
Support multi-part UI cookies #20787

Merged
merged 5 commits into from
Feb 22, 2024

Conversation

@wendigo (Contributor) commented Feb 21, 2024

If the cookie value exceeds 4096 bytes (which is the limit for most browsers) it will be split into multiple cookies and then imploded on read.

Release notes: Fix UI authentication for large authentication tokens

@wendigo wendigo force-pushed the serafin/cookie-size-limit branch from 4db6391 to 0d3c8f5 on February 21, 2024 13:23

@Praveen2112 (Member) left a comment


One question on extending this to other cookies created/used by Trino as well.

@wendigo wendigo force-pushed the serafin/cookie-size-limit branch 3 times, most recently from ee89027 to 1a37953 on February 21, 2024 20:36

@Praveen2112 (Member) left a comment


I'm not a security expert; I would like to see @dain or @lukasz-walkiewicz review as well.

@wendigo wendigo force-pushed the serafin/cookie-size-limit branch from 1a37953 to dd5a49a on February 22, 2024 11:06
@wendigo wendigo force-pushed the serafin/cookie-size-limit branch from dd5a49a to ecc1e61 on February 22, 2024 13:54
When cookie name+value length exceeds 4096 bytes, it is silently rejected by most browsers
per https://datatracker.ietf.org/doc/html/rfc6265#section-6.1.

Since we don't control access & refresh token lengths and encryption scheme, we need to split
value and set/remove multiple cookies in such cases.
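The split-on-write, implode-on-read scheme described in the PR description and in the commit message above, as an added example that is not Trino's code. It assumes a part-naming scheme (part 0 keeps the base name, later parts get a `.N` suffix), a `count:` header on part 0 so the reader knows how many parts to expect, and ASCII token values (base64url/JWT-style, so character length equals byte length). The security-relevant check it adds is that an incomplete set of parts yields no token at all, rather than a truncated one, and that logout expires every part that was set:

```python
"""Split an oversized cookie value into several cookies and reassemble it.

Illustrative example written for this discussion; not Trino's implementation.
Part naming, the count header and the ASCII assumption are all assumptions.
"""
from typing import Dict, List, Optional, Tuple

# RFC 6265 section 6.1 requires user agents to support at least 4096 bytes
# per cookie (name plus value); most browsers silently drop anything larger.
MAX_COOKIE_SIZE = 4096

# Reserve room in every part for the longest assumed suffix (".NNN") and the
# count header on part 0 ("NNNN:"), so every part stays within the limit.
_OVERHEAD = 10


def part_name(name: str, index: int) -> str:
    """Assumed naming scheme: base name for part 0, '<name>.<i>' afterwards."""
    return name if index == 0 else f"{name}.{index}"


def split_cookie(name: str, value: str,
                 limit: int = MAX_COOKIE_SIZE) -> List[Tuple[str, str]]:
    """Return the (name, value) pairs to set so each fits within `limit`."""
    if not value.isascii():
        raise ValueError("token values are assumed to be ASCII")
    if len(name) + len(value) <= limit:
        return [(name, value)]          # fits: unchanged single cookie
    budget = limit - len(name) - _OVERHEAD
    if budget <= 0:
        raise ValueError("cookie name leaves no room for a value")
    chunks = [value[i:i + budget] for i in range(0, len(value), budget)]
    # Part 0 carries the part count so the reader can detect missing parts.
    parts = [(name, f"{len(chunks)}:{chunks[0]}")]
    parts += [(part_name(name, i), chunk) for i, chunk in enumerate(chunks[1:], 1)]
    return parts


def join_cookies(name: str, cookies: Dict[str, str]) -> Optional[str]:
    """Reassemble the value from request cookies; None if any part is missing.

    Assumes an unsplit token never starts with digits followed by ':'
    (true for base64url and JWT values).
    """
    first = cookies.get(name)
    if first is None:
        return None
    head, sep, rest = first.partition(":")
    if not sep or not head.isdigit():
        return first                    # not a split cookie
    count = int(head)
    if count < 1:
        return None
    parts = [rest]
    for i in range(1, count):
        chunk = cookies.get(part_name(name, i))
        if chunk is None:
            return None                 # fail closed: never return a truncated token
        parts.append(chunk)
    return "".join(parts)


def names_to_expire(name: str, cookies: Dict[str, str]) -> List[str]:
    """All part names present in the request, so removal clears every one."""
    return [n for n in cookies
            if n == name or (n.startswith(name + ".") and n[len(name) + 1:].isdigit())]


if __name__ == "__main__":
    # Constructed sample: a 10000-character token (far above the limit).
    token = "x" * 10000
    set_cookies = split_cookie("ui-token", token)
    print([(n, len(v)) for n, v in set_cookies])
    print(join_cookies("ui-token", dict(set_cookies)) == token)
```

On logout the server should emit an expiring `Set-Cookie` for every name returned by `names_to_expire`; clearing only the base name would leave stale fragments behind that a later, shorter token could be wrongly combined with.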
@wendigo wendigo force-pushed the serafin/cookie-size-limit branch from ecc1e61 to fba3819 on February 22, 2024 15:38

@wendigo (Contributor, Author) commented Feb 22, 2024

Just reworded last commit message.

@wendigo wendigo merged commit 386a3d4 into master Feb 22, 2024
3 of 13 checks passed
@wendigo wendigo deleted the serafin/cookie-size-limit branch February 22, 2024 15:38
@github-actions github-actions bot added this to the 440 milestone Feb 22, 2024