The cookie received from https://DOMAIN.auth0.com/authorize gets bigger every time I log out.
Leading to:
400 Bad Request
Request Header Or Cookie Too Large
nginx
I also am receiving: Failed to load resource: the server responded with a status of 404 () /user/ssodata:1
at the login screen.
Does anyone have an idea of why this is happening?
Hey there @kevin.mcginley, can you snag us a HAR file of the workflow as the error happens so we can take a deeper look at what may be occurring and DM it over to me along with the tenant name? Thanks in advance!
I wanted to follow up @kevin.mcginley on this topic and what we were able to find after looking at the HAR files you sent over.
Initially you mentioned about receiving a status of 404 for /user/ssodata. One of our Engineers @nicolas_sabena gave a terrific explanation on this that I am going to quote below:
TL;DR: the 404 from /user/ssodata is no cause for concern. Read below for more details.
When a user already has a session in Auth0 and an application requests a new token, Auth0’s Lock used to present a “Last time you logged in as john.doe@acme.com” button in the hosted login page that would let you reuse the existing session easily (no need to enter credentials again).
New tenants (or existing tenants that turn on “Enable Seamless SSO” in the tenant advanced options) behave differently: if the user already has a session in place then the login step is skipped completely so that the hosted login page is not even displayed (although the user might see other prompts such as MFA or consent).
When this “Seamless SSO” functionality is enabled (which, again, is the default and only behavior available on new tenants) the /user/ssodata returns 404 , because its functionality is not really needed anymore.
Lock still tries to call /user/ssodata anyway (because Lock, running in the browser, is unaware of the tenant configuration), but when getting a 404 response it simply assumes that there’s no session in place (which is the right assumption to make, because if there was a valid session then the login page would not have been loaded).
Now to follow up on the 400 Bad Request generated by a Cookie getting larger after each logout. From looking over the HAR file it appears you are using the Auth0 Google Dev keys in production, we would recommend generating a fresh set of keys from Google for your production use case. I have linked a supporting doc below that can help you on that front.
Can you check if this works for you now? Not sure what the expiration time was at the time those cookies were set but if they are still there you might have to clear them.
https://cdn.auth0.com/js/lock/11.13/lock.min.js will no longer generate cookies in the HLP. I just checked on my side and the extra cookies are no longer created (a few ones are still there, generated by the Auth0 domain to track the session, but no more than 5-6).
Thanks for the .HAR file @kevin.mcginley !. That helped to find the root cause: Lock v11.13 solves the cookie issue when email/password logins are used, but the problem is still there when other login methods are used (like passwordless or social providers).