstream to support latest browsers [rhel-7.9.z]
Product: Red Hat Enterprise Linux 7 Reporter: Jakub Hrozek <jhrozek>
Component: mod_auth_mellonAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA QA Contact: Scott Poore <spoore>
Severity: high Docs Contact:
Priority: urgent    
Version: 7.7CC: afarley, apitanga, asah, dpathak, gandavar, hokuda, jreznik, kwalker, lakagwu, mthacker, roshan.hendahewa, spoore, sssd-qe, thalman, tscherf
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: sync-to-jira
Fixed In Version: mod_auth_mellon-0.14.0-9.el7_9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1791262 Environment:
Last Closed: 2020-11-10 13:11:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1791262    
Bug Blocks:    
Attachments:
Description Flags
mod_auth_mellon samesite=none enabled chrome test
none
mod_auth_mellon samesite=none NOT enabled chrome test none

Description Jakub Hrozek 2020-01-15 11:21:21 UTC 
+++ This bug was initially created as a clone of Bug #1791262 +++

Description of problem:
With Chrome 80 in February, Chrome will treat cookies that have no declared SameSite value as SameSite=Lax cookies. Only cookies with the SameSite=None; Secure setting will be available for external access, provided they are being accessed from secure connections.

In mellon, this could prevent 3rd party IDPs from being accessed, see the upstream commit: https://github.com/latchset/mod_auth_mellon/pull/8

The upstream commit also links to an excellent Chromium blog post.

Version-Release number of selected component (if applicable):
whatever we ship in RHEL now

How reproducible:
unknown

Steps to Reproduce:
1. inspect the mellon cookie
2.
3.

Actual results:
SameSite=Lax

Expected results:
SameSite=None

Additional info:
Comment 6 Roshan 2020-08-24 01:25:43 UTC 
Hi Guys,

What's the status of this? Has this been fixed for RHEL 7.8?

Thanks,
Roshan
Comment 7 Jakub Hrozek 2020-08-24 06:39:20 UTC 
(In reply to Roshan from comment #6)
> Hi Guys,
> 
> What's the status of this? Has this been fixed for RHEL 7.8?
> 
> Thanks,
> Roshan

No, this is so far not fixed in RHEL-7.
Comment 31 Roshan 2020-10-11 22:13:38 UTC 
Hi Guys,

I see some activity here. Are we going to have the mellon package updated soon for RHEL 7? What can we do as a customer to get this patch released faster as the issue is getting more noticeable day by day?

Thanks,
Roshan
Comment 35 Jakub Hrozek 2020-10-12 16:32:47 UTC 
(In reply to Roshan from comment #31)
> Hi Guys,
> 
> I see some activity here. Are we going to have the mellon package updated
> soon for RHEL 7? What can we do as a customer to get this patch released
> faster as the issue is getting more noticeable day by day?
> 
> Thanks,
> Roshan

It is targetting 7.9.1. If you'd like to get access to test packages before the fix is QA-d and released, I can upload them somewhere.
Comment 38 Scott Poore 2020-10-12 18:53:13 UTC 
Verified.

Version ::

mod_auth_mellon-0.14.0-9.el7_9.x86_64

Results ::

Basic Regression tests run with no issues found.

Settup with SameSite=None enabled:

[root@web1 conf.d]# cat mellon_example_app_mellon_keycloak_master.conf
<Location /mellon>
    MellonEnable info
    MellonEndpointPath /mellon/mellon/
    MellonSPMetadataFile /etc/httpd/saml2/mellon_example_app_sp_metadata.xml
    MellonSPPrivateKeyFile /etc/httpd/saml2/mellon_example_app.key
    MellonSPCertFile /etc/httpd/saml2/mellon_example_app.cert
    MellonIdPMetadataFile /etc/httpd/saml2/mellon_example_app_keycloak_master_idp_metadata.xml
    MellonIdP IDP
    MellonCookieSameSite None
    MellonSecureCookie On
</Location>

<Location /mellon/private>
    AuthType Mellon
    MellonEnable auth
    MellonPostReplay On
    Require valid-user
</Location>

MellonPostDirectory /var/cache/example_app_post_directory


Using Firefox [firefox-68.12.0-1.el7_8.x86_64] on RHEL 7.8:

HTTP/1.1 303 See Other
Date: Mon, 12 Oct 2020 18:45:04 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: mellon-cookie=a90095de5f76a30ee0e623ee18aacd19; Version=1; Path=/; Domain=web1.kite.test; HttpOnly; secure; SameSite=None;
Location: https://web1.kite.test:61443/mellon/private/
Content-Length: 251
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

Using Chrome [google-chrome-stable-85.0.4183.121-1.x86_64] to verify the options set in the cookies:

Shows secure checked and SameSite None.  Attaching image after this.

Default behavior:

[root@web1 conf.d]# vim mellon_example_app_mellon_keycloak_master.conf
[root@web1 conf.d]# grep Cookie mellon_example_app_mellon_keycloak_master.conf
    # MellonCookieSameSite None
    # MellonSecureCookie On
[root@web1 conf.d]# systemctl restart httpd

Firefox:

HTTP/1.1 303 See Other
Date: Mon, 12 Oct 2020 18:50:59 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: mellon-cookie=e756856807fced0267e8d20ea2f48838; Version=1; Path=/; Domain=web1.kite.test;
Location: https://web1.kite.test:61443/mellon/private/
Content-Length: 251
Keep-Alive: timeout=5, max=86
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

Chrome:

Shows nothing checked and nothing in SameSite field for session cookie.
Comment 39 Scott Poore 2020-10-12 18:54:04 UTC 
Created attachment 1721021 [details]
mod_auth_mellon samesite=none enabled chrome test
Comment 40 Scott Poore 2020-10-12 18:54:37 UTC 
Created attachment 1721022 [details]
mod_auth_mellon samesite=none NOT enabled chrome test
Comment 49 errata-xmlrpc 2020-11-10 13:11:52 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (mod_auth_mellon bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:5036