
Cookie chunking not working properly for longer domain names #8788

Closed
@aXtionTim

Description


Environment

  • System:
    OS: Linux 6.5 Arch Linux
  • Binaries:
    Node: 18.15.0 - ~/.nvm/versions/node/v18.15.0/bin/node
    npm: 9.6.2 - ~/.nvm/versions/node/v18.15.0/bin/npm
  • Browsers:
    Chromium: 117.0.5938.88
  • npmPackages:
    next: ^13.4.9 => 13.4.9
    next-auth: ^4.23.1 => 4.23.1
    react: ^18.2.0 => 18.2.0

Reproduction URL

http://example.com

Describe the issue

Using the Keycloak provider, I implemented the refresh token example. However, the JWT is very large, so the cookie gets chunked. I get these debug messages in development:

[next-auth][debug][CHUNKING_SESSION_COOKIE] {
  message: 'Session cookie exceeds allowed 4096 bytes.',
  emptyCookieSize: 163,
  valueSize: 5884,
  chunks: [ 4096, 2114 ]
}

Other than that, login goes fine.

When deployed to the test server (which I cannot share here, so the dummy URL), the same message appears in the logs (with debug mode turned on). However, I get a 502 response on the auth callback from the Nginx ingress. Checking the logs, I see this:

2023/10/04 07:48:29 [error] 30801#30801: *117289052 upstream sent too big header while reading response header from upstream, client: [...], server: [...], request: "GET /api/auth/callback/keycloak?state=[...]&session_state=[...]&code=[...] HTTP/2.0", upstream: [...], host: "[...]"

NB: The login goes fine, I can see in the Keycloak admin console that I am logged in, only the callback fails.
When I try to log in with a user with minimal rights (and a small JWT), the session cookie does not need to be chunked and the login and callback go fine.

The expected culprit

In src/core/lib/cookie.ts, an estimated value is used for the empty cookie size. This empty cookie size is based on the domain example.com. The domain in reality is probably much longer. This results in chunks for the session cookie that still exceed the 4k boundary.

The solution

Let me use an environment variable to set the domain (or use the existing env variable NEXTAUTH_URL) to calculate the empty cookie size, so the cookie chunks won't exceed the size limit anymore.

How to reproduce

  1. Create an app with a Keycloak provider
  2. Put the app in a Kubernetes cluster with an Nginx ingress
  3. Use a domain name that is longer than example.com
  4. Log in with a user with a large JWT, so the session cookie gets chunked
  5. The ingress returns a 502 response because the session cookie chunks are too large

Expected behavior

Chunked session cookies should use the current domain name to calculate the empty cookie size, not an estimate. Then the login would succeed, regardless of being chunked.
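The following is an added example, not next-auth's own code, that reproduces the sizing problem described in the issue and the fix the reporter proposes. All names (serializeCookie, emptyCookieSize, chunkCookie, countOversizedHeaders), the dummy 5884-byte token and the two domains are constructed for illustration; the only value taken from the issue is the 4096-byte limit and the token size from the debug output.

```javascript
// Added example, not next-auth's own code. It shows why a fixed
// "empty cookie size" estimated for example.com lets chunks overflow
// when the real Domain attribute is longer, and how measuring the
// overhead from the actual attributes avoids that.
const MAX_COOKIE_BYTES = 4096; // the per-cookie limit quoted in the issue

// Render one Set-Cookie header value (name=value plus attributes).
function serializeCookie(name, value, attrs) {
  const parts = [`${name}=${value}`];
  if (attrs.domain) parts.push(`Domain=${attrs.domain}`);
  if (attrs.path) parts.push(`Path=${attrs.path}`);
  if (attrs.expires) parts.push(`Expires=${attrs.expires.toUTCString()}`);
  if (attrs.httpOnly) parts.push("HttpOnly");
  if (attrs.secure) parts.push("Secure");
  if (attrs.sameSite) parts.push(`SameSite=${attrs.sameSite}`);
  return parts.join("; ");
}

// Overhead of a chunk header with an empty value, measured for the
// attributes that will really be sent. The ".00" suffix reserves room
// for the two-digit chunk index appended to the cookie name.
function emptyCookieSize(name, attrs) {
  return Buffer.byteLength(serializeCookie(`${name}.00`, "", attrs), "utf8");
}

// Split an ASCII cookie value (a JWT here) into chunks so that each
// rendered Set-Cookie header fits in MAX_COOKIE_BYTES. `overhead` defaults
// to the measured size; passing a fixed estimate reproduces the bug.
function chunkCookie(name, value, attrs, overhead = emptyCookieSize(name, attrs)) {
  const chunkSize = MAX_COOKIE_BYTES - overhead;
  if (chunkSize <= 0) throw new Error("cookie attributes alone exceed the limit");
  const chunks = [];
  for (let i = 0, n = 0; i < value.length; i += chunkSize, n += 1) {
    chunks.push({
      name: `${name}.${String(n).padStart(2, "0")}`,
      value: value.slice(i, i + chunkSize),
    });
  }
  return chunks;
}

// Reassemble chunks (ordered by their zero-padded index) into the original value.
function joinChunks(chunks) {
  return chunks
    .slice()
    .sort((a, b) => a.name.localeCompare(b.name))
    .map((c) => c.value)
    .join("");
}

// Count rendered Set-Cookie headers larger than the limit: the check a
// reverse proxy with a 4k header buffer effectively performs.
function countOversizedHeaders(chunks, attrs) {
  return chunks
    .map((c) => serializeCookie(c.name, c.value, attrs))
    .filter((h) => Buffer.byteLength(h, "utf8") > MAX_COOKIE_BYTES).length;
}

// Constructed inputs: a 5884-byte dummy token (the valueSize from the
// issue's debug output) and two hypothetical deployments.
const NAME = "__Secure-next-auth.session-token";
const TOKEN = "a".repeat(5884);
const baseAttrs = {
  path: "/", httpOnly: true, secure: true, sameSite: "Lax",
  expires: new Date("2023-11-04T00:00:00Z"),
};
const shortDomain = { ...baseAttrs, domain: "example.com" };
const longDomain = { ...baseAttrs, domain: "auth.some-very-long-tenant-name.k8s.internal.example.org" };

// Bug: overhead estimated for example.com, cookie actually sent for the long domain.
function chunksWithEstimate() {
  return chunkCookie(NAME, TOKEN, longDomain, emptyCookieSize(NAME, shortDomain));
}

// Fix: overhead measured from the attributes that are really sent.
function chunksWithMeasuredOverhead() {
  return chunkCookie(NAME, TOKEN, longDomain);
}

console.log("estimated overhead, oversized headers:", countOversizedHeaders(chunksWithEstimate(), longDomain));
console.log("measured overhead, oversized headers:", countOversizedHeaders(chunksWithMeasuredOverhead(), longDomain));
```

With the estimate the first chunk's header is longer than 4096 bytes by exactly the difference between the real domain and "example.com", which is the kind of oversized response header a proxy with a one-page header buffer (Nginx's proxy_buffer_size, for instance) refuses with a 502. Measuring the overhead from the attributes that are actually emitted keeps every header at or under the limit, and the round-trip through joinChunks confirms nothing is lost in the split.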

Metadata

Assignees

No one assigned

    Labels

    bug: Something isn't working
    invalid reproduction: The issue did not have a detectable valid reproduction URL
    triage: Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests
