From aa321196d79a937032b2180d11e256c03ceb35e2 Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Mon, 13 Dec 2021 13:33:20 +0100 Subject: [PATCH] outposts/proxy: fix securecookie: the value is too long again, since it can happen even with filesystem storage Signed-off-by: Jens Langhammer --- internal/outpost/proxyv2/application/session.go | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/internal/outpost/proxyv2/application/session.go b/internal/outpost/proxyv2/application/session.go index 6da1b20d2..484629e20 100644 --- a/internal/outpost/proxyv2/application/session.go +++ b/internal/outpost/proxyv2/application/session.go @@ -2,6 +2,7 @@ package application import ( "fmt" + "math" "os" "strconv" @@ -27,14 +28,22 @@ func (a *Application) getStore(p api.ProxyOutpostConfig) sessions.Store { a.log.Info("using redis session backend") store = rs } else { - cs := sessions.NewFilesystemStore(os.TempDir(), []byte(*p.CookieSecret)) + dir := os.TempDir() + cs := sessions.NewFilesystemStore(dir, []byte(*p.CookieSecret)) cs.Options.Domain = *p.CookieDomain + // https://github.com/markbates/goth/commit/7276be0fdf719ddff753f3574ef0f967e4a5a5f7 + // set the maxLength of the cookies stored on the disk to a larger number to prevent issues with: + // securecookie: the value is too long + // when using OpenID Connect , since this can contain a large amount of extra information in the id_token + + // Note, when using the FilesystemStore only the session.ID is written to a browser cookie, so this is explicit for the storage on disk + cs.MaxLength(math.MaxInt64) if p.TokenValidity.IsSet() { t := p.TokenValidity.Get() // Add one to the validity to ensure we don't have a session with indefinite length cs.Options.MaxAge = int(*t) + 1 } - a.log.Info("using filesystem session backend") + a.log.WithField("dir", dir).Info("using filesystem session backend") store = cs } return store