This repository was archived by the owner on Jul 6, 2022. It is now read-only.

Commit 07ba887

feat: add info about cookie chunking (#100)
1 parent b0f5c92 commit 07ba887

2 files changed

Lines changed: 4 additions & 8 deletions

File tree

docs/configuration/options.md

Lines changed: 3 additions & 3 deletions
@@ -116,7 +116,7 @@ session: {
116116

117117
JSON Web Tokens can be used for session tokens if enabled with `session: { jwt: true }` option. JSON Web Tokens are enabled by default if you have not specified a database.
118118

119-
By default JSON Web Tokens are signed (JWS) but not encrypted (JWE), as JWT encryption adds additional overhead and comes with some caveats. You can enable encryption by setting `encryption: true`.
119+
By default JSON Web Tokens are not signed (JWS) but are encrypted (JWE).
120120

121121
#### JSON Web Token Options
122122

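Review bot: the replacement line inverts the documented default (the removed line said tokens are "signed (JWS) but not encrypted (JWE)", the new one says they are "not signed (JWS) but are encrypted (JWE)") and drops the mention of `encryption: true`, leaving the `#### JSON Web Token Options` section that follows with no stated way to change the behaviour. Please confirm the new wording against the actual JWT defaults in the code; a change to whether session tokens are signed is a security-relevant statement, unrelated to the cookie chunking in the commit message, and should either be backed by a code reference or moved to its own commit. If the default really did change, keep a sentence naming the option that switches it.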
@@ -405,8 +405,6 @@ When set to `true` (the default for all site URLs that start with `https://`) th
405405

406406
This option defaults to `false` on URLs that start with `http://` (e.g. `http://localhost:3000`) for developer convenience.
407407

408-
You can manually set this option to `false` to disable this security feature and allow cookies to be accessible from non-secured URLs (this is not recommended).
409-
410408
:::note
411409
Properties on any custom `cookies` that are specified override this option.
412410
:::
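Review bot: deleting "You can manually set this option to `false` to disable this security feature ..." removes the only sentence in this section saying the option can be overridden to `false` and that doing so exposes cookies on non-HTTPS URLs; what remains only describes the defaults. Either keep a one-line warning here or confirm that the text at line 422 ("Setting this option to _false_ in production is a security risk ...") sits in the same section and covers it. This removal is also unrelated to the cookie chunking named in the commit message and is worth calling out there.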
@@ -424,6 +422,8 @@ Setting this option to _false_ in production is a security risk and may allow se
424422

425423
#### Description
426424

425+
Cookies in NextAuth.js are chunked by default, meaning that once they reach the 4kb limit, we will create a new cookie with the `.{number}` suffix and reassemble the cookies in the correct order when parsing / reading them. This was introduced to avoid size constraints which can occur when users want to store additional data in their sessionToken, for example.
426+
427427
You can override the default cookie names and options for any of the cookies used by NextAuth.js.
428428

429429
This is an advanced option and using it is not recommended as you may break authentication or introduce security flaws into your application.
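Review bot: the new paragraph should state what the `.{number}` suffix is appended to (the cookie name, presumably) and whether numbering starts at 0 or 1, otherwise a reader inspecting cookies in a browser cannot match what they see to the docs. It should also say whether each chunk carries the same cookie options as the unchunked cookie, because the very next paragraph lets users override cookie names and options and they need to know whether an override applies to every chunk or only to the first. Two nits: "4kb" should read "4 KB", and it is the per-cookie browser limit, so say so; and `sessionToken` is a cookie name and should be in backticks like the other identifiers in this file.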

docs/faq.md

Lines changed: 1 addition & 5 deletions
@@ -356,11 +356,7 @@ JSON Web Tokens can be used for session tokens, but are also used for lots of ot
356356
</summary>
357357
<p>
358358

359-
By default tokens are signed (JWS) but not encrypted (JWE), as encryption adds additional overhead and reduces the amount of space available to store data (total cookie size for a domain is limited to 4KB).
360-
361-
- JSON Web Tokens in NextAuth.js use JWS and are signed using HS512 with an auto-generated key.
362-
363-
- If encryption is enabled by setting `jwt: { encryption: true }` option then the JWT will _also_ use JWE to encrypt the token, using A256GCM with an auto-generated key.
359+
By default tokens are not signed (JWS) but are encrypted (JWE). Since v4 we have implemented cookie chunking so that cookies over the 4kb limit get split and reassembled upon parsing.
364360

365361
You can specify other valid algorithms - [as specified in RFC 7518](https://tools.ietf.org/html/rfc7517) - with either a secret (for symmetric encryption) or a public/private key pair (for a symmetric encryption).
366362

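Review bot: the new line contradicts the text it replaces (tokens were documented as signed but not encrypted) and deletes the only place naming the algorithms (HS512, A256GCM) and the `jwt: { encryption: true }` option, so the retained sentence "You can specify other valid algorithms ..." now has no algorithm for "other" to refer to; keep at least the algorithm names if they still apply, and reconcile the default with the options.md hunk in this same commit. While this paragraph is being touched: the retained context line links "RFC 7518" to the URL for rfc7517 (JWK; RFC 7518 is JWA), and "(for a symmetric encryption)" after "public/private key pair" should read "asymmetric". Dropping the removed claim that "total cookie size for a domain is limited to 4KB" is fine, since the 4 KB limit browsers enforce is per cookie, not per domain.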