Server-side-only session attributes to avoid cookies exceed size

Question

Server-side-only session attributes to avoid cookies exceed size

sscarduzio opened this issue 5 years ago · 2 comments

Related to #217

When a user logs in using username and password, I also add to the cookieAuth object the list of groups the user belongs to.

This is very handy, but when a user belongs to 100+ groups I get:

Set-Cookie header is ignored in response from url: http://example.com/login. Cookie length should be less than or equal to 4096 characters.

Is there a way to associate data to a session, but avoiding that all goes serialised to a gigantic encrypted cookie?

Answer 1 · 2019-09-12T17:29:59.000Z

This is clearly explained in the readme. You need to store your own session identifier in the cookie and then look that data up in a store. It is pretty easy to do if you combine cookie with the hapi cache support and link that to a redis server so something similar. This plugin does not provide this functionality built-in because the use cases are very specific.

Answer 2 · 2020-01-09T00:33:45.000Z

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.