Replies: 2 comments
-
I agree that this would be a useful addition; just to make sure, you are using
Edit: thinking some more about this: in this situation one would typically use
-
Thank you for your response. Yes, setting the That is a good point regarding On that note, it looks like only the
-
There are cases where the Apache instance running mod_auth_openidc is not the one performing TLS termination.
For example, in containerized environments, such as cloud environments with edge TLS termination, the connection might be TLS-encrypted between the user-agent and the edge proxy but not between the edge proxy and the Apache instance running mod_auth_openidc.
In this case the Secure attribute for the OIDC cookie is still desired, but oidc_util_request_is_secure will return false and the Secure attribute is thus not set.
This is particularly bothersome in cases where SameSite=None is required, as it cannot be used without the Secure attribute.
A configuration option analogous to OIDCCookieHTTPOnly could be added for such cases to override the result of oidc_util_request_is_secure, where the default value Auto corresponds to the current behaviour.
For example:
A possible workaround is to set OIDC_SET_COOKIE_APPEND to include both Secure and SameSite=None.
Would it be possible to add such a directive to override the result of oidc_util_request_is_secure when it comes to setting the Secure attribute?
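The workaround from the post above, written out as an Apache httpd configuration fragment. This is an added example, not code from the original post or from the mod_auth_openidc project. It assumes that the edge proxy sets X-Forwarded-Proto itself on every forwarded request (overwriting anything the client sent), that the proxy connects from the 10.0.0.0/8 range (substitute the real address range), and that the value of OIDC_SET_COOKIE_APPEND is appended to the Set-Cookie header as-is with the module handling the separator; check the separator behaviour against the module version in use.

```apache
# Added example (not from the original post or the mod_auth_openidc project).
# Assumptions: the edge proxy always sets X-Forwarded-Proto and overwrites any
# client-supplied value; the proxy's source addresses are in 10.0.0.0/8; the
# OIDC_SET_COOKIE_APPEND value is appended verbatim to Set-Cookie.

# Naive form: unconditionally append the attributes. Correct only when every
# request reaching this instance came over TLS at the edge; on a plain-http
# deployment the browser would silently drop a cookie marked Secure.
# SetEnvIf Request_URI "^/" OIDC_SET_COOKIE_APPEND="Secure; SameSite=None"

# Conditional form: append Secure and SameSite=None only when the edge reports
# an https user-agent hop AND the request actually arrived from the edge proxy,
# so a client talking to Apache directly cannot spoof X-Forwarded-Proto to get
# (or suppress) the attributes. -R matches the peer address against a subnet.
SetEnvIfExpr "%{HTTP:X-Forwarded-Proto} == 'https' && -R '10.0.0.0/8'" \
    OIDC_SET_COOKIE_APPEND="Secure; SameSite=None"
```

Use mod_setenvif (SetEnvIf/SetEnvIfExpr) rather than mod_env's SetEnv here: SetEnvIf runs early in request processing, while SetEnv runs in the fixups phase, after the authentication phase in which mod_auth_openidc emits its cookies, so a SetEnv value would not be visible when the Set-Cookie header is built. If mod_remoteip is configured with RemoteIPHeader, the peer address seen by the -R test may already be the client address rather than the proxy's; in that case base the trust check on the mod_remoteip configuration instead.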