feature (cookie split): split session cookie onto fixed size chunks - #422

* Fixed invalid cookie issue when session object is serialized into a string larger than 4KB. * Update session.go Removed comments * Update share.go Removed comments
2025-12-07 17:02:29 +01:00 · 2022-01-27 06:07:02 +08:00 · 2022-01-27 06:07:02 +08:00 · ab71c339dd
commit ab71c339dd
parent a37de01b3b
3 changed files with 63 additions and 22 deletions
--- a/server/ctrl/session.go
+++ b/server/ctrl/session.go
@ -8,6 +8,7 @@ import (
 	"github.com/mickael-kerjean/filestash/server/model"
 	"net/http"
 	"net/url"
+	"strconv"
 	"strings"
 	"time"
 )
@ -84,15 +85,31 @@ func SessionAuthenticate(ctx App, res http.ResponseWriter, req *http.Request) {
 		SendErrorResult(res, NewError(err.Error(), 500))
 		return
 	}
+	// split session cookie if greater than 3800 bytes
+	value_limit := 3800
+	index := 0
+	end := 0
+	for {
+		if len(obfuscate) >= (index+1)*value_limit {
+			end = (index + 1) * value_limit
+		} else {
+			end = len(obfuscate)
+		}
 		http.SetCookie(res, &http.Cookie{
-		Name:     COOKIE_NAME_AUTH,
-		Value:    obfuscate,
+			Name:     COOKIE_NAME_AUTH + strconv.Itoa(index),
+			Value:    obfuscate[index*value_limit : end],
 			MaxAge:   60 * Config.Get("general.cookie_timeout").Int(),
 			Path:     COOKIE_PATH,
 			HttpOnly: true,
 			SameSite: http.SameSiteStrictMode,
 		})
-
+		if end == len(obfuscate) {
+			break
+		} else {
+			Log.Debug("session::auth obfuscate index: %d length: %d total: %d", index, len(obfuscate[index*value_limit:end]), len(obfuscate))
+			index++
+		}
+	}
 	if home != "" {
 		SendSuccessResult(res, home)
 		return
@ -116,12 +133,20 @@ func SessionLogout(ctx App, res http.ResponseWriter, req *http.Request) {
 			}
 		})(ctx, res, req)
 	}()
+	index := 0
+	for {
+		_, err := req.Cookie(COOKIE_NAME_AUTH + strconv.Itoa(index))
+		if err != nil {
+			break
+		}
 		http.SetCookie(res, &http.Cookie{
-		Name:   COOKIE_NAME_AUTH,
+			Name:   COOKIE_NAME_AUTH + strconv.Itoa(index),
 			Value:  "",
 			MaxAge: -1,
 			Path:   COOKIE_PATH,
 		})
+		index++
+	}
 	http.SetCookie(res, &http.Cookie{
 		Name:   COOKIE_NAME_ADMIN,
 		Value:  "",
--- a/server/ctrl/share.go
+++ b/server/ctrl/share.go
@ -7,6 +7,7 @@ import (
 	. "github.com/mickael-kerjean/filestash/server/common"
 	"github.com/mickael-kerjean/filestash/server/model"
 	"net/http"
+	"strconv"
 	"strings"
 )

@ -41,11 +42,17 @@ func ShareUpsert(ctx App, res http.ResponseWriter, req *http.Request) {
 		Id: share_id,
 		Auth: func() string {
 			if ctx.Share.Id == "" {
-				a, err := req.Cookie(COOKIE_NAME_AUTH)
+				str := ""
+				index := 0
+				for {
+					cookie, err := req.Cookie(COOKIE_NAME_AUTH + strconv.Itoa(index))
 					if err != nil {
-					return ""
+						break
 					}
-				return a.Value
+					index++
+					str += cookie.Value
+				}
+				return str
 			}
 			return ctx.Share.Auth
 		}(),
--- a/server/middleware/session.go
+++ b/server/middleware/session.go
@ -10,6 +10,7 @@ import (
 	"github.com/mickael-kerjean/filestash/server/model"
 	"net/http"
 	"regexp"
+	"strconv"
 	"strings"
 )

@ -256,11 +257,19 @@ func _extractSession(req *http.Request, ctx *App) (map[string]string, error) {
 		}
 		return session, err
 	} else {
-		cookie, err := req.Cookie(COOKIE_NAME_AUTH)
+		str := ""
+		index := 0
+		for {
+			cookie, err := req.Cookie(COOKIE_NAME_AUTH + strconv.Itoa(index))
 			if err != nil {
+				break
+			}
+			index++
+			str += cookie.Value
+		}
+		if str == "" {
 			return session, nil
 		}
-		str = cookie.Value
 		str, err = DecryptString(SECRET_KEY_DERIVATE_FOR_USER, str)
 		if err != nil {
 			// This typically happen when changing the secret key