Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Chunked cookies should not exceed browser max #237

Merged
merged 3 commits into from
Jun 3, 2021

Conversation

davidpatrick
Copy link
Contributor

We currently allow 96 characters leeway for cookie attribute size (browser cookie max size (4096 Bytes) minus CHUNK_BYTE_SIZE)

This is not enough for scenarios where the user provides many cookie options or longer cookie domain or path options.

Since the cookie attributes are dynamic and can be quite long, we can calculate the cookie attributes length from serializing an empty cookie with the same options and measuring it.

Same strategy as done over in auth0/nextjs-auth0#301

@davidpatrick davidpatrick requested a review from a team as a code owner May 20, 2021 20:10
@davidpatrick davidpatrick requested a review from adamjmcgrath May 20, 2021 20:10
Copy link
Contributor

@adamjmcgrath adamjmcgrath left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm - just one suggested change

lib/appSession.js Outdated Show resolved Hide resolved
@adamjmcgrath
Copy link
Contributor

@davidpatrick - the tests are failing because the max header size for Node 12 is 8KB

You could up it to 16kb on the circle CI environment NODE_OPTIONS=--max-http-header-size=16384 https://circleci.com/docs/2.0/env-vars/#setting-an-environment-variable-in-a-container

Or rewrite the tests to keep the header <8KB

@davidpatrick davidpatrick requested a review from adamjmcgrath May 28, 2021 19:36
delete cookieOptions.transient;
const cookies = req[COOKIES];
const { transient: cookieTransient , ...cookieOptions } = cookieConfig;
cookieOptions.expires = cookieTransient ? 0 : new Date(exp * 1000);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know this was the existing logic, but I noticed it's not correct.

If you want a session cookie expires should not be defined (it shouldn't be set to 0)

If (expires is) unspecified, the cookie becomes a session cookie. A session finishes when the client shuts down, and session cookies will be removed.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes

See nextjs-auth0 for reference https://github.com/auth0/nextjs-auth0/blob/main/src/auth0-session/cookie-store.ts#L44-L46 and https://github.com/auth0/nextjs-auth0/blob/main/tests/auth0-session/cookie-store.test.ts#L262-L271

delete cookieOptions.transient;
const cookies = req[COOKIES];
const { transient: cookieTransient , ...cookieOptions } = cookieConfig;
cookieOptions.expires = cookieTransient ? 0 : new Date(exp * 1000);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know this was the existing logic, but I noticed it's not correct.

If you want a session cookie expires should not be defined (it shouldn't be set to 0)

If (expires is) unspecified, the cookie becomes a session cookie. A session finishes when the client shuts down, and session cookies will be removed.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes

See nextjs-auth0 for reference https://github.com/auth0/nextjs-auth0/blob/main/src/auth0-session/cookie-store.ts#L44-L46 and https://github.com/auth0/nextjs-auth0/blob/main/tests/auth0-session/cookie-store.test.ts#L262-L271

delete cookieOptions.transient;
const cookies = req[COOKIES];
const { transient: cookieTransient , ...cookieOptions } = cookieConfig;
cookieOptions.expires = cookieTransient ? 0 : new Date(exp * 1000);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@davidpatrick I know this was the existing logic, but I noticed it's not correct.

If you want a session cookie expires should not be defined (it shouldn't be set to 0)

If (expires is) unspecified, the cookie becomes a session cookie. A session finishes when the client shuts down, and session cookies will be removed.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes

See nextjs-auth0 for reference https://github.com/auth0/nextjs-auth0/blob/main/src/auth0-session/cookie-store.ts#L44-L46 and https://github.com/auth0/nextjs-auth0/blob/main/tests/auth0-session/cookie-store.test.ts#L262-L271

Would you mind fixing it and adding a regression test? Either in this PR or another one before you do the release

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@davidpatrick - actually, aplogies, ignore me - I've just tested it and I get a sessoion cookie fine - so don't worry

@adamjmcgrath adamjmcgrath merged commit 631b360 into master Jun 3, 2021
@adamjmcgrath adamjmcgrath deleted the max-chunked-cookie-size branch June 3, 2021 16:25
@adamjmcgrath adamjmcgrath mentioned this pull request Jul 14, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants