This repository has been archived by the owner on Jan 24, 2019. It is now read-only.

Oversize Cookie Alert #346

Merged
merged 1 commit into from
Mar 29, 2017

bdwyertech
Contributor

Cookies cannot be larger than 4kb

It took me a long while to debug this, no one else should ever have to.

This issue showed face whilst attempting to add refresh_token support to the Azure provider, which uses pretty large tokens.

With all the padding and whatnot, I was hitting 4264 bytes, which was simply triggering the alert:
Cookie "oauth2_proxy" not present

Cookies cannot be larger than 4kb
@bdwyertech
Contributor Author

bdwyertech commented Feb 23, 2017

@thenewwazoo you might want to take this into consideration in your Azure implementation.

Even without any groups (like you've added to the cookie), the combination of access_token and refresh_token alone makes the resulting cookie too large.

I've been dabbling with refresh_token support on my branch https://github.com/bdwyertech/oauth2_proxy/tree/bdwyertech

@thenewwazoo

Yeah, exploding cookie size was something I expected given that there are instances when a user in our org can be a member of literally hundreds of groups. The various filtering mechanisms were an attempt to corral that. I haven't yet encountered a scenario where cookie sizes get too big without groups, but I also haven't been tracking their actual size.

I'm tempted to bust group information out into an entirely separate cookie.

@jehiah jehiah merged commit 107b481 into bitly:master Mar 29, 2017
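
Added example (not code from this pull request or from oauth2_proxy): a Go sketch of the size check discussed in this thread, measuring the serialized cookie against the 4096-byte per-cookie size that RFC 6265 asks browsers to support. `buildSessionCookie` and `cookieSize` are hypothetical helpers, and the token lengths are constructed sample values.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// maxCookieBytes is the per-cookie size (name + value + attributes) that
// RFC 6265 asks browsers to support; larger cookies are commonly rejected.
const maxCookieBytes = 4096

// buildSessionCookie is a hypothetical stand-in for a proxy's session
// encoder: it packs both tokens into one base64url value. Real encoders
// also encrypt and sign, which adds further bytes.
func buildSessionCookie(name, accessToken, refreshToken string) *http.Cookie {
	raw := accessToken + "|" + refreshToken
	return &http.Cookie{
		Name:     name,
		Value:    base64.RawURLEncoding.EncodeToString([]byte(raw)),
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
	}
}

// cookieSize returns the length of the serialized Set-Cookie value and
// whether it exceeds maxCookieBytes.
func cookieSize(c *http.Cookie) (size int, oversize bool) {
	size = len(c.String())
	return size, size > maxCookieBytes
}

func main() {
	// Constructed token lengths, not real tokens.
	for _, n := range []int{1000, 1600} {
		tok := strings.Repeat("x", n)
		c := buildSessionCookie("oauth2_proxy", tok, tok)
		size, over := cookieSize(c)
		if over {
			fmt.Printf("WARNING: cookie %q is %d bytes (limit %d); the browser may drop it\n", c.Name, size, maxCookieBytes)
			continue
		}
		fmt.Printf("cookie %q is %d bytes, ok\n", c.Name, size)
	}
}
```

Running the check before the `Set-Cookie` header is written turns the silent failure described above (the cookie simply never comes back) into a log line that names the cause.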