-
Notifications
You must be signed in to change notification settings - Fork 670
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Split access token into half and store to avoid "securecookie: the value is too long" error #4863
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #4863 +/- ##
==========================================
+ Coverage 58.56% 59.10% +0.54%
==========================================
Files 494 645 +151
Lines 42987 55573 +12586
==========================================
+ Hits 25176 32849 +7673
- Misses 15816 20133 +4317
- Partials 1995 2591 +596
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
@yubofredwang do you mind fixing the linting issue so that this passes all tests and we could merge it? (and sign off the commit?) |
Just FYI as I'm aware this PR is a WIP, a user is reporting the following error after using the solution proposed here: |
let me take a look another look at this issue. |
This PR doesn't touch that cookie, right, @davidmirror-ops ? Do you have more details about this error? |
@DevendraJohari24 is this still an issue in your environment? |
I just had a call with Devendra and the error message |
@yubofredwang , we did a round of testing using this in one of our Flyte clusters and it worked beautifully. Can we get this PR out of draft mode? |
Signed-off-by: Yubo Wang <[email protected]>
Signed-off-by: Yubo Wang <[email protected]>
Signed-off-by: Yubo Wang <[email protected]>
@yubofredwang actually, because of the potential impact of this, would you be willing to make this a backwards compatible change? It's okay to log people out... but the issue is that many people run multiple Admin pods (most people who aren't on single binary deployment do anyways). The concern is that during rollout, a newer version of admin with this change logs a user out, but then it redirects to an older admin (which hasn't been shut down yet). That older admin issues another cookie, and then if the user again hits the newer admin, they'll again be logged out. This is only a concern during the rollout process. Can be mitigated by just renaming the new cookie, and checking for both the old cookie and the new pair of cookies. What do you think? If you're willing to make this change, we can run our internal test again. Ty so much and sorry to be dragging this out. |
Signed-off-by: Yubo Wang <[email protected]>
Signed-off-by: Yubo Wang <[email protected]>
Signed-off-by: Yubo Wang <[email protected]>
Thank you! |
Tracking issue
#3750
Why are the changes needed?
Fix "securecookie: the value is too long" error
What changes were proposed in this pull request?
Split the access token in half and store each one in a different cookie.
How was this patch tested?
Used internally at Linkedin.
Setup process
Screenshots
Check all the applicable boxes
Related PRs
Docs link