Skip to content

Cookie chunking not working properly for longer domain names #8788

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
aXtionTim opened this issue Oct 4, 2023 · 1 comment · May be fixed by #12922
Closed

Cookie chunking not working properly for longer domain names #8788

aXtionTim opened this issue Oct 4, 2023 · 1 comment · May be fixed by #12922
Labels
bug Something isn't working invalid reproduction The issue did not have a detectable valid reproduction URL triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime.

Comments

@aXtionTim
Copy link

Environment

  • System:
    OS: Linux 6.5 Arch Linux
  • Binaries:
    Node: 18.15.0 - ~/.nvm/versions/node/v18.15.0/bin/node
    npm: 9.6.2 - ~/.nvm/versions/node/v18.15.0/bin/npm
  • Browsers:
    Chromium: 117.0.5938.88
  • npmPackages:
    next: ^13.4.9 => 13.4.9
    next-auth: ^4.23.1 => 4.23.1
    react: ^18.2.0 => 18.2.0

Reproduction URL

http://example.com

Describe the issue

Using the Keycloak provider, I implemented the refresh token example. However, the JWT is very large, so the cookie gets chunked. I get these debug messages in development:

[next-auth][debug][CHUNKING_SESSION_COOKIE] {
  message: 'Session cookie exceeds allowed 4096 bytes.',
  emptyCookieSize: 163,
  valueSize: 5884,
  chunks: [ 4096, 2114 ]
}

Other than that, login goes fine.

When deployed to the test server (which I cannot share here, so the dummy URL), the same message appears in the logs (with debug mode turned on). However, I get a 502 response on the auth callback from the Nginx ingress. Checking the logs, I see this:

2023/10/04 07:48:29 [error] 30801#30801: *117289052 upstream sent too big header while reading response header from upstream, client: [...], server: [...], request: "GET /api/auth/callback/keycloak?state=[...]&session_state=[...]&code=[...] HTTP/2.0", upstream: [...], host: "[...]"

NB: The login goes fine, I can see in the Keycloak admin console that I am logged in, only the callback fails.
When I try to log in with a user with minimal rights (and a small JWT), the session cookie does not need to be chuncked and the login and callback go fine.

The expected culprit

In src/core/lib/cookie.ts, an estimated value is used for the empty cookie size. This empty cookie size is based on the domain example.com. The domain in reality is probably much longer. This results in chuncks for the session cookie that still exceed the 4k boundary.

The solution

Let me use an environment variable to set the domain (or use the existing env variable NEXTAUTH_URL) to calculate the empty cookie size, so the cookie chunks won't exceed the size limit anymore.

How to reproduce

  1. Create an app with a Keycloak provider
  2. Put the app in a Kubernetes cluster with an Nginx ingress
  3. Use a domain name that is longer than example.com
  4. Log in with a user with a large JWT, so the session cookie gets chunked
  5. The ingress returns a 502 response because the session cookie chunks are too large

Expected behavior

Chucked session cookies should use the current domain name to calculate the empty cookie size, not an estimate. Then the login would succeed, regardless of being chunked.
@aXtionTim aXtionTim added bug Something isn't working triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime. labels Oct 4, 2023
@github-actions github-actions bot closed this as completed Oct 4, 2023
@github-actions
Copy link

github-actions bot commented Oct 4, 2023

We could not detect a valid reproduction link. Make sure to follow the bug report template carefully.

Why was this issue closed?

To be able to investigate, we need access to a reproduction to identify what triggered the issue. We need a link to a public GitHub repository. Example: (NextAuth.js example repository).

The bug template that you filled out has a section called "Reproduction URL", which is where you should provide the link to the reproduction.

  • If you did not provide a link or the link you provided is not valid, we will close the issue.
  • If you provide a link to a private repository, we will close the issue.
  • If you provide a link to a repository but not in the correct section, we will close the issue.

What should I do?

Depending on the reason the issue was closed, you can do the following:

  • If you did not provide a link, please open a new issue with a link to a reproduction.
  • If you provided a link to a private repository, please open a new issue with a link to a public repository.
  • If you provided a link to a repository but not in the correct section, please open a new issue with a link to a reproduction in the correct section.

In general, assume that we should not go through a lengthy onboarding process at your company code only to be able to verify an issue.

My repository is private and cannot make it public

In most cases, a private repo will not be a sufficient minimal reproduction, as this codebase might contain a lot of unrelated parts that would make our investigation take longer. Please do not make it public. Instead, create a new repository using the templates above, adding the relevant code to reproduce the issue. Common things to look out for:

  • Remove any code that is not related to the issue. (pages, API Routes, components, etc.)
  • Remove any dependencies that are not related to the issue.
  • Remove any third-party service that would require us to sign up for an account to reproduce the issue.
  • Remove any environment variables that are not related to the issue.
  • Remove private packages that we do not have access to.
  • If the issue is not related to a monorepo specifically, try to reproduce the issue without a complex monorepo setup

I did not open this issue, but it is relevant to me, what can I do to help?

Anyone experiencing the same issue is welcome to provide a minimal reproduction following the above steps by opening a new issue.

I think my reproduction is good enough, why aren't you looking into it quickly?

We look into every issue and monitor open issues for new comments.

However, sometimes we might miss a few due to the popularity/high traffic of the repository. We apologize, and kindly ask you to refrain from tagging core maintainers, as that will usually not result in increased priority.

Upvoting issues to show your interest will help us prioritize and address them as quickly as possible. That said, every issue is important to us, and if an issue gets closed by accident, we encourage you to open a new one linking to the old issue and we will look into it.

Useful Resources

@github-actions github-actions bot added the invalid reproduction The issue did not have a detectable valid reproduction URL label Oct 4, 2023
@github-actions github-actions bot locked and limited conversation to collaborators Oct 4, 2023
lexcao added a commit to lexcao/next-auth that referenced this issue Apr 29, 2025
@lexcao
feat(cookie): increase CHUNK_SIZE of cookie
4751d22 
There is no better way to modify the CHUNK_SIZE constant value.
I am trying to increase it directly.
Please check if it is acceptable.

fixes nextauthjs#8788
lexcao added a commit to lexcao/next-auth that referenced this issue Apr 29, 2025
@lexcao
feat(cookie): decrease CHUNK_SIZE of cookie
c3b9c4a 
There is no better way to modify the CHUNK_SIZE constant value.
I am trying to decrease it directly.
Please check if it is acceptable.

fixes nextauthjs#8788
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug Something isn't working invalid reproduction The issue did not have a detectable valid reproduction URL triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(cookie): decrease CHUNK_SIZE of cookie lexcao/next-auth
1 participant
@aXtionTim