AzureAD / azure-activedirectory-library-for-js

The code for ADAL.js and ADAL Angular has been moved to the MSAL.js repo. Please open any issues or PRs at the link below.
https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/maintenance/adal-angular
Apache License 2.0

acquireToken() displays warning "Set-Cookie header is ignored in response from url... Cookie length should be less than or equal to 4096 characters" #864

Closed caesarsol closed 4 years ago

caesarsol commented 5 years ago

Library version: 1.0.17 (most recent)

Minimal reproduction of the problem with instructions

Seems like the issue appears after many logins/logouts on an application which uses the ADAL auth library. Attached screenshot:


The bug was already reported in #702, but never answered. The proposed solution, which is to clear cookies, cannot obviously be done in production for all users.

I don't actually know if this is a problem in production, and have no way to find out.

Thanks for any suggestion!

ky-vy commented 5 years ago

Having the same issue. Spent many hours debugging - still no success.

udlose commented 5 years ago

Also seeing the same problem.

robianmcd commented 5 years ago

I get this issue even when I am in incognito mode in Chrome.

Anyone found a workaround?

rventuri76 commented 5 years ago

Same problem here, with msaljs 1.0.1 and B2C but not with B2B.

With B2C this error seems to block the login: when trying to call acquireTokenSilent after a successful login, I get this warning "Set-Cookie header is ignored in response from url ..." and then this error: Refused to display 'https://login.microsoftonline.com/XXX/oauth2/authorize?client_id=XXX&redirect_uri=https%3a%2f%2flogin.microsoftonline.com%2fte%2ffXXX.onmicrosoft.com%2foauth2%2fauthresp&response_type=code&scope=openid&response_mode=form_post&nonce=XXXX&state=XXXX' in a frame because it set 'X-Frame-Options' to 'deny'.

In the https://login.microsoftonline.com "Pick an account" page I have 6 accounts listed and very big cookies, among which: ESTSAUTHPERSISTENT: size 1900, CCState: size 1700, x-ms-cpim-cacheXXXX: size 1000,

and many others, with an overall size well above 4096.

Of course deleting all cookies for page https://login.microsoftonline.com solves the issue.
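The warning quoted in this thread comes from the browser dropping a Set-Cookie whose size exceeds its per-cookie limit. The following is an added example (not code from this issue or from ADAL/MSAL) that audits a list of Set-Cookie headers for that condition; it assumes the RFC 6265bis rule that current browsers apply (cookie-name length plus cookie-value length, attributes excluded, at most 4096 bytes), and the sample headers are constructed, not real login.microsoftonline.com cookies.

```javascript
// Added example, not from the issue or the library: report which Set-Cookie
// headers a browser would ignore for exceeding the per-cookie size limit.
// Assumption (RFC 6265bis, followed by current Chrome): the limit counts
// cookie-name + cookie-value bytes only; attributes are not included.
const MAX_COOKIE_PAIR_BYTES = 4096;

// Parse one Set-Cookie header value into name, value and attribute list.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  return {
    name: eq >= 0 ? pair.slice(0, eq).trim() : '',
    value: eq >= 0 ? pair.slice(eq + 1).trim() : pair.trim(),
    attributes: rest.map((a) => a.trim()).filter(Boolean),
  };
}

// UTF-8 byte length of name + value, which is what the limit measures.
function cookiePairBytes(cookie) {
  return new TextEncoder().encode(cookie.name + cookie.value).length;
}

// One report entry per header: name, measured size, and whether it is dropped.
function auditSetCookies(headers) {
  return headers.map((h) => {
    const c = parseSetCookie(h);
    const bytes = cookiePairBytes(c);
    return { name: c.name, bytes, ignored: bytes > MAX_COOKIE_PAIR_BYTES };
  });
}

// Constructed sample headers (hypothetical values, only the cookie names are
// taken from the thread): one oversized cookie next to two within the limit.
const SAMPLE_SET_COOKIES = [
  'ESTSAUTHPERSISTENT=' + 'a'.repeat(4200) + '; Path=/; Secure; HttpOnly; SameSite=None',
  'CCState=' + 'b'.repeat(1700) + '; Path=/; Secure',
  'fpc=abc123; Path=/; Secure; HttpOnly',
];

// Names of the cookies the browser would drop from a set of headers.
function droppedCookieNames(headers = SAMPLE_SET_COOKIES) {
  return auditSetCookies(headers).filter((r) => r.ignored).map((r) => r.name);
}
```

Run against the sample it reports only ESTSAUTHPERSISTENT as dropped; the other two stay well under the limit, which is why per-cookie size, not the combined size of all cookies on the domain, is what this particular warning is about.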

mamiu commented 5 years ago

The same for me. I've been waiting for a fix for this bug for months. It's blocking the hidden iframe from acquiring a new token in the background.

rajrao commented 5 years ago

I am also getting this same error. I have iframed the app within Dynamics CRM.

When I set the URL on the iframe, the following error gets thrown (Chrome): Set-Cookie header is ignored in response from url: https://login.microsoftonline.com/**my-tenant-id**/oauth2/v2.0/authorize?client_id=**the-client-id**&redirect_uri=**https://redirect-url**. Cookie length should be less than or equal to 4096 characters.

If I reload the page, the page loads correctly and I am authenticated with the website. It's just that it fails the first time.

jmckennon commented 4 years ago

This should be fixed by the server team now. Please make sure you're on 1.0.17 and let us know if it's still happening.

Additionally, all current authentication work from Microsoft is delivered through the msal js library here. adal js is still supported only for security fixes. We recommend moving to msal js for any advanced feature requests and bugfixes.

AndrewCraswell commented 4 years ago

Hey, @jmckennon. I just got off the call with a customer who is experiencing this issue today using MSAL 1.2.0-beta.5. Just to clarify, I assume that even after the server team has fixed it, we will need the affected customers to clear their cookies?

My guess is that the user was impacted prior to the fix, and now post-fix will continue to encounter the error until a full cookie purge.

jasonnutter commented 4 years ago

Closing due to inactivity, should be fixed for both MSAL and ADAL.