fix(cookie): Throw on max cookie length (#116)

vvo · May 26, 2020 · 0e43729 · 0e43729
1 parent 3772b73
commit 0e43729
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 0 deletions.
diff --git a/lib/index.js b/lib/index.js
@@ -62,7 +62,13 @@ export async function applySession(
     async save() {
       const seal = await store.seal();
       const cookieValue = cookie.serialize(cookieName, seal, cookieOptions);
+      if (cookieValue.length > 4096) {
+        throw new Error(
+          `next-iron-session: Cookie length is too big ${cookieValue.length}, browsers will refuse it`,
+        );
+      }
       res.setHeader("set-cookie", [cookieValue]);
+      return cookieValue;
     },
     destroy() {
       store.clear();

diff --git a/lib/index.test.js b/lib/index.test.js
@@ -596,3 +596,26 @@ test("ironSession({password})", () => {
     `"next-iron-session: Missing parameter \`cookieName\`"`,
   );
 });
+
+test("it throws when cookie length is too big", () => {
+  return new Promise((done) => {
+    const handler = async (req) => {
+      req.session.set("user", "somevalue".repeat(500));
+      await expect(async function () {
+        await req.session.save();
+      }).rejects.toThrowErrorMatchingInlineSnapshot(
+        `"next-iron-session: Cookie length is too big 6341, browsers will refuse it"`,
+      );
+      done();
+    };
+    const wrappedHandler = withIronSession(handler, { password, cookieName });
+    wrappedHandler(
+      {
+        headers: { cookie: "" },
+      },
+      {
+        setHeader: jest.fn(),
+      },
+    );
+  });
+});