Index: /branches/rel_ag_9_4_5/uproxy/http_proxy/misc.c =================================================================== --- /branches/rel_ag_9_4_5/uproxy/http_proxy/misc.c (revision 20327) +++ /branches/rel_ag_9_4_5/uproxy/http_proxy/misc.c (working copy) @@ -4132,7 +4132,7 @@ smanager_data_t *sec_data = client_conn_data->smanager_data; temp_cookie_len = snprintf(temp_cookie, MAX_SET_COOKIE_SIZE, - "Set-Cookie: %s=erase;expires=%s; path=/; domain=%s;secure; samesite=Lax\r\n", + "Set-Cookie: %s=erase;expires=%s; path=/; domain=%s;secure; samesite=None\r\n", SEC_AN_CLIENTSEC_STAGE_COOKIE_NAME, EXPIRE_CLIENTSEC_COOKIE, sec_data->req_domain); Index: /branches/rel_ag_9_4_5/uproxy/http_proxy/parser.c =================================================================== --- /branches/rel_ag_9_4_5/uproxy/http_proxy/parser.c (revision 20327) +++ /branches/rel_ag_9_4_5/uproxy/http_proxy/parser.c (working copy) @@ -2606,14 +2606,14 @@ idle_timeout = role_p->session_lifecycle_policy_p->idle_timeout; } snprintf(cookie, MAX_SET_COOKIE_SIZE, - "\r\nSet-Cookie: %s=%s+%08x_%s;path=/;expires=%s%s%s%s samesite=Lax", + "\r\nSet-Cookie: %s=%s+%08x_%s;path=/;expires=%s%s%s%s samesite=None", cookie_str, session->site_id, session->session_id, session->signature, get_GMT_time(idle_timeout), domain, secureflag, httponlyflag); } else { snprintf(cookie, MAX_SET_COOKIE_SIZE, - "\r\nSet-Cookie: %s=%s+%08x_%s;path=/%s%s%s samesite=Lax", + "\r\nSet-Cookie: %s=%s+%08x_%s;path=/%s%s%s samesite=None", cookie_str, session->site_id, session->session_id, session->signature, domain, secureflag, httponlyflag); } Index: /branches/rel_ag_9_4_5/uproxy/http_proxy/smanager/sec_misc.c =================================================================== --- /branches/rel_ag_9_4_5/uproxy/http_proxy/smanager/sec_misc.c (revision 20327) +++ /branches/rel_ag_9_4_5/uproxy/http_proxy/smanager/sec_misc.c (working copy) @@ -45,10 +45,10 @@ #include #include "libinjection.h" -#define COOKIE_FOR_CLIENT_REFRESH_LOGIN_SUCCESS ";\r\nSet-Cookie: vpn_auto=true;path=/; secure; samesite=Lax;" -#define COOKIE_FOR_CLIENT_REFRESH_LOGIN_SUCCESS_HTTPONLY ";\r\nSet-Cookie: vpn_auto=true;path=/;secure;HttpOnly; samesite=Lax;" -#define COOKIE_FOR_PORTAL_ERROR_MESSAGE "_AN_msgID=-1;path=/prx/000/http/;expires=Thu, 01-Jan-1970 00:00:01 GMT;secure;samesite=Lax;" -#define COOKIE_FOR_PORTAL_ERROR_MESSAGE_STR "_AN_msgStr=\"\";path=/prx/000/http/;expires=Thu, 01-Jan-1970 00:00:01 GMT;secure;samesite=Lax;" +#define COOKIE_FOR_CLIENT_REFRESH_LOGIN_SUCCESS ";\r\nSet-Cookie: vpn_auto=true;path=/; secure; samesite=None;" +#define COOKIE_FOR_CLIENT_REFRESH_LOGIN_SUCCESS_HTTPONLY ";\r\nSet-Cookie: vpn_auto=true;path=/;secure;HttpOnly; samesite=None;" +#define COOKIE_FOR_PORTAL_ERROR_MESSAGE "_AN_msgID=-1;path=/prx/000/http/;expires=Thu, 01-Jan-1970 00:00:01 GMT;secure;samesite=None;" +#define COOKIE_FOR_PORTAL_ERROR_MESSAGE_STR "_AN_msgStr=\"\";path=/prx/000/http/;expires=Thu, 01-Jan-1970 00:00:01 GMT;secure;samesite=None;" @@ -1825,7 +1825,7 @@ if (msg_id == 639 && info_message!=NULL) { strcpy(msgID, info_message); } else { - snprintf(msgID, SESSION_COOKIE_SIZE, "_AN_msgID=%d;path=/prx/000/http/;secure;samesite=Lax;", msg_id); + snprintf(msgID, SESSION_COOKIE_SIZE, "_AN_msgID=%d;path=/prx/000/http/;secure;samesite=None;", msg_id); } } else if (info_message != NULL){ snprintf(portal_temp_string, MAX_APP_PRINT_SIZE, "%s", info_message); @@ -1838,7 +1838,7 @@ portal_temp_string[i] = ','; } } - snprintf(msgID, SESSION_COOKIE_SIZE, "_AN_msgStr=\"%s\";path=/prx/000/http/;secure;samesite=Lax;", portal_temp_string); + snprintf(msgID, SESSION_COOKIE_SIZE, "_AN_msgStr=\"%s\";path=/prx/000/http/;secure;samesite=None;", portal_temp_string); } if (type_code < SEC_PORTAL_ERROR_URLS && @@ -2329,7 +2329,7 @@ char msgID[SESSION_COOKIE_SIZE] = {0}; if (msg_id > -1) { - snprintf(msgID, SESSION_COOKIE_SIZE, "_AN_msgID=%d;path=/prx/000/http/;secure;samesite=Lax;", msg_id); + snprintf(msgID, SESSION_COOKIE_SIZE, "_AN_msgID=%d;path=/prx/000/http/;secure;samesite=None;", msg_id); } snprintf(redirect_url, sizeof(redirect_url), @@ -2362,10 +2362,10 @@ } if (*aa_clustered == 0) { snprintf(session_cookie_buffer, SESSION_COOKIE_SIZE, - "%s=%s; path=/%s; secure; samesite=Lax", sec_cookie_session_name, vsite->name, sec_get_domain_for_sp_cookie(sec_data)); + "%s=%s; path=/%s; secure; samesite=None", sec_cookie_session_name, vsite->name, sec_get_domain_for_sp_cookie(sec_data)); } else { snprintf(session_cookie_buffer, SESSION_COOKIE_SIZE, - "%s=%s; path=/%s; secure; samesite=Lax", ha_cookie_session_name, vsite->name, sec_get_domain_for_sp_cookie(sec_data)); + "%s=%s; path=/%s; secure; samesite=None", ha_cookie_session_name, vsite->name, sec_get_domain_for_sp_cookie(sec_data)); } /* if we have a url to bookmark, set a bookmark cookie */ @@ -2550,18 +2550,18 @@ if (vsite->vsite_type == SITE_EXCLUSIVE) { if (*aa_clustered == 0) { - data_p += sprintf(data_p, "%s=%s; path=/%s;expires=Thu, 01-Jan-1970 00:00:01 GMT;secure; samesite=Lax", sec_cookie_session_name, + data_p += sprintf(data_p, "%s=%s; path=/%s;expires=Thu, 01-Jan-1970 00:00:01 GMT;secure; samesite=None", sec_cookie_session_name, vsite->name, sec_get_domain_for_sp_cookie(sec_data)); } else { - data_p += sprintf(data_p, "%s=%s; path=/%s;expires=Thu, 01-Jan-1970 00:00:01 GMT;secure; samesite=Lax", ha_cookie_session_name, + data_p += sprintf(data_p, "%s=%s; path=/%s;expires=Thu, 01-Jan-1970 00:00:01 GMT;secure; samesite=None", ha_cookie_session_name, vsite->name, sec_get_domain_for_sp_cookie(sec_data)); } } else { // SITE_ALIAS need this cookie to identify which alias-site customer has chosen if (*aa_clustered == 0) { - data_p += sprintf(data_p, "%s=%s; path=/%s; secure; samesite=Lax", sec_cookie_session_name, + data_p += sprintf(data_p, "%s=%s; path=/%s; secure; samesite=None", sec_cookie_session_name, vsite->name, sec_get_domain_for_sp_cookie(sec_data)); } else { - data_p += sprintf(data_p, "%s=%s; path=/%s; secure; samesite=Lax", ha_cookie_session_name, + data_p += sprintf(data_p, "%s=%s; path=/%s; secure; samesite=None", ha_cookie_session_name, vsite->name, sec_get_domain_for_sp_cookie(sec_data)); } } @@ -2834,7 +2834,7 @@ } bcopy(sphost_p, portal_temp_string, sphost_len); portal_temp_string[sphost_len] = '\0'; - sprintf(sphost_buffer, "%s=%s;path=/;secure; samesite=Lax", SEC_AN_SPHOST_NAME, portal_temp_string); + sprintf(sphost_buffer, "%s=%s;path=/;secure; samesite=None", SEC_AN_SPHOST_NAME, portal_temp_string); if((session_p = strstr(end, "session=")) == NULL) { return SEC_FAIL; @@ -3276,21 +3276,21 @@ char cookie_escape[CLISEC_PREFIX_SIZE] = {0}; if (SEC_ISSET(sec_data->flags, SDAT_REQ_FROM_WCHAT)) { - snprintf(cookie_string, CLISEC_PREFIX_SIZE, "NSCOOKIE;localh;/;%s;secure;samesite=Lax", + snprintf(cookie_string, CLISEC_PREFIX_SIZE, "NSCOOKIE;localh;/;%s;secure;samesite=None", CLIENTSEC_COOKIE); } else { - snprintf(cookie_string, CLISEC_PREFIX_SIZE, "NSCOOKIE;localhost;/;%s;secure;samesite=Lax", + snprintf(cookie_string, CLISEC_PREFIX_SIZE, "NSCOOKIE;localhost;/;%s;secure;samesite=None", CLIENTSEC_COOKIE); } escape_string(cookie_string, cookie_escape, CLISEC_PREFIX_SIZE); if (SEC_ISSET(sec_data->vsite_p->common_flags, SEC_SETCOOKIE_HTTPONLY)) { snprintf(out_buf, MAX_SET_COOKIE_SIZE, - "Set-Cookie: %s=erase;expires=%s; path=/%s;secure;HttpOnly;samesite=Lax\r\n", cookie_escape, + "Set-Cookie: %s=erase;expires=%s; path=/%s;secure;HttpOnly;samesite=None\r\n", cookie_escape, EXPIRE_CLIENTSEC_COOKIE, sec_get_domain_for_sp_cookie(sec_data)); } else { snprintf(out_buf, MAX_SET_COOKIE_SIZE, - "Set-Cookie: %s=erase;expires=%s; path=/%s;secure;samesite=Lax\r\n", cookie_escape, + "Set-Cookie: %s=erase;expires=%s; path=/%s;secure;samesite=None\r\n", cookie_escape, EXPIRE_CLIENTSEC_COOKIE, sec_get_domain_for_sp_cookie(sec_data)); } @@ -3309,21 +3309,21 @@ int len; if (SEC_ISSET(sec_data->flags, SDAT_REQ_FROM_WCHAT)) { - snprintf(cookie_string, CLISEC_PREFIX_SIZE, "NSCOOKIE;localh;/;%s;secure;samesite=Lax", + snprintf(cookie_string, CLISEC_PREFIX_SIZE, "NSCOOKIE;localh;/;%s;secure;samesite=None", CLIENTSEC_JAVA_COOKIE); } else { - snprintf(cookie_string, CLISEC_PREFIX_SIZE, "NSCOOKIE;localhost;/;%s;secure;samesite=Lax", + snprintf(cookie_string, CLISEC_PREFIX_SIZE, "NSCOOKIE;localhost;/;%s;secure;samesite=None", CLIENTSEC_JAVA_COOKIE); } escape_string(cookie_string, cookie_escape, CLISEC_PREFIX_SIZE); if (SEC_ISSET(sec_data->vsite_p->common_flags, SEC_SETCOOKIE_HTTPONLY)) { snprintf(out_buf, MAX_SET_COOKIE_SIZE, - "Set-Cookie: %s=erase;expires=%s; path=/%s;secure;HttpOnly;samesite=Lax\r\n", cookie_escape, + "Set-Cookie: %s=erase;expires=%s; path=/%s;secure;HttpOnly;samesite=None\r\n", cookie_escape, EXPIRE_CLIENTSEC_COOKIE, sec_get_domain_for_sp_cookie(sec_data)); } else { snprintf(out_buf, MAX_SET_COOKIE_SIZE, - "Set-Cookie: %s=erase;expires=%s; path=/%s;secure;samesite=Lax\r\n", cookie_escape, + "Set-Cookie: %s=erase;expires=%s; path=/%s;secure;samesite=None\r\n", cookie_escape, EXPIRE_CLIENTSEC_COOKIE, sec_get_domain_for_sp_cookie(sec_data)); } return TRUE; @@ -3338,11 +3338,11 @@ { if (SEC_ISSET(sec_data->vsite_p->common_flags, SEC_SETCOOKIE_HTTPONLY)) { snprintf(out_buf, MAX_SET_COOKIE_SIZE, - "Set-Cookie: %s=2; path=/%s;secure;HttpOnly;samesite=Lax\r\n", + "Set-Cookie: %s=2; path=/%s;secure;HttpOnly;samesite=None\r\n", SEC_AN_CLIENTSEC_STAGE_COOKIE_NAME, sec_get_domain_for_sp_cookie(sec_data)); } else { snprintf(out_buf, MAX_SET_COOKIE_SIZE, - "Set-Cookie: %s=2; path=/%s;secure;samesite=Lax\r\n", + "Set-Cookie: %s=2; path=/%s;secure;samesite=None\r\n", SEC_AN_CLIENTSEC_STAGE_COOKIE_NAME, sec_get_domain_for_sp_cookie(sec_data)); } @@ -3354,7 +3354,7 @@ { char *value = sec_data->client_sec_info; snprintf(out_buf, MAX_SET_COOKIE_SIZE*2, - "%s%s; path=/%s; secure;samesite=Lax\r\n", CLIENTSEC_SETCOOKIE_PREFIX, + "%s%s; path=/%s; secure;samesite=None\r\n", CLIENTSEC_SETCOOKIE_PREFIX, value, sec_get_domain_for_sp_cookie(sec_data)); return TRUE; @@ -3527,7 +3527,7 @@ if (SEC_ISSET(site->common_flags, SEC_COOKIE_EXPIRE)) { data_p += sprintf(data_p, "expires=%s;", get_GMT_time(site->idle_timeout)); } - data_p += sprintf(data_p, "path=/;secure;samesite=Lax"); + data_p += sprintf(data_p, "path=/;secure;samesite=None"); if (SEC_ISSET(site->common_flags, SEC_SETCOOKIE_HTTPONLY)) { data_p += sprintf(data_p, ";HttpOnly"); } @@ -3598,7 +3598,7 @@ if (len >= buf_size) return; } - len += snprintf(data_p+len, buf_size-len, "path=/%s; secure; samesite=Lax", sec_get_domain_for_sp_cookie(sec_data)); + len += snprintf(data_p+len, buf_size-len, "path=/%s; secure; samesite=None", sec_get_domain_for_sp_cookie(sec_data)); if (len >= buf_size) return; if (SEC_ISSET(site->common_flags, SEC_SETCOOKIE_HTTPONLY)) { @@ -3631,7 +3631,7 @@ if (len >= buf_size) return; } - len += snprintf(data_p+len, buf_size-len, "path=/;domain=.%s;secure;samesite=Lax", domain); + len += snprintf(data_p+len, buf_size-len, "path=/;domain=.%s;secure;samesite=None", domain); if (len >= buf_size) return; if (SEC_ISSET(site->common_flags, SEC_SETCOOKIE_HTTPONLY)) { @@ -3643,7 +3643,7 @@ if (sec_session->username[0]) { len += snprintf(data_p+len, buf_size-len, - "\r\nSet-Cookie: username=%s;path=/;secure;samesite=Lax", sec_session->username); + "\r\nSet-Cookie: username=%s;path=/;secure;samesite=None", sec_session->username); if (len >= buf_size) return; if (SEC_ISSET(site->common_flags, SEC_SETCOOKIE_HTTPONLY)) { @@ -3685,7 +3685,7 @@ if ((masked_len > 0) && (escaped_hw_id[0])) { len += snprintf(data_p+len, buf_size-len, - "\r\nSet-Cookie: role_xid=%s_%s;path=/;secure;samesite=Lax;",escaped_hw_id, masked_pwd+8); + "\r\nSet-Cookie: role_xid=%s_%s;path=/;secure;samesite=None;",escaped_hw_id, masked_pwd+8); if (len >= buf_size) return; if (SEC_ISSET(site->common_flags, SEC_SETCOOKIE_HTTPONLY)) { len += snprintf(data_p+len, buf_size-len, ";HttpOnly"); @@ -3697,7 +3697,7 @@ if (SEC_ISSET(sec_data->vsite_p->common_flags, SEC_APP_SSO_DESKTOPDIRECT) && sec_session->app_sso_info.sso_account[0]) { - len += snprintf(data_p+len, buf_size-len, "\r\nSet-Cookie: sso_uname=%s;path=/;secure;samesite=Lax", + len += snprintf(data_p+len, buf_size-len, "\r\nSet-Cookie: sso_uname=%s;path=/;secure;samesite=None", sec_session->app_sso_info.sso_account); if (len >= buf_size) return; @@ -3708,7 +3708,7 @@ } if (sec_data->role_names[0]) { - len += snprintf(data_p+len, buf_size-len, "\r\nSet-Cookie: role_names=%s;path=/;secure;samesite=Lax", sec_data->role_names); + len += snprintf(data_p+len, buf_size-len, "\r\nSet-Cookie: role_names=%s;path=/;secure;samesite=None", sec_data->role_names); if (len >= buf_size) return; if (SEC_ISSET(site->common_flags, SEC_SETCOOKIE_HTTPONLY)) { len += snprintf(data_p+len, buf_size-len, ";HttpOnly"); @@ -3802,7 +3802,7 @@ session_id, AN_NAV_COOKIE_END); } - buffer_p += sprintf(buffer_p, ";expires=%s;path=/; secure;samesite=Lax", + buffer_p += sprintf(buffer_p, ";expires=%s;path=/; secure;samesite=None", get_GMT_time(31536000)); if (SEC_ISSET(sec_data->vsite_p->common_flags, SEC_SETCOOKIE_HTTPONLY)) { buffer_p += sprintf(buffer_p, ";HttpOnly"); @@ -14194,9 +14194,9 @@ } if (*aa_clustered == 0) { - cookie_len = sprintf(session_cookie_buffer, "%s=%s; path=/; secure;samesite=Lax", sec_cookie_session_name, found_vsite->name); + cookie_len = sprintf(session_cookie_buffer, "%s=%s; path=/; secure;samesite=None", sec_cookie_session_name, found_vsite->name); } else { - cookie_len = sprintf(session_cookie_buffer, "%s=%s; path=/; secure;samesite=Lax", ha_cookie_session_name, found_vsite->name); + cookie_len = sprintf(session_cookie_buffer, "%s=%s; path=/; secure;samesite=None", ha_cookie_session_name, found_vsite->name); } sec_generate_redirect(sec_data, "302 Redirect", SLEN("302 Redirect"), portal_temp_string, len, @@ -16540,7 +16540,7 @@ SEC_REWRITTEN_PREFIX, OAUTH_BIND_PATH); } - ret = snprintf(p, remain, "%s=%s;path=/prx/000/http/;secure;samesite=Lax;", SEC_AN_OAUTH_UID, oauth_uid); + ret = snprintf(p, remain, "%s=%s;path=/prx/000/http/;secure;samesite=None;", SEC_AN_OAUTH_UID, oauth_uid); if (ret >= remain) { ulog_error_conn(sec_data->client_conn, AMP_ULOG_SMANAGER, "OAuth oid is too long: %d", strlen(oauth_uid)); return; @@ -16558,7 +16558,7 @@ } if (sec_data->oauth_vendor) { - ret = snprintf(p, remain, "\r\nSet-Cookie:%s=%d;path=/prx/000/http/;secure;samesite=Lax;", SEC_AN_OAUTH_VENDOR_ID, sec_data->oauth_vendor); + ret = snprintf(p, remain, "\r\nSet-Cookie:%s=%d;path=/prx/000/http/;secure;samesite=None;", SEC_AN_OAUTH_VENDOR_ID, sec_data->oauth_vendor); if (ret >= remain) { ulog_error_conn(sec_data->client_conn, AMP_ULOG_SMANAGER, "OAuth vendor is too long."); return; @@ -16579,7 +16579,7 @@ if (oauth_auto_reauth) { ulog_info_default(PROXY_CONN_LOGIDX(sec_data->client_conn), AMP_ULOGF_MODULE_SMANAGER, ULOG_NO666, 85206,1,0,0,0,0,6); - ret = snprintf(p, remain, "\r\nSet-Cookie:%s=%d;path=/prx/000/http/;secure;samesite=Lax;", SEC_AN_OAUTH_AUTO_REAUTH, oauth_auto_reauth); + ret = snprintf(p, remain, "\r\nSet-Cookie:%s=%d;path=/prx/000/http/;secure;samesite=None;", SEC_AN_OAUTH_AUTO_REAUTH, oauth_auto_reauth); if (ret >= remain) { ulog_error_conn(sec_data->client_conn, AMP_ULOG_SMANAGER, "OAuth auto re-authentication flag is too long."); return;