[server] Add warning when a cookie's length would exceed the RFC 6265 minimum user-agent support #5634
Comments
Dreamsorcerer
added
good first issue
|
The warning would go somewhere around: Line 852 in 1a4126a Maybe requires a little trial and error with a browser forcing this limit, to help figure out exactly what is included in the size limit (the linked issue mentions this being reproducible in Chrome 89). But, at a guess, this might look something like: |
|
@Dreamsorcerer I came across a similar bug report in |
|
Well, that's what dev mode is for, then atleast it will catch errors for people during development. |
🐣 Is your feature request related to a problem? Please describe.
We had a report in
aiohttp-session(see aio-libs/aiohttp-session#574) that a user submitting a 'large' cookie had the cookie dropped by the receiving browser.According to RFC 6265 - section 6.1:
This means that cookies that exceed 4096 bytes in storage (not transmission) have a chance that the user-agent will drop them which is a case that is hard to 'guess' for a developer.
💡 Describe the solution you'd like
A warning log should be emitted if a cookie that would exceed the RFC minimum support is created in
aiohttpserver.A challenge here is the definition of 'exceed' because
aiohttpknows the transmitted size but the RFC refers to (and the user-agents seem to implement) a check on the final stored size of the cookie string, including all field names and values regardless of whether they were transmitted or filled in as defaults by the user-agent.❓ Describe alternatives you've considered
It was briefly considered implementing this check in
aiohttp-sessionbut was rejected since this is a general issue with cookies and not specific toaiohttp-sessionso such a check could benefit allaiohttpusers.📋 Additional context
None.
The text was updated successfully, but these errors were encountered: