It looks like SuperToken cookies are exceeding the...
# support-questions-legacym
Morgante Pell
08/24/2022, 2:46 PMIt looks like SuperToken cookies are exceeding the permitted limit. I'm getting this error: "Set-Cookie header is ignored in response from url: http://localhost:4000/auth/session/refresh. The combined size of the name and value must be less than or equal to 4096 characters."
r
rp_st
08/24/2022, 2:47 PMYea! thats a browser limitation. What are you adding in the access token payload?
m
Morgante Pell
08/24/2022, 4:51 PMI'm adding some
claims{repo:'custodian-sample-org/pizza-shop'}r
rp_st
08/24/2022, 5:10 PMah right. You generally wanna minimise the number of things in the claims as much as possible
p
porcellus
08/24/2022, 5:18 PMalso, what browser are you using if you don't mind me asking? 🙂
r
rp_st
08/24/2022, 5:42 PMThat being said, we are working on making it so that lesser space is taken up by the cookies. However that will take sometime.
rp_st
08/24/2022, 5:44 PMAnd if there is no way that you can reduce the amount of info in the access token payload, then consider this demo app which customises supertokens to use custom headers and localstorage instead of cookies -> https://github.com/supertokens/supertokens-auth-react/tree/master/examples/with-localstorage
m
Morgante Pell
08/24/2022, 10:30 PMSorry for the delayed reply - should I consider using session data instead? Is that also subject to the cookie limit, or is it pulled from the DB?
Morgante Pell
08/24/2022, 10:30 PMChrome
Morgante Pell
08/24/2022, 10:53 PMSuperTokens is just endlessly looping with errors.
r
rp_st
08/25/2022, 4:13 AMSession data pulls it from the db. You could use that if the info is not fetched that often
rp_st
08/25/2022, 4:15 AMHmm. What are the values in the cookie store on the frontend whilst it’s looping like that?
m
Morgante Pell
08/25/2022, 4:42 AMExpired auth token.
Morgante Pell
08/25/2022, 4:42 AMWhy does /auth/signout return 403 at all? Shouldn’t it simply terminate any sessions found.
r
rp_st
08/25/2022, 4:47 AMOur api doesn’t return 403. Is something else in your stack doing that? Also, from the above screenshot it seems to return 401 not 403
rp_st
08/25/2022, 4:48 AMThe only time the signOut api returns 401 is if the session exists, but that access token has expired. If you are calling the signOut api yourself (without our sdk), make sure to call supertokens.init before and also if using axios, to add its interceptors.
m
Morgante Pell
08/25/2022, 4:55 AMWhy do it that way? It seems better to simply end the session entirely.
Morgante Pell
08/25/2022, 4:56 AMIn this case I got into a state where the only way to recover was to delete all cookie and local storage.
r
rp_st
08/25/2022, 5:00 AMCause you can’t end the session without having the access token first. And since the access token has expired, you don’t have the access token.
rp_st
08/25/2022, 5:01 AMCan you try it again,? Login, delete the sAccessToken in the cookies and the click the sign out button. What happens?
m
Morgante Pell
08/25/2022, 5:15 AMI’m not sure I follow. I understand you enforce that requirement, but why not end a session even if the token is expired?
r
rp_st
08/25/2022, 5:40 AM1) Cause the browser doesn't send expired access tokens
2) Even if the browser does send it, it's generally a bad idea to do anything based on an expired access token other than tell the client that it's expired.
There is a distinction between expired access token vs expired session. An expired access token doesn't imply an expired session. An expired session happens when the refresh token has expired - in that case, the sign out API will not send back a 401.
12 Views