
session cookie value is exceedingly long and fails Set-Cookie with invalid syntax #142

Closed
my3sons opened this issue Aug 4, 2020 · 2 comments

@my3sons

my3sons commented Aug 4, 2020

Hello,

We are deploying an Express app on Node 12.18.2 and this app is deployed in a docker container and running on OpenShift. When we deploy that container to our lower environments everything works fine, however when we deploy the app to our production cluster the session cookie is not getting set and what I am seeing is the following:

```
Server: Apache/2.4.6 (Red Hat Enterprise Linux)
Set-Cookie: session=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; path=/; expires=Mon, 03 Aug 2020 20:25:08 GMT; secure; httponly
Set-Cookie: session.sig=8Nqpg9Tb4xBO0xo3wXGa5-n6GiQ; path=/; expires=Mon, 03 Aug 2020 20:25:08 GMT; secure; httponly

This Set-Cookie had invalid syntax
```

Compare that with the cookie value that gets generated in one of our lower envs (see below) and it is obvious that something is very different in prod.

```
Server: Apache/2.4.6 (Red Hat Enterprise Linux)
Set-Cookie: session=eyJub3dJbk1pbnV0ZXMiOjI2NjA4MDcyLCJjbGFpbXMiOiIlN0IlMjJmaXJzdG5hbWUlMjIlM0ElMjJDYXJleSUyMiUyQyUyMmFpZCUyMiUzQSUyMmE2NjA3MDklMjIlMkMlMjJncm91cHMlMjIlM0ElNUIlMjJCQlktVS1SQVNDLUJTS1QtVUktQlVTUiUyMiU1RCU3RCIsImF1dGhlbnRpY2F0ZWQiOiJ0cnVlIn0=; path=/; expires=Mon, 03 Aug 2020 20:22:18 GMT; secure; httponly
Set-Cookie: session.sig=wZUBEZREs5han-GFVAAZsPcCWdA; path=/; expires=Mon, 03 Aug 2020 20:22:18 GMT; secure; httponly
```

Here is our cookie-session implementation (keys have been scrubbed):

```js
const express = require("express");
const cookieSession = require("cookie-session");

const app = express();

app.use(
  cookieSession({
    name: "session",
    keys: ["*********"], // scrubbed
    maxAge: 30 * 60000, // 30 minutes
  })
);
```

Any thoughts on what could be causing the cookie value to be what it is in prod?

Thanks for any help you can provide!

@dougwilson
Contributor

The length of the cookie is simply based on what you store in req.session. Here are the contents of your cookie above:

```json
{
  "nowInMinutes": 26608075,
  "claims": "%7B%22firstname%22%3A%22Carey%22%2C%22aid%22%3A%22a660709%22%2C%22groups%22%3A%5B%22*Accenture%20AppDev%22%2C%22*Application%20Architecture%22%2C%22*BBTG%20Virtual%20Estimators%22%2C%22*CED%22%2C%22*DTT-AllContingentWorkers-AllLocations%22%2C%22*EA%20NOW%22%2C%22*EAAS%20-%20Business%20Capabilities%22%2C%22*Emerging%20Platform%20Commerce%20API_mDot_Tablet%20Status%22%2C%22*Enterprise%20Service%20Platform%22%2C%22*ESPProductTeam%22%2C%22*Fast%20Bizman%20Users%22%2C%22*IS-AD%20Channels%20DotCom%20ACN%20Svcs%20On%22%2C%22*IT.ACN.Architecture%22%2C%22*MCCP%20Search%22%2C%22*MCE%20On-Shore%22%2C%22*MCE%20Technology%20Governance%22%2C%22*PUAM-users%22%2C%22*Tea%20Leaf%20Users%22%2C%22_US-All-Corp-Users%22%2C%22~DelBBY-U-hipchat-users%22%2C%22AccentureIntegrationTeam%22%2C%22Architects-CW%22%2C%22AZ-EntSandboxSub-BBY-AG4-AKS-Sandbox-RG-USC-Contributor%22%2C%22BBY%20ALM%20Users%22%2C%22BBY-CleanBoard%22%2C%22BBY-CleanBoard-INT%22%2C%22BBY-Corporate-ContractorsSub4%22%2C%22BBY-ESP-ADMIN%22%2C%22BBY-ICR-DEV%22%2C%22BBY-MFAEnable-USCorp%22%2C%22BBY-R-CS01CORP-APPS.Corp.IS.Dept.Apps.TechArch-FP-C%22%2C%22BBY-R-CS01CORP-Files.Corp.IS.940150.RES.PVCS-RO-FP-R%22%2C%22BBY-R-CS01CORP-Files.Corp.IS.RES.EntInfArch-FP-C%22%2C%22BBY-R-RSA-VPN-AP-U%22%2C%22BBY-R-STAR-SV-USERS%22%2C%22BBY-R-WTSOracleSQLDev-AP-U%22%2C%22BBY-R-WTSPeregrine-AP-U%22%2C%22BBY-R-WTSRemoteDesktop-AP-U%22%2C%22BBY-R-WTSSQLTools-AP-U%22%2C%22bby-t-pki-clientserver-std-manual%22%2C%22bby-t-pki-clientserver-std-manual-test%22%2C%22bby-t-pki-server-std-manual%22%2C%22BBY-U-AP-MMT-SystemAdmin-qa%22%2C%22BBY-U-AP-TeaLeaf-U%22%2C%22BBY-U-AVECTO-Developer%22%2C%22BBY-U-AVECTO-Restricted%22%2C%22Bby-u-contingentworkers-SubA%22%2C%22BBY-U-CQ1-S3-EXT-RW-DEV%22%2C%22BBY-U-CQ1-S3-INT-RW-DEV%22%2C%22BBY-U-JDA-SU-DEV%22%2C%22BBY-U-LCSExceptionUsers%22%2C%22bby-u-pki-rkm-datacenter-manual%22%2C%22bby-u-pki-rkm-datacenter-manual-test%22%2C%22BBY-U-RASC-BSKT-ADMIN-DEV%22%2C%22BBY-U-RASC-BSKT-ADMIN-PROD%22%2C%22BBY-U-RASC-BSKT-UI-BUSR%22%2C%22BBY-U-RASC-TFS-IT-DEV%22%2C%22BBY-U-RISS-LegArchiving%22%2C%22BBY-U-RISS-SelectiveArchiving-1%22%2C%22BBY-U-SecureAuth_SoftTokenUsers%22%2C%22BBY-U-slack-users%22%2C%22BBY-U-TM-Accenture%22%2C%22BBY-U-TM-AzDO-FMSMobile-DEV%22%2C%22BBY-U-TM-BestBuy%22%2C%22BBY-U-TM-CrashPlan-Self-Install%22%2C%22BBY-U-USERS-ELA-Prod-ESP_POWER%22%2C%22BBY-U-VPNUserAccess%22%2C%22C_IT_MCCP_DEV%22%2C%22C110-940150C%22%2C%22C110-940530C%22%2C%22Cisco-Segmentation-Business%22%2C%22ConsumerPrivacyReporting-Dev%22%2C%22EnterpriseRulesEngineCapability%22%2C%22ESPDevTeam%22%2C%22ESPIntegrationDev-ACN%22%2C%22FS_ONEDRIVE-USERS_POC%22%2C%22GGPTEST%22%2C%22Integration-ACN_Leads%22%2C%22iOS%20users%20req%207.0.6%22%2C%22LegalHoldReminder%22%2C%22MFAOutageComm%22%2C%22PPE-Standard-Policy%22%2C%22Sign%20Release%203%20Delivery%22%2C%22StaticScanningCustomers%22%2C%22US-All-ContractorsSub4%22%2C%22US-All-Employees-CW-A.B%22%2C%22US-BBY-AllContingentWorkers%22%2C%22X_LastPassUsers%22%5D%7D",
  "authenticated": "true"
}
```

It seems you need to reduce the size of your claims value or convert to a server side session store.

@my3sons
Author

my3sons commented Aug 4, 2020

Doh! That totally makes sense now and clearly indicates where our problem is, thanks Doug!
