Set-Cookie exceeds CHUNK_BYTE_SIZE=4000 #296

Closed
indiejoseph opened this issue Feb 17, 2021 · 3 comments · Fixed by #301
Labels
bug Something isn't working

Comments

@indiejoseph

indiejoseph commented Feb 17, 2021

Description

We've just upgraded our project to v1.0.0, and it is working fine in the local environment with these env variables:

AUTH0_SESSION_NAME=ec
AUTH0_COOKIE_DOMAIN=localhost
AUTH0_COOKIE_TRANSIENT=false
AUTH0_COOKIE_HTTP_ONLY=true
AUTH0_COOKIE_SECURE=false
AUTH0_COOKIE_SAME_SITE=lax

However, when the project is deployed on Vercel with production environment variables, the callback is not able to Set-Cookie. Chrome shows "Invalid cookie", and I counted that the length of the Set-Cookie exceeded CHUNK_BYTE_SIZE=4000:

ec.0=[...]; Domain=.yourevercare.com; Path=/; Expires=Thu, 18 Feb 2021 07:36:02 GMT; HttpOnly; SameSite=Lax

This issue is caused by the chunking function: Set-Cookie includes the session chunk and the cookie attributes, but the chunking logic only takes the session value length into account.

Reproduction

Just like the example with the env variables below:

AUTH0_SESSION_NAME=ec
AUTH0_COOKIE_DOMAIN=.abc.com
AUTH0_COOKIE_TRANSIENT=false
AUTH0_COOKIE_HTTP_ONLY=true
AUTH0_COOKIE_SECURE=true
AUTH0_COOKIE_SAME_SITE=strict

Environment

Version: v1.0.0
Chrome: 88

@indiejoseph indiejoseph changed the title Set-Cookie exceed CHUNK_BYTE_SIZE=4000 Set-Cookie exceeds CHUNK_BYTE_SIZE=4000 Feb 17, 2021
@adamjmcgrath adamjmcgrath added the bug Something isn't working label Feb 17, 2021
@adamjmcgrath
Contributor

Thanks for raising this @indiejoseph - let me investigate this and get back to you

@adamjmcgrath
Contributor

adamjmcgrath commented Feb 18, 2021

Hi @indiejoseph - yep as you point out, the reproduction example creates the following cookie:

'ec.0=[... a 4kb string ...]; Domain=.abc.com; Path=/; Expires=Thu, 18 Feb 2021 07:36:02 GMT; HttpOnly; Secure; SameSite=Strict;'

Which, minus the value, is 105 ASCII characters (= 105 Bytes). So with the value of 4KB - this becomes 4105 Bytes, which goes over the 4096 Byte limit in Chrome.

I'll raise a PR shortly to reduce the Chunk size (or possibly try and take the cookie property's length into account)

@indiejoseph
Author

Yes, I think taking the cookie attributes' length into account would be better, because the path and domain length is arbitrary.
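
The size problem discussed in this thread, as an added example that is not part of the original comments and is not the SDK's code or the fix merged in #301: it contrasts chunking that budgets only the value with chunking that subtracts the cookie name and attributes from the 4096-byte limit. All function names are hypothetical, the session value is assumed to be ASCII (one byte per character), and the sample input is constructed from the reproduction settings.

```javascript
// Added example with hypothetical names; not the SDK's code.
const MAX_COOKIE_BYTES = 4096; // per-cookie limit cited in the thread for Chrome

// Build one Set-Cookie header value: name=value followed by its attributes.
function serializeCookie(name, value, attrs) {
  const parts = [`${name}=${value}`];
  if (attrs.domain) parts.push(`Domain=${attrs.domain}`);
  parts.push(`Path=${attrs.path || '/'}`);
  if (attrs.expires) parts.push(`Expires=${attrs.expires.toUTCString()}`);
  if (attrs.httpOnly) parts.push('HttpOnly');
  if (attrs.secure) parts.push('Secure');
  if (attrs.sameSite) parts.push(`SameSite=${attrs.sameSite}`);
  return parts.join('; ');
}

// Behaviour described in the issue: only the value length is budgeted.
function chunkByValueOnly(name, value, attrs, chunkSize = 4000) {
  const headers = [];
  for (let i = 0; i * chunkSize < value.length; i++) {
    const piece = value.slice(i * chunkSize, (i + 1) * chunkSize);
    headers.push(serializeCookie(`${name}.${i}`, piece, attrs));
  }
  return headers;
}

// Attribute-aware variant: budget = limit minus the bytes of name and attributes.
function chunkWithAttributes(name, value, attrs, maxBytes = MAX_COOKIE_BYTES) {
  const headers = [];
  for (let i = 0, offset = 0; offset < value.length; i++) {
    // Measure the header with an empty value to get the fixed overhead.
    const overhead = Buffer.byteLength(serializeCookie(`${name}.${i}`, '', attrs));
    const room = maxBytes - overhead;
    if (room <= 0) throw new Error('cookie name and attributes alone exceed the limit');
    headers.push(serializeCookie(`${name}.${i}`, value.slice(offset, offset + room), attrs));
    offset += room;
  }
  return headers;
}

// Constructed input: attributes from the reproduction, a 9000-character ASCII value.
const sampleAttrs = { domain: '.abc.com', expires: new Date(Date.UTC(2021, 1, 18, 7, 36, 2)),
  httpOnly: true, secure: true, sameSite: 'Strict' };
const sampleValue = 'A'.repeat(9000);
const tooBig = (headers) => headers.filter((h) => Buffer.byteLength(h) > MAX_COOKIE_BYTES).length;

console.log('value-only chunks over limit:', tooBig(chunkByValueOnly('ec', sampleValue, sampleAttrs)));
console.log('attribute-aware chunks over limit:', tooBig(chunkWithAttributes('ec', sampleValue, sampleAttrs)));
```

Because the overhead is measured per chunk, a longer Domain or Path shrinks the value budget instead of pushing the header past the limit.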
