0.57.0 seems to break cookie sessions?

[travisbell]

Hey @ioquatix,

Happy new year. 😄

After updating to 0.57.0 sessions in our app broke. The error I see in our logs is:

Warning! Rack::Session::Cookie data size exceeds 4K.
Warning! Rack::Session::Cookie failed to save session. Content dropped.

Which is really weird because the content of the session cookie is only ~550 bytes, so I can't quite make sense of why that error is being returned.

☝🏼 I am not 100% convinced these are connected, actually. It might be, but it might also just be some users messing about with the cookies and sessions as they like to do...

Regardless, restoring 0.56.1 gets things working again.

We're setting up our session like so:

use Rack::Session::Cookie,
  coder: JwtSessionEncoder.new,
  expire_after: 1209600,
  httponly: true,
  key: "session",
  let_coder_handle_secure_encoding: true,
  path: "/",
  same_site: :lax,
  secure: true

Let me know if you need anything else to make sense of it, thanks!

[ioquatix]

Thanks, am looking into it today.

[ioquatix]

I think v0.57.0 is a bad release. I was trying to fix header/trailer handling and I think the implementation I did was not good enough. So, I'm going to release v0.58.0 which I think is a better approach to handling header/trailer. Some updates to async-http may be required too. This is in response to a security issue, the idea is that not all header keys can show up in trailers, so we should prevent that. But basically I didn't quite get the logic correct, and it's probably manifesting in the error you are seeing.

[ioquatix]

Can you please try again with updated async-http, protocol-http, protocol-http1 and protocol-rack. This should correctly solve the issue.

[travisbell]

I just deployed the updates and there are no issues that I have seen yet.

Thanks for the quick fix.