Serialized session exceeds maximum session size that can be stored in cookies. Max size: 8000, Requested Session Size: 11008. #59
Comments
On Tue, Jun 30, 2015, 2:14 PM priyanka83 [email protected] wrote:
@benlucchesi : We have upgraded the cookie session plugin to the latest version and are testing it out at present. The problem was intermittent and usually happened after redirects. We didn't see any failed login attempts in the production logs. Will keep you posted. Thanks for the prompt response.
If spring security is redirecting from a controller action due to lack of On Wed, Jul 1, 2015, 12:19 PM priyanka83 [email protected] wrote:
@benlucchesi : We upgraded the plugin version and deployed to our production environment and we are not seeing any serialized session increase exceptions. Thank you very much for your help! :)
For me the problem still persists. I see that cookies are deleted from SPRING_SECURITY_SAVED_REQUEST, but then after the session gets serialized to bytes by kryo, those bytes still contain gsession things!! It's easy to prove. Put a breakpoint at the end of the serialize method of KryoSessionSerializer and evaluate this expression in your IDE: new File('session.txt').withOutputStream { Then open session.txt with a text editor and you'll see all the cookies there. That's very strange because when you deserialize it there are no gsession cookies. I don't know how it's possible.
That is very strange. To start with, what version of grails, spring On Wed, Sep 2, 2015 at 7:30 AM, denis111 [email protected] wrote:
Grails 2.5.1 , spring-security-core:2.0-RC5, cookie-session:2.0.18. Saved session in txt looks like: ava.util.HashMa���SPRING_SECURITY_CONTEX‘��org.springframework.security.core.context.SecurityContextImpÏ���org.codehaus.groovy.grails.FLASH_SCOP≈���java.util.concurrent.ConcurrentHashMa�������SPRING_SECURITY_SAVED_REQUES‘��¬�org.springframework.security.web.savedrequest.DefaultSavedRequest��/immogeÔ��java.util.ArrayLisÙ����org.springframework.security.web.savedrequest.SavedCookiÂ�����wasHerÂ���Ç1��������userI‰���bb80e016-7836-3124-8cca-a8fa8120933Â���java.util.TreeMa���java.lang.String$CaseInsensitiveComparatoÚ���accepÙ������text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.∏�accept-encodinÁ������gzip, deflatÂ�accept-languagÂ������es-ES,es;q=0.8,en-US;q=0.5,en;q=0.≥�cache-controÏ������max-age=∞�connectioÓ������keep-alivÂ�cookiÂ������ÒnwasHere=1; userId=bb80e016-7836-3124-8cca-a8fa8120933e; gsession-0=CK6zIAEXnf885hnozwUlZav5J/alofXZv5c6B/I8JY99YzMuZFnXPOXPFz56+zSfcyoLQlsY61K5tNvIKcB3YPcNS1rSi6Bi0Fwf4jnH4w7xTR0FTQVBulcaWKPoJyU5Pspyfzs1/N1cokbjWcL2aDxEmBObWfKsBRMSXUg2OEuT2PJdegMFwaK3kcdJ7jQzaHarvh9N00n0SiNs6kBsYvg9kxmwNNJz8BMx97ClcY7PmdBZ/In4Iyxy0aRvLXFZkT6dY9JpuCKVt/O90GU4Q3kWJ9NrJMW89iRGbW72uFn1utUwYAKz2d8LtveT5hrBLvtCxfH3DqKFJmkIOv0t6Vho7/0Mq/ko/lf/YYoADdQuZ27lTCRFDw8QIbnDLyo0ZPAvlVxivpkMkVi8XP3vR/YIZnTsMqoIVBqgjM51p9HcLBQhrvy7OYDaerBIOWzuB/..... and so on. |
Hey denis111, I don't see how this can be a bug in the serializer - it's not going to manufacture cookies in the saved request in the session. I don't know what actions are being performed in your app prior to the session being serialized, but could you put a breakpoint in src/groovy/com/granicus/grails/plugins/cookiesession/SecurityContextSessionPersistenceListener.groovy and verify the session.SPRING_SECURITY_SAVED_REQUEST.cookies collection is being iterated over and that cookies are being removed. After everything is removed, can you then inspect the session.SPRING_SECURITY_SAVED_REQUEST in your debugger and verify nothing is left over.

Also, can you try clearing all cookies from your browser or use an incognito mode so that you get a fresh session and then try to repro the error. It could be that your browser is sending up a bad session that always results in a redirect. If you clear cookies and you aren't able to recreate, then it's likely that bad cookies were stuck in the browser.

Also, can you post your cookie session config settings (don't include your cookie session encryption key). If you have any other details about the scenario, that would help too - redirects, etc.
Hi benlucchesi , We are also facing a similar issue with our application. We are using Grails 2.3.2 with Spring security - 2.0RC2 and Cookiesession 2.0.16.
Do we have any workaround for this? Thanks,
Kaushik, thanks for the feedback on this. I've gotten a couple of reports regarding I've just finished upgrading the plugin to grails 3.0 and I've got a -ben On Mon, Sep 28, 2015 at 9:54 AM, Kaushik Shelat [email protected]
Guys, I've been trying to repro the issue by failing login attempts and I can't get the session to explode. Try something for me though... add this setting and test out your scenario:

grails.plugin.cookiesession.condenseexceptions = true

Exceptions are notoriously unhealthy for serializers and cookie-sessions. If an exception gets stuffed into the session, it ends up taking a ton of data into the session, possibly including references to the request which contained the cookie. If this happened, it would explain why cookies keep reappearing in the session even though the saved request gets cleared out. Please try this and let me know how it works. -ben
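Added illustration, not part of the thread and not the plugin's code: a small Python model of the mechanism discussed above, where a request that carries the session cookie is itself stored in the cookie-backed session, so each redirect nests the previous session inside the next one until it passes the 8000-byte limit from the issue title. The JSON/zlib/base64 pipeline, the URI, the sample cookie values and all function names are assumptions made for the model.

```python
import base64
import json
import zlib

MAX_SESSION_SIZE = 8000        # limit quoted in the issue title
SESSION_COOKIE = "gsession-0"  # cookie name seen in the dump posted in the thread

def encode_session(session):
    """Stand-in for serialize -> compress -> encode (assumed: JSON, zlib, base64)."""
    raw = json.dumps(session, sort_keys=True).encode()
    return base64.b64encode(zlib.compress(raw)).decode()

def save_request(cookie_header, strip_session_cookie):
    """Model an unauthenticated request being saved into the session before a login redirect."""
    if strip_session_cookie:
        # Drop the session's own cookies before the request is stored in the session.
        parts = [p for p in cookie_header.split("; ") if not p.startswith("gsession")]
        cookie_header = "; ".join(parts)
    saved = {"uri": "/secure/page",  # constructed sample request
             "headers": {"accept": "text/html", "cookie": cookie_header}}
    return encode_session({"SPRING_SECURITY_SAVED_REQUEST": saved})

def rounds_until_overflow(strip_session_cookie, max_rounds=200):
    """Return (round that exceeded the limit, or None) and the cookie size seen in each round."""
    base = "wasHere=1; userId=constructed-sample-id"  # constructed sample cookies
    cookie_header, sizes = base, []
    for n in range(1, max_rounds + 1):
        value = save_request(cookie_header, strip_session_cookie)
        sizes.append(len(value))
        if len(value) > MAX_SESSION_SIZE:
            return n, sizes
        # The browser returns the new session cookie with the next request.
        cookie_header = f"{base}; {SESSION_COOKIE}={value}"
    return None, sizes

if __name__ == "__main__":
    for strip in (False, True):
        hit, sizes = rounds_until_overflow(strip)
        print(f"strip={strip}: overflow round={hit}, first={sizes[0]}, last={sizes[-1]}")
```

In this model compression does not stop the growth, because the nested cookie value is already compressed and only the base64 expansion can be recovered.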
Should the same config option work for 2.0.18? (It seems not, or it just doesn't solve the problem.)
The condenseexceptions option does work for 2.0.18; however, I was finally able to repro the issue and condenseexceptions didn't help. I'm working on root cause now...
Guys, I haven't found the root cause of the issue, but I have a work around until I do. The strategy is as follows:
To remove the exception translation filter, add this to the Config.groovy
Add this mapping to your URLMappings.groovy
If you don't have an ErrorsController.groovy, create one and add this method:
In your login page, render the redirecturl into the form as follows:
The spring-security-redirect is a special form param picked up by the authentication handler and performs the redirect. Based on my experiments, this method seems to be a good workaround and drastically reduces the size of the serialized session. Please let me know if this is successful for you. -ben
That seems to work for now! But just how do I suppress the exception message in the output log?
Thanks Ben. This worked for me too. Though, I still have a concern with my cookie size. After removing the SAVED REQUEST from the session, the cookie size comes to around 1500b. I see many websites (e.g. Facebook and LinkedIn) where the session cookies, which might be storing much more information, are very small in size! Using kryo does reduce my cookie size to almost half, but the serializer doesn't work for me (as you have mentioned in the docs)! Thanks for the help
Facebook definitely doesn't use any generic session of any generic server/framework and has some custom implementation to store its certain things, I think. But about the size and serialization: is any (de)compression applied to the cookie before saving/reading it? If not, then maybe some fast algorithm wouldn't impact the server performance much? Like snappy or whatever the latest fastest compressor is...
Guys, I'm really glad to hear things are working with the fix. Firstly, the cookie-session plugin has integrated compression. Check your Secondly, don't just shove anything into a session. Instead of storing Finally, always try to use the kryo serializer - it gives you far more Regarding facebook or other apps and cookies session - consider for a FYI - I've got a working version that upgrades the kryo serializer to the -ben On Fri, Oct 16, 2015 at 4:22 AM, denis111 [email protected] wrote:
Great news, waiting for the updated kryo! About compression: yes, I see gzip in the source code, but I just wanted to mention that there are also faster algorithms that some users might like for server performance (like lz4): http://java-performance.info/performance-general-compression/
May be fixed in https://github.com/double16/grails-cookie-session/tree/release/4.0.0 dependencies { |
We are using the cookie session plugin in our application with spring security enabled. Seems like there is some unwanted data being stored in the session, which is causing the session size to increase dramatically. I have tried all of the above suggestions: bumping the number of cookies to 4 and increasing the header size and cookie session timeout. When increasing the number of cookies to 4, it has some issues when we try to logout/login. The exception we see is:
ERROR cookiesession.CookieSessionRepository - cause: null
java.lang.RuntimeException: = character not at end of base64 value.
Also, we are seeing exceptions when it tries to deserialize the session, and it throws some gzip-related exceptions.
This is the setting we have in Config.groovy:
grails.plugin.cookiesession.enabled = true
grails.plugin.cookiesession.encryptcookie = true
grails.plugin.cookiesession.cryptoalgorithm = "AES"
grails.plugin.cookiesession.secret = cookieSecret
grails.plugin.cookiesession.cookiecount = 1
grails.plugin.cookiesession.maxcookiesize = 8000
grails.plugin.cookiesession.sessiontimeout = 3600
grails.plugin.cookiesession.cookiename = 'gsession'
grails.plugin.cookiesession.condenseexceptions = true
grails.plugin.cookiesession.springsecuritycompatibility = true
Any help will be appreciated, as this is causing too much havoc on our production environment. The application is hosted on JBoss EAP 6.1.