Slim down cookies#285
Merged
Merged
Conversation
cnvergence
reviewed
Aug 19, 2025
| return &http.Cookie{ | ||
| Name: name, | ||
| Value: value, | ||
| Path: "/", // TODO: make configurable |
Member
There was a problem hiding this comment.
we might also drop all the TODOs
Contributor
Author
There was a problem hiding this comment.
I was thinking that someone might expose this backend behind an Ingress with a PathPrefix, so the TODO for the Path felt valid.
cnvergence
previously approved these changes
Aug 19, 2025
mjudeikis
approved these changes
Aug 19, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Depending on the crypto settings, but more likely depending on the number of groups a user is in, the size of the generated access, refresh and ID tokens can be quite large. However browser cookies are limited to 4KB per origin.
Thankfully kube-bind's example backend doesn't actually need any of the large tokens, neither does it need the user groups. So for this implementation it's possible to simply store much less in the cookie.
This is what this PR achieves. We now only store the issuer and subject from the original ID token. When testing using the quickstart guide, the size of my cookie went down from 2,476 to 492 bytes. And I suspect it won't grow much beyond that, unless your issuer is https://examplesareoftennotenoughsometimesyouneedawizardtoexplainthebasicsofmagictoyou.edu.
Since the cookie is now much smaller and hopefully stays small, I have removed the example compression functions, as well as the example (?) function to parse the cookie SameSite attribute. Not sure why that one ever existed.
I also made the name of the cookie less random, but still per-cluster, so that fewer information needs to be transmitted via query string parameters. There is IMHO no need to have multiple sessions open for the same cluster and the same backend.
For the cookie settings, I have removed the TODO for the HttpOnly flag. With the example backend there is absolutely no reason to make this actually configurable. The same applies to the SameSite flag, which is purely dependent on how the example backend is implemented and doesn't need to be configurable. Likewise I extracted the secure flag, in preparation of supporting HTTPS mode for the example backend if we ever need it.
I also fixed a few log statements that were using Info instead of Error.
And lastly, noticed during testing, I fixed
make dex/bin/dex.What Type of PR Is This?
/kind bug
Related Issue(s)
Fixes #136
Release Notes