Infinite authentication loop #33
Comments
|
Compressing the cookie with gzip brought it down to 3822 bytes. Maybe it makes sense to split it up into multiple cookies. |
|
That is a fair suggestion: I've done something similar for mod_auth_openidc in the past; OpenIDC/mod_auth_openidc#153 |
|
I just got hit by this issue while trying to make a sample using lua-resty-openidc & Keycloak. A full debug log of the infinite redirect can be found at: I didn't realize that was to the fact that the cookie was too big and browser won't store it. |
|
Ok, thanks for chiming in; on the short term I'll look to issue a clear warning about size limits, on the mid-term I'll implement chunked cookies. Of course PRs are welcome... |
|
I have now implemented chunked cookie support in Just grab the latest Also you may need to add something like this to your large_client_header_buffers 4 16k; |
|
@bungle thanks for your support. I patched my example with the code at rev 67b8354 and I can confirm that the infinite loop is gone. In my case the cookie was chunked in 2 pieces.
|
|
Same thing for me, a quick test works; I got my - artificially enlarged - session cookie split across 4 |
With 1.2.3 the encrypted id_token is saved in the session data (#29). This pushes the session cookie size above 4 kb with e.g. Azure Active Directory and thus the cookie will not be stored by most browsers.
Possible workarounds are to use a different session store. Using a gzip based session encoder might also be an option.
The text was updated successfully, but these errors were encountered: