In what conditions next-auth may create multiple version of cookies for different domains?

[krzysztof-dk]

Hi guys. I'm working on a project using next-auth and Keycloak and facing a behaviour of having multiple cookies set for different domains as a result of oAuth login handled by next-auth.

The issue I'm facing because of that is that due to having this much cookies I'm hitting the cookie size limit of server providing me an images used in HTML tag, namely I'm getting 431 Request Header Fields Too Large error when browser tries to download the image through the HTML.

The question I have are:

1. In what conditions next-auth will create multiple version of cookies for different domains?
2. Can I tune/alert that?
3. Is this a bug/miss behaviour?
4. Could you point me to the next-auth source code part responsible for this behaviour?

The screenshot shows situation when I'm running project from localhost but this is the same after deployment.

[krzysztof-dk]

Example from deployment

env

[krzysztof-dk]

It seems that second set of cookies is created due to having issuer (https://next-auth.js.org/providers/keycloak) set to different domain than the one the page itself is using.

[benlimanto-salt]

@krzysztof-dk
You should look into

https://stackoverflow.com/a/78405808/4906348

https://next-auth.js.org/configuration/options

Cookies in NextAuth.js are chunked by default, meaning that once they
reach the 4kb limit, we will create a new cookie with the .{number}
suffix and reassemble the cookies in the correct order when parsing /
reading them. This was introduced to avoid size constraints which can
occur when users want to store additional data in their sessionToken,
for example.

[guillerg01]

If you get here, the problem is that too much user information is being saved in the session, and it seems that all of this is saved in the access token, so check that the things you save are not too large.