Support multi-part UI cookies #20787

Merged
wendigo merged 5 commits into master from serafin/cookie-size-limit
Feb 22, 2024
@wendigo wendigo commented Feb 21, 2024

If a cookie value exceeds 4096 bytes (which is a limit for most of the browsers), it will be split into multiple cookies and then imploded on read.

Release notes: Fix UI authentication for large authentication tokens

@wendigo wendigo force-pushed the serafin/cookie-size-limit branch from 4db6391 to 0d3c8f5 Compare February 21, 2024 13:23
@Praveen2112 Praveen2112 left a comment

One question on extending this to other cookies created/used by Trino as well.

@wendigo wendigo force-pushed the serafin/cookie-size-limit branch 3 times, most recently from ee89027 to 1a37953 Compare February 21, 2024 20:36
@Praveen2112 Praveen2112 left a comment

I'm not a security expert, I would like to see @dain or @lukasz-walkiewicz review as well.

@wendigo wendigo force-pushed the serafin/cookie-size-limit branch from 1a37953 to dd5a49a Compare February 22, 2024 11:06
@wendigo wendigo force-pushed the serafin/cookie-size-limit branch from dd5a49a to ecc1e61 Compare February 22, 2024 13:54
When cookie name+value length exceeds 4096 bytes, it is silently rejected by most of the browsers
per https://datatracker.ietf.org/doc/html/rfc6265#section-6.1.

Since we don't control access & refresh token lengths and encryption scheme, we need to split
value and set/remove multiple cookies in such cases.
@wendigo wendigo force-pushed the serafin/cookie-size-limit branch from ecc1e61 to fba3819 Compare February 22, 2024 15:38
wendigo commented Feb 22, 2024

Just reworded last commit message.

@wendigo wendigo merged commit 386a3d4 into master Feb 22, 2024
@wendigo wendigo deleted the serafin/cookie-size-limit branch February 22, 2024 15:38
@github-actions github-actions bot added this to the 440 milestone Feb 22, 2024
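
The split-on-write, join-on-read scheme described in this PR, as an added example that is not Trino's code and not part of the original thread. The cookie name `example-token`, the `_<index>` suffix and the `MAX_PARTS` cap are assumptions made for illustration.

```java
import java.util.*;

public class MultipartCookieExample {
    static final int MAX_COOKIE_BYTES = 4096; // name + value limit cited in the PR
    static final int MAX_PARTS = 16;          // assumed cap on parts read or written

    // Hypothetical naming: part 0 keeps the base name, later parts get "_<index>".
    static String partName(String base, int index) {
        return index == 0 ? base : base + "_" + index;
    }

    // Assumes ASCII name and value (for example a base64url token), so chars == bytes.
    static Map<String, String> split(String base, String value) {
        Map<String, String> parts = new LinkedHashMap<>();
        int offset = 0;
        for (int i = 0; i == 0 || offset < value.length(); i++) {
            if (i >= MAX_PARTS) throw new IllegalArgumentException("value needs too many cookies");
            String name = partName(base, i);
            int end = Math.min(value.length(), offset + MAX_COOKIE_BYTES - name.length());
            parts.put(name, value.substring(offset, end));
            offset = end;
        }
        return parts;
    }

    // Reassemble in index order, stopping at the first missing part.
    static String join(String base, Map<String, String> requestCookies) {
        StringBuilder value = new StringBuilder();
        for (int i = 0; i < MAX_PARTS && requestCookies.containsKey(partName(base, i)); i++) {
            value.append(requestCookies.get(partName(base, i)));
        }
        return value.toString();
    }

    // Parts left from an earlier, longer value must be expired, or join() would append them.
    static List<String> staleParts(String base, int newPartCount, Map<String, String> requestCookies) {
        List<String> stale = new ArrayList<>();
        for (int i = newPartCount; i < MAX_PARTS; i++) {
            if (requestCookies.containsKey(partName(base, i))) stale.add(partName(base, i));
        }
        return stale;
    }

    public static void main(String[] args) {
        String token = "A".repeat(9000); // constructed sample value
        Map<String, String> parts = split("example-token", token);
        System.out.println(parts.keySet() + " round-trip=" + token.equals(join("example-token", parts)));
        System.out.println("expire when value shrinks to 1 part: " + staleParts("example-token", 1, parts));
    }
}
```

A value reassembled from an incomplete set of parts is truncated, so it should only be trusted after the usual integrity check on the token itself.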