Cookies set by oauthOidc -filters are occasionally too big #1089
Comments
@szuecs yes I will assign the issue to myself
Looks like we are hitting the same issue
It would be nice to have a test bed here, such that we can fix it more easily. @universam1 Do you want to work on a fix for the oidc filter? Not sure if splitting the cookie or if gzipping the cookie content could help. Split would be a fix that clearly works. What do you think?
Chrome says "Malformed Response Cookies: This set-cookie had invalid syntax". Example truncated:
I am happy to review your PR, or if you need guidance let us know!
Ok, sounds good. Is there any policy or suggestions from your side that would be valuable to know for an acceptable implementation?
Normal Go style, tests that show the problem and that your fix works. Simple is better. :) I guess you will add a function that checks cookie content size, gzip if too big, split into chunks of
This solves a cookie size overflow issue zalando#1089 where at some point the cookie is not accepted by the browser due to its size
* adding a `chunkCookie` function that splits an existing cookie based on limits defined at `cookieMaxSize`
* the value of `cookieMaxSize` is taken by well-known projects and verified with Chrome
* the approach is `non-deterministic` as the signature of cookies might change over time
* mergerCookies returns a single (virtual) cookie, ordered by the suffix
Signed-off-by: Samuel Lang <gh@lang-sam.de>
* adding OIDC Cookie chunk and merge functions
This solves a cookie size overflow issue #1089 where at some point the cookie is not accepted by the browser due to its size
* adding a `chunkCookie` function that splits an existing cookie based on limits defined at `cookieMaxSize`
* the value of `cookieMaxSize` is taken by well-known projects and verified with Chrome
* the approach is `non-deterministic` as the signature of cookies might change over time
* mergerCookies returns a single (virtual) cookie, ordered by the suffix
Signed-off-by: Samuel Lang <gh@lang-sam.de>
* implementing cookie chunks for OIDC
* leveraging the `chunkCookie` and at the response `mergerCookie` to split the data into valid chunks
* switching serialization to Base64 instead of Base16 since it reduces the transaction data by 33% and is considered common practice. It does not influence other cookies of Skipper
Signed-off-by: Samuel Lang <gh@lang-sam.de>
Thanks @universam1 your PR triggered the release: https://github.com/zalando/skipper/releases/tag/v0.11.30 |
This is the second part follow-up of zalando#1089 to properly deal with large JWT tokens and cookies. Tests showed that compression on the cookies pays off from >200 bytes payload, which is granted. Leveraging `sync.Pools`, which provide safe parallelization, and by reusing the writer also a smaller memory footprint; benchmarks included. `Deflate` compression is chosen after tests with similar algorithms, providing the best balance of simple implementation, speed and ratio. Signed-off-by: Samuel Lang <gh@lang-sam.de>
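An added example, not the PR's code, of the compress-then-encode step this commit describes: a pooled `flate` encoder deflates the cookie payload and unpadded URL-safe base64 keeps the result cookie-legal. The pool layout, function names and the claims payload used below are assumptions.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/base64"
	"io"
	"sync"
)

// writers is a sync.Pool of flate encoders (an assumed structure mirroring the
// commit's idea): compressing one cookie per request must not allocate a fresh
// encoder each time, and Reset makes the pooled writer safe to reuse.
var writers = sync.Pool{New: func() interface{} {
	w, _ := flate.NewWriter(nil, flate.BestCompression)
	return w
}}

// compressCookieValue deflates raw and encodes it as unpadded URL-safe base64,
// which contains no ';', ',', '=', '"' or whitespace and so is cookie-legal.
// Caveat: the compressed length reveals information about the plaintext, so
// only apply this to a payload that is encrypted afterwards and does not mix
// attacker-chosen text with secrets.
func compressCookieValue(raw []byte) string {
	var buf bytes.Buffer
	w := writers.Get().(*flate.Writer)
	w.Reset(&buf)
	w.Write(raw) // writes into a bytes.Buffer cannot fail
	w.Close()
	writers.Put(w)
	return base64.RawURLEncoding.EncodeToString(buf.Bytes())
}

// decompressCookieValue inverts compressCookieValue; malformed input is an
// error, never a partial payload.
func decompressCookieValue(v string) ([]byte, error) {
	compressed, err := base64.RawURLEncoding.DecodeString(v)
	if err != nil {
		return nil, err
	}
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	return io.ReadAll(r)
}
```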
Describe the bug
oauthOidc* -filters like oauthOidcAnyClaims set a cookie on the client. The cookie size easily reaches the maximum size that browsers accept (4096 bytes on Chrome?), causing the cookie to be dropped. With a basic OIDC setup, e.g. with Keycloak, the size of the cookie easily reaches 5100 bytes.
To Reproduce
Callback request sent after successful authentication to oidcp
Response headers:
Expected behavior
The cookie(s) fit within the browsers' limits, e.g. the big ones are split into smaller cookies and merged when read. As an example, keycloak-gatekeeper, which acts in a similar role from the OIDC point of view, splits the big cookies into smaller ones: https://github.com/keycloak/keycloak-gatekeeper/blob/master/cookies.go
Observed behavior
Cookies are rejected by Chrome and Safari because they are too big.