
[server] Add warning when a cookie's length would exceed the RFC 6265 minimum user-agent support #5634

Closed
@panagiks

Description

🐣 Is your feature request related to a problem? Please describe.
We had a report in aiohttp-session (see aio-libs/aiohttp-session#574) that a user submitting a 'large' cookie had the cookie dropped by the receiving browser.

According to RFC 6265 - section 6.1:

General-use user agents SHOULD provide each of the following minimum capabilities:
o At least 4096 bytes per cookie (as measured by the sum of the length of the cookie's name, value, and attributes).

This means that cookies that exceed 4096 bytes in storage (not transmission) have a chance of being dropped by the user-agent, which is a case that is hard for a developer to 'guess'.

💡 Describe the solution you'd like
A warning log should be emitted if a cookie that would exceed the RFC minimum support is created in aiohttp server.

A challenge here is the definition of 'exceed' because aiohttp knows the transmitted size but the RFC refers to (and the user-agents seem to implement) a check on the final stored size of the cookie string, including all field names and values regardless of whether they were transmitted or filled in as defaults by the user-agent.

Describe alternatives you've considered
Implementing this check in aiohttp-session was briefly considered but rejected, since this is a general issue with cookies and not specific to aiohttp-session, so such a check could benefit all aiohttp users.

📋 Additional context
None.
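As an added illustration (not code from aiohttp or from the issue author): a Python check that measures both the transmitted Set-Cookie size and an estimate of the size a user-agent would store, filling in Domain and Path from the request when the server did not send them, which is assumed here to mirror the user-agent behaviour described above. It warns when either figure exceeds the RFC 6265 minimum of 4096 bytes.

```python
import logging
from http.cookies import SimpleCookie

# RFC 6265 section 6.1: a general-use user agent SHOULD store at least
# 4096 bytes per cookie (name + value + attributes).
RFC6265_MIN_COOKIE_BYTES = 4096

log = logging.getLogger("cookie_size_check")


def set_cookie_header(name, value, **attrs):
    """Render the Set-Cookie value as aiohttp does (via SimpleCookie).

    Attribute keywords use '_' for '-', e.g. max_age=3600, path="/".
    """
    jar = SimpleCookie()
    jar[name] = value
    for key, val in attrs.items():
        jar[name][key.replace("_", "-")] = val
    return jar[name].OutputString()


def default_path(request_path):
    """Default-path of RFC 6265 section 5.1.4: what the UA stores when no Path is sent."""
    if not request_path.startswith("/") or request_path.count("/") <= 1:
        return "/"
    return request_path.rsplit("/", 1)[0]


def estimate_stored_size(name, value, attrs, request_host, request_path):
    """Approximate what the UA stores: name, value and attributes, with Domain and
    Path filled in from the request when absent (assumption: mirrors UA behaviour)."""
    stored = {k.replace("_", "-").lower(): v for k, v in attrs.items()}
    stored.setdefault("domain", request_host)
    stored.setdefault("path", default_path(request_path))
    total = len(name) + len(value)
    for key, val in stored.items():
        total += len(key) + (0 if val is True else len(str(val)))  # flags carry no value
    return total


def check_cookie(name, value, request_host, request_path, **attrs):
    """Return (transmitted_bytes, estimated_stored_bytes, warned)."""
    transmitted = len(set_cookie_header(name, value, **attrs).encode("utf-8"))
    stored = estimate_stored_size(name, value, attrs, request_host, request_path)
    warned = max(transmitted, stored) > RFC6265_MIN_COOKIE_BYTES
    if warned:
        log.warning("cookie %r is %d bytes on the wire and about %d bytes stored; "
                    "user agents only guarantee %d", name, transmitted, stored,
                    RFC6265_MIN_COOKIE_BYTES)
    return transmitted, stored, warned
```

The second case below the limit on the wire but over it once defaults are counted is exactly the gap the issue describes: a 4070-byte value sent without Domain or Path to a page under /app comes to 4078 bytes transmitted but about 4102 bytes stored.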

Labels: Hacktoberfest, enhancement, good first issue