Nextjs + NextAuth on AWS WAF rules
Unanswered
Aidi posted this in #help-forum
AidiOP
Hi, is anyone facing issues with cookie header size and the default AWS WAF rules???? We have a Next.js app where we are using NextAuth for user authentication with Auth0 as the identity provider. Everything seems to work just right, but when deployed on AWS, the default Web ACL rule SizeRestrictions_Cookie_HEADER gets triggered and throws a 403 error. I can see that NextAuth breaks the cookie into multiple cookies, but the overall size is larger than what the default rule allows: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html. Has anyone else faced this issue?
Any pointers would be helpful.
2 Replies
AidiOP
We get 3 cookies, `__Secure-next-auth.session-token.0`, `__Secure-next-auth.session-token.1` and `__Secure-next-auth.session-token.0`, with sizes 3967, 3967 and 968 bytes respectively. The collective size goes over the allowed 10,240 bytes.
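An added diagnostic, not code from this thread, NextAuth or AWS: it rebuilds the `Cookie` header a browser would send from NextAuth's chunked cookies, regroups the `.0`, `.1`, ... chunks under their base name, and compares the total with the 10,240-byte threshold of `SizeRestrictions_Cookie_HEADER`. The value lengths are constructed from the sizes reported above; the `.2` chunk index and the extra `other` cookie are assumptions.

```javascript
// AWS WAF baseline rule SizeRestrictions_Cookie_HEADER blocks Cookie headers over this size.
const WAF_COOKIE_HEADER_LIMIT = 10240;

// Build a Cookie header from [name, valueLength] pairs (constructed sample data, "x" padding).
function buildCookieHeader(cookies) {
  return cookies.map(([name, len]) => `${name}=${"x".repeat(len)}`).join("; ");
}

// Parse a Cookie header, measure each "name=value" pair in bytes, regroup NextAuth's
// chunked cookies (base.0, base.1, ...) under the base name, and flag the WAF limit.
function analyzeCookieHeader(cookieHeader) {
  const pairs = cookieHeader.split(/;\s*/).filter(Boolean);
  const groups = {};
  let total = 0;
  for (const pair of pairs) {
    const eq = pair.indexOf("=");
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const size = Buffer.byteLength(pair, "utf8"); // bytes of "name=value" as sent
    total += size;
    const base = name.replace(/\.\d+$/, ""); // strip NextAuth's chunk suffix
    if (!groups[base]) groups[base] = { chunks: 0, bytes: 0 };
    groups[base].chunks += 1;
    groups[base].bytes += size;
  }
  total += Math.max(0, pairs.length - 1) * 2; // the "; " separators between cookies
  return { total, groups, overLimit: total > WAF_COOKIE_HEADER_LIMIT };
}

const SESSION_BASE = "__Secure-next-auth.session-token";
// Constructed sample: the three chunks from the thread with the reported value sizes.
const THREAD_SAMPLE = [
  [`${SESSION_BASE}.0`, 3967],
  [`${SESSION_BASE}.1`, 3967],
  [`${SESSION_BASE}.2`, 968], // assumed index; the post lists ".0" twice
];

// Stand-alone run: report the session-token group and whether the WAF rule would fire.
const report = analyzeCookieHeader(buildCookieHeader(THREAD_SAMPLE));
console.log(`session-token chunks: ${report.groups[SESSION_BASE].chunks}, ` +
  `header total: ${report.total} bytes, over WAF limit: ${report.overLimit}`);
```

Feed it the real header from a browser's network panel (or a WAF log sample) to see which cookie group dominates before deciding between a smaller JWT payload, a database session strategy, or a rule override.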
AidiOP
anyone???? any thoughts???? ☝️