Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Chunked cookies should not exceed browser max #301

Merged
merged 2 commits into from
Feb 18, 2021
Merged

Chunked cookies should not exceed browser max #301

merged 2 commits into from
Feb 18, 2021

Conversation

adamjmcgrath
Copy link
Contributor

Description

We currently allow 96 characters leeway for cookie attribute size (browser cookie max size (4096 Bytes) minus CHUNK_BYTE_SIZE)

This is not enough for scenarios where the user provides many cookie options or longer cookie domain or path options.

Since the cookie attributes are dynamic and can be quite long, we can calculate the cookie attributes length from serializing an empty cookie with the same options and measuring it.

References

fixes: #296

Testing

  • Set a bunch of really long claims in your session (> 2000 chars) using the afterCallback hook

  • Specify a bunch of cookie options that will exceed 96 chars (eg a long cookie domain/path)

  • Login (you'll need to login on the same domain/path) and check the Size of your chunked appSession.{n} cookies in Chrome Devtools > Application > Cookie

  • They should not exceed 4095 (Chrome Devtools doesn't inlclude the =)

  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not main

@adamjmcgrath adamjmcgrath requested a review from a team as a code owner February 18, 2021 11:45
@vercel
Copy link

vercel bot commented Feb 18, 2021

This pull request is being automatically deployed with Vercel (learn more).
To see the status of your deployment, click below or on the icon next to each commit.

🔍 Inspect: https://vercel.com/auth0/nextjs-auth0/kj9jqhicz
✅ Preview: Canceled

@adamjmcgrath adamjmcgrath changed the title Cookie chunk size should be browser max minus cookie attribute length Chunked cookies should not exceed browser max Feb 18, 2021
@adamjmcgrath adamjmcgrath added the review:medium Medium review label Feb 18, 2021
panva
panva approved these changes Feb 18, 2021
View reviewed changes
Copy link
Collaborator

@panva panva left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, the same should be applied to express-openid-connect as well i assume.

@adamjmcgrath adamjmcgrath merged commit 8fa0230 into main Feb 18, 2021
@adamjmcgrath adamjmcgrath deleted the cookie-chunk-length branch February 18, 2021 12:01
@adamjmcgrath adamjmcgrath mentioned this pull request Feb 24, 2021
Merged
@davidpatrick davidpatrick mentioned this pull request May 20, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@panva panva panva approved these changes

Assignees
No one assigned
Labels
review:medium Medium review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Set-Cookie exceeds CHUNK_BYTE_SIZE=4000
2 participants
@adamjmcgrath @panva