Support cookie chunking to overcome 4kb limitation #1938

Closed
opened 2026-03-13 09:13:40 -05:00 by GiteaMirror · 6 comments
Owner

Originally created by @belgattitude on GitHub (Sep 16, 2025).

Is this suited for github?

  • Yes, this is suited for github

Recently I've had issue with the microsoft entra social provider with the next js integration and the latest version of better-auth (I guess all of them have this limitation).

# SERVER_ERROR:  [Error [BetterAuthError]: Session data is too large to store in the cookie. Please disable session cookie caching or reduce the size of the session data] {

It does not happen with all users, so I suspect we're very close to the 4kb limit. Some users have an idToken of 1.5kb and the access token is close to 2kb.

Next-auth implemented a cookie chunking mechanism to fix past issues. You can have a look to the doc:

https://next-auth.js.org/configuration/options#cookies

My config

export const auth = createBetterAuth({
  db: createDbBaseAuthConn({
    jdbcDsn: process.env.DB_BASE_AUTH_JDBC_URL!,
    schema: dbBaseAuthConfig.schema,
  }),
  advanced: {
    useSecureCookies: true,
  },
  session: {
    modelName: 'session',
    fields: {
      userId: 'userId',
    },
    expiresIn: 604_800, // 7 days
    updateAge: 86_400, // 1 day
    cookieCache: {
      enabled: true,
      maxAge: 5 * 60, 
    },
  },
  socialProviders: {
    microsoft: {
      clientId: serverEnv.AUTH_ENTRA_CLIENT_ID!,
      clientSecret: await getEntraSecretFromKeyvault(),
      tenantId: serverEnv.AUTH_ENTRA_CLIENT_TENANT_ID!,
      authority: serverEnv.AUTH_ENTRA_AUTHORITY,
      prompt: 'select_account', 

      // Attempt to keep the token payload size as smaller as possible
      // to not run into issues with cookie size limits
      // when using cookie session storage (limit: 4k)
      disableDefaultScope: true,
      scope: ['openid', 'email'],
      disableProfilePhoto: true,
    },
  },
});

Describe the solution you'd like

Either offer a way to customize the session reading/writing

Either a built-in support for cookie chunking

Describe alternatives you've considered

Tried to disable cookie cache, but somehow either it didn't fix the issue, either there is still a bug in the implementation.

On the other side, storing access tokens and refresh tokens in database is a bit risky

Additional context

I've forked the repo and already tried few things regarding size... Here some of my findings:

Attempt 1

Compress the cookie with gzip using this standard implementation. I tried with a cookie of 4.2Kb and could reduce it to 3.9Kb. But the gain of compressing base64 doesn't change much and make async mandatory (if we use standard web compression - works in all realms)

Idea 1

Technically cookie values does not need to be base64 encoded. I haven't investigated, but generally the overhead of base64 is between 10% to 30%.

Attempt 2

I'm trying to get an implementation of a cookie chunker... before proposing a PR, I'd like to ask what's your opinion about this

Originally created by @belgattitude on GitHub (Sep 16, 2025). ### Is this suited for github? - [x] Yes, this is suited for github ### Is your feature request related to a problem? Please describe. Recently I've had issue with the microsoft entra social provider with the next js integration and the latest version of better-auth (I guess all of them have this limitation). ```` # SERVER_ERROR: [Error [BetterAuthError]: Session data is too large to store in the cookie. Please disable session cookie caching or reduce the size of the session data] { ```` It does not happen with all users, so I suspect we're very close to the 4kb limit. Some users have an idToken of 1.5kb and the access token is close to 2kb. Next-auth implemented a cookie chunking mechanism to fix [past issues](https://github.com/nextauthjs/next-auth/discussions/2628). You can have a look to the doc: https://next-auth.js.org/configuration/options#cookies My config ```typescript export const auth = createBetterAuth({ db: createDbBaseAuthConn({ jdbcDsn: process.env.DB_BASE_AUTH_JDBC_URL!, schema: dbBaseAuthConfig.schema, }), advanced: { useSecureCookies: true, }, session: { modelName: 'session', fields: { userId: 'userId', }, expiresIn: 604_800, // 7 days updateAge: 86_400, // 1 day cookieCache: { enabled: true, maxAge: 5 * 60, }, }, socialProviders: { microsoft: { clientId: serverEnv.AUTH_ENTRA_CLIENT_ID!, clientSecret: await getEntraSecretFromKeyvault(), tenantId: serverEnv.AUTH_ENTRA_CLIENT_TENANT_ID!, authority: serverEnv.AUTH_ENTRA_AUTHORITY, prompt: 'select_account', // Attempt to keep the token payload size as smaller as possible // to not run into issues with cookie size limits // when using cookie session storage (limit: 4k) disableDefaultScope: true, scope: ['openid', 'email'], disableProfilePhoto: true, }, }, }); ``` ### Describe the solution you'd like Either offer a way to customize the session reading/writing Either a built-in support for cookie chunking ### Describe alternatives you've considered Tried to disable cookie cache, but somehow either it didn't fix the issue, either there is still a bug in the implementation. On the other side, storing access tokens and refresh tokens in database is a bit risky ### Additional context I've forked the repo and already tried few things regarding size... Here some of my findings: ## Attempt 1 Compress the cookie with gzip using this [standard implementation](https://github.com/belgattitude/httpx/blob/main/packages/compress/src/compressor.ts). I tried with a cookie of 4.2Kb and could reduce it to 3.9Kb. But the gain of compressing base64 doesn't change much and make async mandatory (if we use standard web compression - works in all realms) ## Idea 1 Technically cookie values does not need to be base64 encoded. I haven't investigated, but generally the overhead of base64 is between 10% to 30%. ## Attempt 2 I'm trying to get an implementation of a cookie chunker... before proposing a PR, I'd like to ask what's your opinion about this
GiteaMirror added the nextjsenhancement labels 2026-03-13 09:13:40 -05:00
Author
Owner

@dosubot[bot] commented on GitHub (Sep 16, 2025):

Better Auth currently stores all session data in a single base64Url-encoded cookie and enforces a strict 4093-byte limit. If the encoded data exceeds this, it throws an error and does not chunk or split the data across multiple cookies. There are no built-in mechanisms for cookie chunking, nor are there extension points for customizing how session data is serialized or stored in cookies. The codebase does not currently support alternative encodings or compression, and all session data is written as one cookie value, which is why compression attempts yield little benefit and base64 overhead remains an issue. Recent changes have focused on secondary storage and session management, but none address chunking or large session data in cookies source.

To implement cookie chunking, you would need to modify the session cookie writing and reading logic to split large payloads across multiple cookies and reassemble them on read, similar to how NextAuth handles this. You'd also need to ensure that signing, expiration, and integrity checks work across all chunks, and that the approach remains RFC-compliant and secure. This would likely require changes in the core cookie handling code and careful consideration of backwards compatibility and browser cookie limits.

Until chunking is supported, the only workarounds are to minimize session data, avoid storing large tokens in cookies, or rely on secondary storage (with its own tradeoffs). If you want to propose a PR, focus on the cookie handling logic in the core package, and consider how chunking would interact with signing, encoding, and session validation.

To reply, just mention @dosu.


How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other  Chat with Dosu Join Discord Share on X

@dosubot[bot] commented on GitHub (Sep 16, 2025): <!-- Answer --> Better Auth currently stores all session data in a single base64Url-encoded cookie and enforces a strict 4093-byte limit. If the encoded data exceeds this, it throws an error and does not chunk or split the data across multiple cookies. There are no built-in mechanisms for cookie chunking, nor are there extension points for customizing how session data is serialized or stored in cookies. The codebase does not currently support alternative encodings or compression, and all session data is written as one cookie value, which is why compression attempts yield little benefit and base64 overhead remains an issue. Recent changes have focused on secondary storage and session management, but none address chunking or large session data in cookies [source](https://github.com/better-auth/better-auth/blob/4df178463eeeced7972c9a59f902b4bbf55db30b/packages/better-auth/src/cookies/index.ts). To implement cookie chunking, you would need to modify the session cookie writing and reading logic to split large payloads across multiple cookies and reassemble them on read, similar to how NextAuth handles this. You'd also need to ensure that signing, expiration, and integrity checks work across all chunks, and that the approach remains RFC-compliant and secure. This would likely require changes in the core cookie handling code and careful consideration of backwards compatibility and browser cookie limits. Until chunking is supported, the only workarounds are to minimize session data, avoid storing large tokens in cookies, or rely on secondary storage (with its own tradeoffs). If you want to propose a PR, focus on the cookie handling logic in the core package, and consider how chunking would interact with signing, encoding, and session validation. <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/69e67af5-abd8-41bf-97d5-ec1f944ec55b?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/69e67af5-abd8-41bf-97d5-ec1f944ec55b?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/69e67af5-abd8-41bf-97d5-ec1f944ec55b?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/69e67af5-abd8-41bf-97d5-ec1f944ec55b?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/69e67af5-abd8-41bf-97d5-ec1f944ec55b?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/69e67af5-abd8-41bf-97d5-ec1f944ec55b?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/69e67af5-abd8-41bf-97d5-ec1f944ec55b?feedback_type=other)</sup>&nbsp;&nbsp;[![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github)&nbsp;[![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot)&nbsp;[![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/4697)
Author
Owner

@ping-maxwell commented on GitHub (Nov 8, 2025):

Cookie chunking coming in 1.4

@ping-maxwell commented on GitHub (Nov 8, 2025): Cookie chunking coming in 1.4
Author
Owner

@belgattitude commented on GitHub (Nov 9, 2025):

Thanks a lot !

@belgattitude commented on GitHub (Nov 9, 2025): Thanks a lot !
Author
Owner

@celestial-rose commented on GitHub (Nov 25, 2025):

This may have broken the auth.api.getSession with safeJSONParse failing. The session is not being outputted totally only part of it (have cookie cache on, the chunking is because the profile image is too large), therefore not a valid json.

@celestial-rose commented on GitHub (Nov 25, 2025): This may have broken the auth.api.getSession with safeJSONParse failing. The session is not being outputted totally only part of it (have cookie cache on, the chunking is because the profile image is too large), therefore not a valid json.
Author
Owner

@ping-maxwell commented on GitHub (Nov 25, 2025):

@celestial-rose Can you open a new issue and tag me?

@ping-maxwell commented on GitHub (Nov 25, 2025): @celestial-rose Can you open a new issue and tag me?
Author
Owner

@celestial-rose commented on GitHub (Nov 25, 2025):

https://github.com/better-auth/better-auth/issues/6312#issue-3664493913 thanks @ping-maxwell

@celestial-rose commented on GitHub (Nov 25, 2025): https://github.com/better-auth/better-auth/issues/6312#issue-3664493913 thanks @ping-maxwell
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/better-auth#1938