Hello, After upgrading to CAS 7.1.4, we started experiencing issues with Nginx reporting buffer size limit exceeded errors during session timeout logouts.
We investigated the issue and found the root cause in the cookie removal process. When a session times out, org.apereo.cas.web.flow.login.InitialFlowSetupAction#configureWebflowForTicketGrantingTicket calls clearTicketGrantingCookieFromContext, which in turn calls ticketGrantingTicketCookieGenerator.removeAll(request, response). When the normal logout occurs, this method is not called. The removeAll method sets the Set-Cookie header for TGC across all available paths (/, /cas, /cas/) with setMaxAge(0), but crucially, it includes the entire original TGC value in each cookie. Since the TGC contains a JWT token, it's quite large, and having it repeated three times in the response headers exceeds the buffer limit.

We've applied a workaround by changing the Nginx configuration, but we would like to inquire:

1. *Is it intentional that during a normal logout, only one cookie is sent:*

Set-Cookie: TGC=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:10 GMT; Path=/cas; Secure; HttpOnly

While during a timeout logout, three large cookies are sent:

Set-Cookie: TGC=eyJhb...VAw; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:10 GMT; Path=/
Set-Cookie: TGC=eyJhb...VAw; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:10 GMT; Path=/cas/
Set-Cookie: TGC=eyJhb...VAw; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:10 GMT; Path=/cas

and also the first one too:

Set-Cookie: TGC=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:10 GMT; Path=/cas; Secure; HttpOnly

So 4 Set-Cookie headers are sent (3 of them with value, 1 with no value, all of them with Max-Age: 0, diff paths).

*2. Is it necessary for the removeAll method to include the entire cookie value?*

Since the cookies are being expired with Max-Age=0, wouldn't it be sufficient to use an empty value like in the normal logout case?
Thanks for any opinion on that.

br
Milan Siebenbürger

To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/86fed558-c6a3-4200-874e-7b59b2d84a6dn%40apereo.org.
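The two removal behaviours described in the post, modelled as an added example (not code from the post or from the CAS project): it builds the Set-Cookie headers each variant emits, then audits a response for expired cookies that still carry a payload and for total header bytes against a buffer size. SAMPLE_TGC is a constructed stand-in for the JWT-bearing TGC, removal_headers only imitates the behaviour the post describes (it does not call CAS), and buffer_limit is a placeholder, not a value taken from any real nginx configuration.

```python
# Constructed stand-in for a CAS TGC that wraps a JWT; not a real token, only sized like one.
SAMPLE_TGC = "eyJhb" + "x" * 2000 + ".VAw"
EXPIRED = "Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:10 GMT"


def removal_headers(name, value, paths, keep_value):
    """Build the Set-Cookie headers a cookie-removal step emits.

    keep_value=False models the normal logout (empty value, one path);
    keep_value=True models removeAll, which repeats the full value on every path.
    """
    sent = value if keep_value else ""
    return [f"Set-Cookie: {name}={sent}; {EXPIRED}; Path={p}" for p in paths]


def parse_set_cookie(header):
    """Split 'Set-Cookie: NAME=VALUE; attr; attr=val' into (name, value, attrs)."""
    body = header.split(":", 1)[1].strip()
    pair, *attrs = [part.strip() for part in body.split(";")]
    name, _, value = pair.partition("=")
    parsed = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        parsed[key.lower()] = val  # flag attributes such as Secure map to ""
    return name, value, parsed


def audit_removal(headers, buffer_limit):
    """Flag expired cookies that still carry a payload and total the header bytes.

    buffer_limit is a placeholder for the proxy's response-header buffer size
    (an assumption, not read from any nginx configuration).
    Returns (expired_with_payload, total_bytes, exceeds_buffer).
    """
    total = sum(len(h) + 2 for h in headers)  # +2 for the CRLF ending each header line
    expired_with_payload = 0
    for h in headers:
        _, value, attrs = parse_set_cookie(h)
        if attrs.get("max-age") == "0" and value:
            expired_with_payload += 1
    return expired_with_payload, total, total > buffer_limit


if __name__ == "__main__":
    normal = removal_headers("TGC", SAMPLE_TGC, ["/cas"], keep_value=False)
    timeout = removal_headers("TGC", SAMPLE_TGC, ["/", "/cas/", "/cas"], keep_value=True) + normal
    for label, headers in (("normal logout", normal), ("timeout logout", timeout)):
        print(label, audit_removal(headers, buffer_limit=4096))
```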