RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1791264 - Backport SameSite=None cookie from upstream to support latest browsers [rhel-7.9.z]
Summary: Backport SameSite=None cookie from upstream to support latest browsers [rhel-...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: mod_auth_mellon
Version: 7.7
Hardware: Unspecified
OS: Unspecified
urgent
high
Target Milestone: rc
: ---
Assignee: Jakub Hrozek
QA Contact: Scott Poore
URL:
Whiteboard: sync-to-jira
Depends On: 1791262
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-01-15 11:21 UTC by Jakub Hrozek
Modified: 2024-10-01 16:27 UTC (History)
15 users (show)

Fixed In Version: mod_auth_mellon-0.14.0-9.el7_9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1791262
Environment:
Last Closed: 2020-11-10 13:11:52 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
mod_auth_mellon samesite=none enabled chrome test (276.84 KB, image/png)
2020-10-12 18:54 UTC, Scott Poore 		no flags Details
mod_auth_mellon samesite=none NOT enabled chrome test (270.27 KB, image/png)
2020-10-12 18:54 UTC, Scott Poore 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker SSSD-2798 0 None None None 2023-09-07 21:31:14 UTC
Red Hat Product Errata RHBA-2020:5036 0 None None None 2020-11-10 13:11:55 UTC

Description Jakub Hrozek 2020-01-15 11:21:21 UTC 
+++ This bug was initially created as a clone of Bug #1791262 +++

Description of problem:
With Chrome 80 in February, Chrome will treat cookies that have no declared SameSite value as SameSite=Lax cookies. Only cookies with the SameSite=None; Secure setting will be available for external access, provided they are being accessed from secure connections.

In mellon, this could prevent 3rd party IDPs from being accessed, see the upstream commit: https://github.com/latchset/mod_auth_mellon/pull/8

The upstream commit also links to an excellent Chromium blog post.

Version-Release number of selected component (if applicable):
whatever we ship in RHEL now

How reproducible:
unknown

Steps to Reproduce:
1. inspect the mellon cookie
2.
3.

Actual results:
SameSite=Lax

Expected results:
SameSite=None

Additional info:
Comment 6 Roshan 2020-08-24 01:25:43 UTC 
Hi Guys,

What's the status of this? Has this been fixed for RHEL 7.8?

Thanks,
Roshan
Comment 7 Jakub Hrozek 2020-08-24 06:39:20 UTC 
(In reply to Roshan from comment #6)
> Hi Guys,
> 
> What's the status of this? Has this been fixed for RHEL 7.8?
> 
> Thanks,
> Roshan

No, this is so far not fixed in RHEL-7.
Comment 31 Roshan 2020-10-11 22:13:38 UTC 
Hi Guys,

I see some activity here. Are we going to have the mellon package updated soon for RHEL 7? What can we do as a customer to get this patch released faster as the issue is getting more noticeable day by day?

Thanks,
Roshan
Comment 35 Jakub Hrozek 2020-10-12 16:32:47 UTC 
(In reply to Roshan from comment #31)
> Hi Guys,
> 
> I see some activity here. Are we going to have the mellon package updated
> soon for RHEL 7? What can we do as a customer to get this patch released
> faster as the issue is getting more noticeable day by day?
> 
> Thanks,
> Roshan

It is targetting 7.9.1. If you'd like to get access to test packages before the fix is QA-d and released, I can upload them somewhere.
Comment 38 Scott Poore 2020-10-12 18:53:13 UTC 
Verified.

Version ::

mod_auth_mellon-0.14.0-9.el7_9.x86_64

Results ::

Basic Regression tests run with no issues found.

Settup with SameSite=None enabled:

[root@web1 conf.d]# cat mellon_example_app_mellon_keycloak_master.conf
<Location /mellon>
    MellonEnable info
    MellonEndpointPath /mellon/mellon/
    MellonSPMetadataFile /etc/httpd/saml2/mellon_example_app_sp_metadata.xml
    MellonSPPrivateKeyFile /etc/httpd/saml2/mellon_example_app.key
    MellonSPCertFile /etc/httpd/saml2/mellon_example_app.cert
    MellonIdPMetadataFile /etc/httpd/saml2/mellon_example_app_keycloak_master_idp_metadata.xml
    MellonIdP IDP
    MellonCookieSameSite None
    MellonSecureCookie On
</Location>

<Location /mellon/private>
    AuthType Mellon
    MellonEnable auth
    MellonPostReplay On
    Require valid-user
</Location>

MellonPostDirectory /var/cache/example_app_post_directory


Using Firefox [firefox-68.12.0-1.el7_8.x86_64] on RHEL 7.8:

HTTP/1.1 303 See Other
Date: Mon, 12 Oct 2020 18:45:04 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: mellon-cookie=a90095de5f76a30ee0e623ee18aacd19; Version=1; Path=/; Domain=web1.kite.test; HttpOnly; secure; SameSite=None;
Location: https://web1.kite.test:61443/mellon/private/
Content-Length: 251
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

Using Chrome [google-chrome-stable-85.0.4183.121-1.x86_64] to verify the options set in the cookies:

Shows secure checked and SameSite None.  Attaching image after this.

Default behavior:

[root@web1 conf.d]# vim mellon_example_app_mellon_keycloak_master.conf
[root@web1 conf.d]# grep Cookie mellon_example_app_mellon_keycloak_master.conf
    # MellonCookieSameSite None
    # MellonSecureCookie On
[root@web1 conf.d]# systemctl restart httpd

Firefox:

HTTP/1.1 303 See Other
Date: Mon, 12 Oct 2020 18:50:59 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: mellon-cookie=e756856807fced0267e8d20ea2f48838; Version=1; Path=/; Domain=web1.kite.test;
Location: https://web1.kite.test:61443/mellon/private/
Content-Length: 251
Keep-Alive: timeout=5, max=86
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

Chrome:

Shows nothing checked and nothing in SameSite field for session cookie.
Comment 39 Scott Poore 2020-10-12 18:54:04 UTC 
Created attachment 1721021 [details]
mod_auth_mellon samesite=none enabled chrome test
Comment 40 Scott Poore 2020-10-12 18:54:37 UTC 
Created attachment 1721022 [details]
mod_auth_mellon samesite=none NOT enabled chrome test
Comment 49 errata-xmlrpc 2020-11-10 13:11:52 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (mod_auth_mellon bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:5036
Note You need to log in before you can comment on or make changes to this bug.