Skip to content

Warn users when session cookies are split #483

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 12, 2020
Merged

Warn users when session cookies are split #483

merged 1 commit into from
Apr 12, 2020

Conversation

JoelSpeed
Copy link
Member

Description

Adds a warning to users when sessions are being split, recommending them to use a server side session storage implementation such as redis

Motivation and Context

To start potential changes inferred by #482

How Has This Been Tested?

Not tested but a minor change that shouldn't need much in the way of testing

Checklist:

  • My change requires a change to the documentation or CHANGELOG.
  • I have updated the documentation/CHANGELOG accordingly.
  • I have created a feature (non-master) branch for my PR.

steakunderscore
steakunderscore reviewed Apr 10, 2020
View reviewed changes
pkg/sessions/cookie/session_store.go Outdated
// it into a slice of cookies which fit within the 4kb cookie limit indexing
// the cookies from 0
func splitCookie(c *http.Cookie) []*http.Cookie {
logger.Printf("WARNING: Sessions exceeds 4kb cookie limit. Multiple cookies are required for this session. Please use server side session storage (eg. Redis).")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How do you feel about change WARNING to DEPRECATED?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My thinking was that we haven't officially decided to deprecate yet, so shouldn't say it's deprecated? I was thinking we would add deprecated once we have gathered more feedback, though, changing it now, might make it easier to get feedback? 🤔

loshz
loshz reviewed Apr 12, 2020
View reviewed changes
pkg/sessions/cookie/session_store.go Outdated
// it into a slice of cookies which fit within the 4kb cookie limit indexing
// the cookies from 0
func splitCookie(c *http.Cookie) []*http.Cookie {
logger.Printf("WARNING: Sessions exceeds 4kb cookie limit. Multiple cookies are required for this session. Please use server side session storage (eg. Redis).")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think something like this reads better:

Suggested change
logger.Printf("WARNING: Sessions exceeds 4kb cookie limit. Multiple cookies are required for this session. Please use server side session storage (eg. Redis).")
logger.Printf("WARNING: Multiple cookies are required for this session as it exceeds the 4kb cookie limit. Please use server side session storage (eg. Redis) instead")

@JoelSpeed
Copy link
Member Author

@syscll Applied your suggestion

@steakunderscore steakunderscore merged commit 4341ab4 into master Apr 12, 2020
@steakunderscore steakunderscore deleted the split-warning branch April 12, 2020 11:36
Jing-ze pushed a commit to Jing-ze/oauth2-proxy that referenced this pull request Nov 19, 2024
@johnlanni
support multi arch image (oauth2-proxy#483)
8048436
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
2 more reviewers

@steakunderscore steakunderscore steakunderscore approved these changes

@loshz loshz loshz approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@JoelSpeed @steakunderscore @loshz