Infinite authentication loop #33
Comments
Compressing the cookie with gzip brought it down to 3822 bytes. Maybe it makes sense to split it up into multiple cookies.
That is a fair suggestion: I've done something similar for mod_auth_openidc in the past; https://github.com/pingidentity/mod_auth_openidc/issues/153
I just got hit by this issue while trying to make a sample using lua-resty-openidc & Keycloak. A full debug log of the infinite redirect can be found at: I didn't realize that was due to the fact that the cookie was too big and the browser won't store it.
Ok, thanks for chiming in; on the short term I'll look to issue a clear warning about size limits, on the mid-term I'll implement chunked cookies. Of course PRs are welcome...
I have now implemented chunked cookie support in Just grab the latest Also you may need to add something like this to your large_client_header_buffers 4 16k;
@bungle thanks for your support. I patched my example with the code at rev 67b8354 and I can confirm that the infinite loop is gone. In my case the cookie was chunked in 2 pieces. |
Same thing for me, a quick test works; I got my - artificially enlarged - session cookie split across 4 |
With 1.2.3 the encrypted id_token is saved in the session data (#29). This pushes the session cookie size above 4 KB with e.g. Azure Active Directory and thus the cookie will not be stored by most browsers.
Possible workarounds are to use a different session store. Using a gzip based session encoder might also be an option.
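The two mitigations discussed in this thread, gzip-compressing the session value and splitting it across several cookies so that no single cookie exceeds the per-cookie limit browsers enforce, can be shown end to end in a few dozen lines. The block below is an added illustration written for this page; it is not code from lua-resty-openidc or lua-resty-session, and the chunk naming scheme (`session` carries the chunk count, `session_1..session_n` carry the pieces), the 4096-byte limit and the constructed fake id_token are all assumptions of this example. It also handles the failure mode that causes the redirect loop: if the browser dropped or never stored a chunk, the reassembly returns `None` so the caller treats the request as having no session rather than decoding a truncated blob.

```python
import base64
import gzip
import hashlib
import json
import math
from typing import Optional

# Assumed limit for this illustration: most browsers refuse a single cookie
# whose "name=value" pair exceeds roughly 4096 bytes, which is what the
# encrypted id_token pushes the session cookie past.
COOKIE_MAX_BYTES = 4096


def encode_session(session: dict) -> str:
    """Serialize, gzip and base64url-encode a session dict (constructed scheme)."""
    raw = json.dumps(session, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return base64.urlsafe_b64encode(gzip.compress(raw, mtime=0)).decode("ascii")


def decode_session(value: str) -> dict:
    """Inverse of encode_session."""
    raw = gzip.decompress(base64.urlsafe_b64decode(value.encode("ascii")))
    return json.loads(raw.decode("utf-8"))


def chunk_cookie(name: str, value: str, max_bytes: int = COOKIE_MAX_BYTES) -> list:
    """Split value into cookies: name holds the chunk count, name_1..name_n the pieces.

    Every emitted "name_i=chunk" pair stays within max_bytes, so a browser that
    enforces a per-cookie size limit stores all of them.
    """
    # Budget for the payload: longest possible name is name + "_" + 3 digits, plus "=".
    payload = max_bytes - (len(name) + 1 + 3 + 1)
    if payload <= 0:
        raise ValueError("cookie name too long for the given limit")
    count = max(1, math.ceil(len(value) / payload))
    if count > 999:
        raise ValueError("session too large to chunk sanely")
    cookies = [(name, str(count))]
    for i in range(count):
        cookies.append((f"{name}_{i + 1}", value[i * payload:(i + 1) * payload]))
    return cookies


def parse_cookie_header(header: str) -> dict:
    """Minimal parser for a request Cookie header such as 'a=1; b=2'."""
    out = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip()] = v.strip()
    return out


def reassemble_cookie(name: str, cookies: dict) -> Optional[str]:
    """Rebuild the value from its chunks; None if the count or any chunk is missing.

    Returning None on a partial set is what keeps a dropped chunk from looping:
    the caller sees "no session" and can start a clean login instead of failing
    to decode a truncated value on every request.
    """
    count_str = cookies.get(name)
    if count_str is None or not count_str.isdigit():
        return None
    pieces = []
    for i in range(1, int(count_str) + 1):
        piece = cookies.get(f"{name}_{i}")
        if piece is None:
            return None
        pieces.append(piece)
    return "".join(pieces)


def demo() -> dict:
    """Round-trip a constructed session whose id_token is well above 4 KB."""
    # Constructed, poorly compressible stand-in for a large id_token (not a real token).
    fake_id_token = "".join(hashlib.sha256(str(i).encode()).hexdigest() for i in range(200))
    session = {"id_token": fake_id_token, "user": "alice@example.test"}
    value = encode_session(session)
    cookies = chunk_cookie("session", value)
    header = "; ".join(f"{k}={v}" for k, v in cookies)
    rebuilt = reassemble_cookie("session", parse_cookie_header(header))
    return {
        "chunks": len(cookies) - 1,
        "max_pair_bytes": max(len(f"{k}={v}".encode()) for k, v in cookies),
        "round_trip_ok": rebuilt is not None and decode_session(rebuilt) == session,
        "header_bytes": len(header.encode()),
    }


if __name__ == "__main__":
    print(demo())
```

Note that chunking only solves the browser's per-cookie limit; the total Cookie request header still carries the whole session (the `header_bytes` figure above), which is why the nginx `large_client_header_buffers` setting mentioned in the thread may need raising as well.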