-
-
Notifications
You must be signed in to change notification settings - Fork 232
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cookie is too large #643
Comments
This is a known issue with cookies that they have a size limit. You can create your own cookie storage driver for the auth-helpers and handle cookie chunking in it. We had something we were working on to handle the chunking but we had issues in Safari. |
Can you point me in some direction on how to do this @silentworks? |
@silentworks I see that this has now been merged, thank you for fixing it. But how do I use it, my current code is the same as is the same as in the tutorial -> https://supabase.com/docs/guides/auth/server-side/creating-a-client?framework=sveltekit What do i need to change, update in order to get this to work? |
@tobiassern the update you saw here was related to |
@silentworks thank you for the update, looking forward to the updated guides. |
@tobiassern updated guides are now published. |
Hello guys, I've implemented the chunking as described in the new documentation and updated my package to 0.0.8. But it seems now the logout action doesn't actually log out the user anymore. Does someone else encounter the same issue or is this something on my end? I believe this issue is related/possibly the same. Since I now have 2 cookies with undefined living in my cookie storage at all times. Even when logged out. |
@mattiasbonte there was a bug in |
Hey @silentworks, I've downloaded the update and did a full test and now I see the But the logout functionality is still broken. The thing is, when the |
@mattiasbonte you will need to create a reproducible example of this as I've tested this on my side and cannot replicate this issue. |
You can have this code in the /**
* Supabase Client Side (Browser) Client.
* @info The server side client lives in `hooks.server.ts`
*/
const supabase = createBrowserClient(PUBLIC_SUPABASE_URL, PUBLIC_SUPABASE_ANON_KEY, {
global: {
fetch,
},
cookies: {
get(key) {
if (!isBrowser()) {
return JSON.stringify(data.session);
}
const cookie = combineChunks(key, (name) => {
const cookies = parse(document.cookie);
return cookies[name];
});
return cookie;
},
},
});
// should directly sign the user out after instantiation?
await supabase.auth.signOut();
// but nothing happens. @silentworks So when I use the supabase Does the signout action works on both your browserClient and serverClient? If yes, I will have to dig deeper. |
@mattiasbonte That is not how you would write a signout with the library. Please provide a reproducible Github repo, the snippets you are providing doesn't make much sense to someone else who doesn't have context of your project. Also you should probably create a new issue as this is no longer related to this original issue here. |
export const createSupabaseRouteHandlerClient = (anon: boolean = true): SupabaseClient<Database> => {
const cookieStore = cookies()
return sbSSR.createServerClient<Database>(
env.NEXT_PUBLIC_SUPABASE_URL!,
anon ? env.NEXT_PUBLIC_SUPABASE_ANON_KEY! : env.SUPABASE_SERVICE_ROLE_KEY!,
{
cookieOptions: getCookieOptions(),
cookies: {
get(name: string) {
return cookieStore.get(name)?.value
},
set(name: string, value: string, options: sbSSR.CookieOptions) {
console.log("cookie length", value.length)
cookieStore.set({ name, value, ...options })
},
remove(name: string, options: sbSSR.CookieOptions) {
cookieStore.set({ name, value: '', ...options })
},
},
}
)
} cookie length in chunk is 3143 But after encoding in Set-Cookie header value length is 4262 |
@dvvolynkin it would be useful to see the content your |
export const getCookieOptions = (): sbSSR.CookieOptions => {
const hostname = new URL(env.NEXT_PUBLIC_APP_URL).hostname;
const isHostSecure = env.NEXT_PUBLIC_APP_URL.startsWith('https://');
const twelveMonths = 60 * 60 * 24 * 30 * 12;
return {
domain: hostname,
path: '/',
secure: isHostSecure,
sameSite: 'none',
maxAge: twelveMonths
};
}; |
Ive made the changes posted in the guide here: eg added: import { combineChunks, createBrowserClient, isBrowser, parse } from '@supabase/ssr' however, get: The requested module '...@supabase_ssr.js?v=3acaaab5' does not provide an export named 'combineChunks' |
Sorry. Got it, 0.0.9 |
Im having the same exact issue. IM using the SSR package 0.0.10, and Sveltekit 2.0.0. While authenticating with Facebook and Magic Link I get a 500 Internal error and "Cookie "sb-******-auth-token.1" is too large, and will be discarded by the browser. I tried the combineChunk method, but didn't work. |
Got same issue as well. For us, we were setting avatar_local="server.com/v1/storage/etc/etc/uuid/img_name_is_really_long_for_some_random_reason_prob_ai_gen_image.webp?width=200 I noticed when a person uploads a large name image for their avatar, once we set the avatar_url in their user_info, login no longer worked. I think the chunks being made didn't account for large key:value items in the raw user metadata? Temp solution until chunking is improved. Avoid large key:value in the user data you save, and avoid saving lots of user data. |
Same issue here. Any update on the issue? |
Until the chunking is fixed I found a way around this by gzipping the chunk values like this in the setter:
and in the getter the reverse:
This seems to make them short enough to work for me, YMMV. |
Same issue trying the PKCE email and oauth flows with Supabase SSR. Any update? Thanks! |
@thibistaken which version of |
I just upgraded from |
Am I right in assuming that we need the chunking only because we store so much stuff in the cookies, much of it redundant information? Wouldn't it be enough to store only the access token and refresh token? All the other info can be derived from that server-side? |
Thank you for this, I had been struggling with Google OAuth not working for hours, once I narrowed it down to a cookie-setting issue (the cookie was too large)... I came across this issue... A |
Currently, this issue still exists even with latest supabase-js and supabase-ssr. |
Following up mb21's earlier comment, is there an ability to configure/whitelist claims that go to the client (and therefore the cookie) to a minimal set, so that it is present in postgres for use, but not emitted to the client? Size aside, some of the information in that cookie might test the boundaries of what GDPR would consider "strictly necessary." |
I have a socketio setup that connects to a python server which uses websockets. Apparently there's a hard limit of cookie size in header (8k) and my client keeps getting disconnected because of the large auth tokens created by supabase auth. Really hope there's a way to reduce the size. |
We are having the same issue with supabase/ssr. This not only breaks Nginx default config but also breaks Cloudflare. Some users have 2 chunks, some have 4. Even 2 chunks is dangerously close to standard header size limit when combined with other mid-sized cookies. |
This seems to be a consistent issue. Why don't you store just the |
I'm using Nuxt, and I've just gone through and updated all my project dependencies to the latest version. Seems to match @yekta's issue, and this is all on the latest versions of packages. EDIT: This is now a pretty critical issue for me, as it seems both Cloudflare and my NGINX reverse proxy are trashing requests with a cookie that is too long. |
Same issue here. Nextjs just stops processing requests. |
Same happens to me here. Vercel middleware is fully discarding all requests - there's too much data across all cookies combined and Vercel just discards the request |
Bug report
Describe the bug
I have a SvelteKit app that uses the latest
await supabase.auth.exchangeCodeForSession(code);
auth logic with Azure as the provider and everything works fine. However, if I attempt to expand my "scopes" withoffline_access
to get the provider_refresh_token, I get the following error:As soon as I remove
offline_access
, it works. It seems that too much data in put into the same cookie.Expected behavior
Maybe an option to have the provider details in a separate cookie or somehow be able to control how the session is stored in one or more cookies. The current implementation makes it impossible to get a hold of the provider_refresh_token, which is critical for our implementation.
The text was updated successfully, but these errors were encountered: