Azure-Samples / ms-identity-python-webapp

A Python web application calling Microsoft graph that is secured using the Microsoft identity platform
MIT License

session cookie too large when the token_cache is saved #63

Closed thunt-twose closed 3 years ago

thunt-twose commented 3 years ago

Hi,

I ran into an issue while using this template where, after signing the user in, at the bottom of the authorize() method, I attempt to redirect to another page in my app. However during the redirect I get a warning:

UserWarning: The "b'session'" cookie is too large: the value was 5632 bytes but the header required 26 extra bytes. The final size was 5658 bytes but the limit is 4093 bytes. Browsers may silently ignore cookies larger than this.

After this, I attempt to access some user information that is stored in the session variable, but the app crashes because the session variable no longer contains that user information.

Looking at the template, in the authorize() method, if I pop the session variable 'token_cache' before the redirect, or even if I remove the _save_cache(cache) line, everything works fine, I can login and use the app.

I'm just wondering if this is safe? Can I simply remove the line _save_cache(cache) from the authorize method? If so, why was that line necessary in the first place? I've been reading through the docs for MSAL authentication and I can't quite figure it out.

My other question is why that error started to happen in the first place. Do you know of reason that the token_cache would suddenly become too big for the session variable?

The app was previously working with this template, but some changes have been made and now this error is occurring. Do you have any ideas as to what would cause this to begin happening?

Thanks so much for your time, and for providing this template, it's been very helpful!

rayluo commented 3 years ago

Thanks for your interest in this sample! This sample is currently designed to use a server-side session. Did you by any chance change that to use a client-side session?

The token cache would have some unobvious benefits, such as saving some future extra authentication calls when the current short-lived token expires after 1 hour. That being said, there may be room for improvement here. We may revisit this.

thunt-twose commented 3 years ago

Thanks for your quick reply! That was it! The app had started out using a server-side session, but during development it had switched over to client-side and I hadn't noticed. Thank you so much!

I'm now running into this issue: https://github.com/Azure-Samples/ms-identity-python-webapp/issues/35 . I keep getting redirected to the index page from the authorized() method after logging in. session['state'] is being set in the login method but in the authorized method session.get('state') returns None.

rayluo commented 3 years ago

Would you mind tentatively starting a new project, pulling in the latest version of this sample and testing it again? The out-of-box sample should work. If not, please share the repro steps with us.

Besides, based on your mention of session.get('state'), you are probably using an older version of this sample. The current version of this sample has been improved to completely hide that logic, so there is one less thing to go wrong. :-) I'd recommend you build your project based on our latest sample.

thunt-twose commented 3 years ago

Sure, I'll try that! Thanks again.

thunt-twose commented 3 years ago

Yes, that worked! I've gotten the project working now. Thanks for all your help.

rayluo commented 3 years ago

It is our pleasure to know another cool new project is built for the world. :-)

marchar91 commented 3 years ago

Hello, I am having the same problem here. It works smoothly with a server-side session, but I have, as a project requirement, to use a client-side session, and the token_cache is just too big for the cookie size. Do you have any idea how to bypass the problem? I am just thinking of persisting less information into the session and dumping the token_cache as a JSON file (in fact, simulating a filesystem SESSION_TYPE), but I am not happy with this solution. Thanks

rayluo commented 3 years ago


Given that you chose to persist the data on the client side, and the size is too big for a cookie, I suppose you would need to look into Web Storage or IndexedDB? You seem to have already figured out a workable solution, though. If you are open to sharing it somehow, we (the community) may be able to crowdsource it. (When you do, please start a new topic here. Conversation on a closed topic will not easily gain traction.)
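The following is an added example, not code from the ms-identity-python-webapp sample or from MSAL. It reproduces, with the standard library only, the two situations discussed in this thread: rayluo's point that the sample expects a server-side session, and marchar91's requirement to keep a client-side one. A constructed token cache in the shape MSAL's SerializableTokenCache.serialize() produces is put into a Flask-style client-side session cookie (modelled here as JSON, zlib, base64 and an HMAC, a stand-in for the itsdangerous serializer Flask really uses) and measured against the 4093-byte limit from the warning; the same session is then kept server-side so that only an opaque signed session id travels in the cookie. The tenant, client id, claims and token strings are constructed filler of realistic length, not real identifiers or tokens; the cookie format, key names and the SECRET_KEY are assumptions of this example.

```python
"""Added example, not the sample's own code: why an MSAL token cache overflows a
client-side session cookie, and what a server-side session changes."""
import base64
import hashlib
import hmac
import json
import random
import secrets
import zlib

COOKIE_LIMIT = 4093  # per-cookie limit Werkzeug warns about in the issue
SECRET_KEY = b"constructed-secret-key-for-this-example"  # assumption, not a real key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def constructed_token_cache() -> dict:
    """Constructed stand-in for SerializableTokenCache.serialize() output.
    Secrets are seeded random bytes: realistic size, reproducible, and not
    compressible, so zlib cannot hide the problem."""
    rng = random.Random(0)
    rand = lambda n: rng.getrandbits(8 * n).to_bytes(n, "big")

    def jwt(payload_bytes: int) -> str:  # header.payload.signature, RS256-sized signature
        return ".".join([_b64(b'{"typ":"JWT","alg":"RS256"}'), _b64(rand(payload_bytes)), _b64(rand(256))])

    tenant = "11111111-1111-1111-1111-111111111111"      # constructed
    client_id = "22222222-2222-2222-2222-222222222222"   # constructed
    home = f"33333333-3333-3333-3333-333333333333.{tenant}"
    env = "login.microsoftonline.com"
    common = {"home_account_id": home, "environment": env, "client_id": client_id}
    return {
        "AccessToken": {f"{home}-{env}-accesstoken-{client_id}-{tenant}-user.read openid profile": dict(
            common, credential_type="AccessToken", secret=jwt(1500), realm=tenant,
            target="User.Read openid profile", token_type="Bearer",
            cached_at="1600000000", expires_on="1600003600", extended_expires_on="1600003600")},
        "RefreshToken": {f"{home}-{env}-refreshtoken-{client_id}--": dict(
            common, credential_type="RefreshToken", secret=_b64(rand(600)), target="User.Read openid profile")},
        "IdToken": {f"{home}-{env}-idtoken-{client_id}-{tenant}-": dict(
            common, credential_type="IdToken", secret=jwt(700), realm=tenant)},
        "Account": {f"{home}-{env}-{tenant}": {
            "home_account_id": home, "environment": env, "realm": tenant, "authority_type": "MSSTS",
            "local_account_id": home.split(".")[0], "username": "user@example.com"}},
    }


def constructed_session() -> dict:
    """What the sample keeps in session: the id_token claims and the serialized cache."""
    claims = {"aud": "22222222-2222-2222-2222-222222222222", "name": "Example User",
              "preferred_username": "user@example.com", "oid": "33333333-3333-3333-3333-333333333333",
              "tid": "11111111-1111-1111-1111-111111111111", "ver": "2.0"}
    return {"user": claims, "token_cache": json.dumps(constructed_token_cache())}


def client_side_cookie(session: dict) -> bytes:
    """Client-side session: the whole state rides in one signed, compressed cookie."""
    raw = json.dumps(session, separators=(",", ":")).encode()
    body = base64.urlsafe_b64encode(zlib.compress(raw, 9)).rstrip(b"=")
    sig = hmac.new(SECRET_KEY, body, hashlib.sha1).digest()
    return body + b"." + base64.urlsafe_b64encode(sig).rstrip(b"=")


class ServerSideSessions:
    """Server-side session (what Flask-Session's SESSION_TYPE=filesystem/redis does):
    the cookie carries only a signed random id; the token cache never leaves the server."""
    def __init__(self):
        self._store = {}

    def _sign(self, sid: bytes) -> bytes:
        return base64.urlsafe_b64encode(hmac.new(SECRET_KEY, sid, hashlib.sha256).digest()).rstrip(b"=")

    def save(self, session: dict) -> bytes:
        sid = secrets.token_urlsafe(32).encode()
        self._store[sid] = session
        return sid + b"." + self._sign(sid)

    def load(self, cookie: bytes):
        sid, _, sig = cookie.rpartition(b".")
        if not hmac.compare_digest(sig, self._sign(sid)):
            return None  # tampered or forged cookie: no session
        return self._store.get(sid)


def cookie_sizes() -> dict:
    session = constructed_session()
    return {"client_side": len(client_side_cookie(session)),
            "server_side": len(ServerSideSessions().save(session))}


def fits_in_cookie(size: int) -> bool:
    return size <= COOKIE_LIMIT


def has_refresh_token(session: dict) -> bool:
    """Why the sample persists the cache: without the refresh token in it, a silent
    renewal after the access token's roughly one-hour lifetime has nothing to use."""
    return bool(json.loads(session.get("token_cache", "{}")).get("RefreshToken"))
```

Running cookie_sizes() shows the client-side cookie at several kilobytes, past the limit, while the server-side cookie is under a hundred bytes regardless of how many accounts or scopes the cache accumulates. Dropping _save_cache keeps the cookie small but leaves has_refresh_token() false, which is the cost rayluo describes: the next request after the access token expires goes back through the interactive sign-in.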

marchar91 commented 3 years ago

You're sorry, will do! Thanks!