This repository was archived by the owner on Jul 6, 2022. It is now read-only.
Merged
4 changes: 2 additions & 2 deletions docs/configuration/options.md
Expand Up @@ -402,8 +402,6 @@ When set to `true` (the default for all site URLs that start with `https://`) th

This option defaults to `false` on URLs that start with `http://` (e.g. `http://localhost:3000`) for developer convenience.

You can manually set this option to `false` to disable this security feature and allow cookies to be accessible from non-secured URLs (this is not recommended).

:::note
Properties on any custom `cookies` that are specified override this option.
:::
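Review bot: the `:::note` at the end of this hunk ("Properties on any custom `cookies` that are specified override this option") should spell out the security consequence, since the hunk header shows the two lines explaining how to disable the feature manually being taken out of this spot: a custom cookie definition whose `secure` property is unset or `false` drops the `Secure` flag for that cookie even when this option is `true`, so the note is now the only place a reader learns that a per-cookie override can silently reopen the non-`https://` exposure. Suggest adding one sentence to the note, e.g. "If you define custom `cookies`, set `secure: true` on each of them explicitly, otherwise this option does not apply to that cookie."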
Expand All @@ -421,6 +419,8 @@ Setting this option to _false_ in production is a security risk and may allow se

#### Description

Cookies in NextAuth.js are chunked by default, meaning that once they reach the 4kb limit, we will create a new cookie with the `.{number}` suffix and reassemble the cookies in the correct order when parsing / reading them. This was introduced to avoid size constraints which can occur when users want to store additional custom fields in their sessionToken, for example, or enable encryption, which adds size overhead.

You can override the default cookie names and options for any of the cookies used by NextAuth.js.

This is an advanced option and using it is not recommended as you may break authentication or introduce security flaws into your application.
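Review bot: the new Description paragraph says chunking starts "once they reach the 4kb limit" but does not say what that limit is a limit on, and the FAQ hunk in this same change says "total cookie size for a domain is limited to 4KB"; the two pages should agree on whether the 4 KB figure is the per-cookie size browsers enforce or a per-domain total, because only the per-cookie reading makes splitting into `.{number}` chunks a fix. Suggest stating it explicitly here, e.g. "once a single cookie would exceed the browser's 4 KB per-cookie limit", and using one spelling ("4 KB") across both files. It would also help to say how a reader recognises chunked cookies in their browser (the `.0`, `.1`, ... suffixes on the session cookie name) and that the chunks are only reassembled when all of them arrive, since the sentence "reassemble the cookies in the correct order when parsing / reading them" leaves the failure case (a missing or truncated chunk, which should be treated as no session) undocumented.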
2 changes: 1 addition & 1 deletion docs/faq.md
Expand Up @@ -345,7 +345,7 @@ JSON Web Tokens can be used for session tokens, but are also used for lots of ot
</summary>
<p>

By default tokens are signed (JWS) but not encrypted (JWE), as encryption adds additional overhead and reduces the amount of space available to store data (total cookie size for a domain is limited to 4KB).
By default tokens are signed (JWS) but not encrypted (JWE), as encryption adds additional overhead and reduces the amount of space available to store data (total cookie size for a domain is limited to 4KB). Since v4 we have implemented cookie chunking so that cookies over the 4kb limit get split and reassembled upon reading them. As there is practically no limit to cookie size anymore, we strongly recommend enabling and keeping enabled jwt encryption.

- JSON Web Tokens in NextAuth.js use JWS and are signed using HS512 with an auto-generated key.

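Review bot: the added sentences in this hunk contradict the one they extend and give the wrong reason for the recommendation. The paragraph still opens with "total cookie size for a domain is limited to 4KB" and then says "there is practically no limit to cookie size anymore"; chunking raises the practical ceiling but browsers still cap the number and total size of cookies per domain, so "practically no limit" overstates it. Suggest rewording to something like "Since v4, cookies over the browser's per-cookie size limit are chunked and reassembled, so the size overhead of encryption is no longer a reason to leave it off." The security argument for encryption should also be stated directly rather than only as the absence of a size constraint: the next context line says tokens are JWS signed with HS512, and a signed-but-unencrypted token exposes every claim in it to whoever holds the cookie, so JWE is what keeps session claims confidential. Minor: "jwt encryption" should be "JWT encryption (JWE)", and "keeping enabled" reads awkwardly ("enabling and leaving on").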