4.3: The cookie size exceeds 4096 bytes

[robcaldecott]

Checklist

• The issue can be reproduced in the nextjs-auth0 sample app (or N/A).
• I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
• I have looked into the API documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

Just upgraded from 4.1 to 4.3 and am seeing the following message:

The cookie size exceeds 4096 bytes, which may cause issues in some browsers. Consider removing any unnecessary custom claims from the access token or the user profile. Alternatively, you can use a stateful session implementation to store the session data in a data store.

I have tried logging out and clearing cookies and the issue persists. Our middleware.ts looks something like this:

export async function middleware(req: NextRequest) {
  // Handle auth-specific routes
  const authResponse = await auth0.middleware(req);
  if (req.nextUrl.pathname.startsWith("/auth")) {
    if (req.nextUrl.pathname === "/auth/login") {
      // This is a workaround for this issue: https://github.com/auth0/nextjs-auth0/issues/1917
      // The auth0 middleware sets some transaction cookies that are not deleted after the login flow completes.
      // This causes stale cookies to be used in subsequent requests and eventually causes the request header to be rejected because it is too large.
      const reqCookieNames = req.cookies.getAll().map((cookie) => cookie.name);
      reqCookieNames.forEach((cookie) => {
        if (cookie.startsWith("__txn")) {
          authResponse.cookies.delete(cookie);
        }
      });
    }
    return authResponse;
  }

  // Do we have a token?
  const accessToken = await auth0.getAccessToken();
  if (!accessToken) {
    return NextResponse.redirect(
      new URL(`/auth/login?returnTo=${req.nextUrl.pathname}`, req.url),
    );
  }
  return authResponse;
}

export const config = {
  matcher: [
    /*
     * Match all request paths except for the ones starting with:
     * - _next/static (static files)
     * - _next/image (image optimization files)
     * - favicon.ico, sitemap.xml, robots.txt (metadata files)
     * - hc (health check)
     * - unauthorised (user not authorised page)
     */
    "/((?!_next/static|_next/image|favicon.ico|sitemap.xml|robots.txt|hc|unauthorised).*)",
  ],
};

Reverting to 4.1 fixes the issue.

Here is how the cookies look on 4.3

And on 4.1

Reproduction

See above

Additional context

No response

nextjs-auth0 version

4.3

Next.js version

15.2.4

Node.js version

20

[robcaldecott]

FYI v4.2.1 is fine. This issue was introduced in 4.3.
Happy to accept middleware workarounds!

[jesseflikweerteo]

Funny thing is that I had this issue in v4.2.1, and expected it to go away with the cookie chunking feature.

[LennertDeMey]

This just seems like a warning according to the code.

[robcaldecott]

I think this has potentially serious consequences according to #1983 (comment)

[frederikprijck]

👋 With v4.3.0, we have included the id token again in the session, so it is expected to see the cookie size increase. However, we also brought back cookie-chunking to accomodate for this increased cookie size.

It looks like removing the warning was overlooked, as it is expected in most applications to start hitting the limit of a single cookie. However, because we have cookie chunking again, the size of the cookie should not be an issue.

We should, however, look into removing this warning to avoid confusion. I opened a PR to address that.

Based on that, I am not sure there is an actual issue going on in this case, but please let me know if there is and I can take a look.

[robcaldecott]

@frederikprijck great, thanks for the update, I will close this. Is cookie chunking expected to fix the state in invalid issue that myself and others have been seeing?

[frederikprijck]

Is cookie chunking expected to fix the state in invalid issue that myself and others have been seeing?

Are you saying you are having that issue on 4.3.0, where cookie chunking is already available?

[robcaldecott]

Is cookie chunking expected to fix the state in invalid issue that myself and others have been seeing?

Are you saying you are having that issue on 4.3.0, where cookie chunking is already available?

No, we haven't seen it on 4.3 in our tests so far.

[frederikprijck]

Based on what I can tell, people mention that the issue goes hand in hand with the warning on < v4.3.0 When you see the warning in < v4.3.0, it is expected that things do not work as expected (which is why we brought back chunking).

[marc-wilson]

having the same issue in v4.4.2