Issue
I'm using Flask's default secure cookie session. I've seen that the size limit of a cookie is 4KB. How can I check the size of Flask's session cookie?
Solution
Werkzeug already shows a detailed warning when generating a set-cookie header if the serialized cookie value is too large (> 4093 bytes).
UserWarning: The 'session' cookie is too large: the value was 4050 bytes but the header required 50 extra bytes. The final size was 4100 bytes but the limit is 4093 bytes. Browsers may silently ignore cookies larger than this.
This is only a warning because we don't actually know what any given browser will accept, 4093 is just the lowest value in common use as of a few years ago. (What is the maximum size of a web browser's cookie's key?)
If you're storing >4k of data in a session cookie, you probably want to reevaluate how you're storing data rather than trying to add size checks. A 4k cookie means that 4k of data is being sent with every request and response. For example, you probably want to retrieve data from a database, or Store large data or a service connection per Flask session, in which case all you need to store in the session is an id to fetch the data.
If you really want to check the size of cookies programmatically, you can get them from response.headers, and check their length. Flask only serializes the session cookie right before returning the response, but you can trigger that manually so that the cookie value is available.
from flask import Flask, session

app = Flask(__name__)
app.config["SECRET_KEY"] = "change-me"  # required to sign the session cookie


@app.after_request
def error_for_large_cookie(response):
    # Serialize the session now so its Set-Cookie header is already present.
    app.session_interface.save_session(app, session, response)
    for value in response.headers.getlist("Set-Cookie"):
        if len(value) >= 4093:
            raise ValueError("Cookie too large.")
    return response
This will cause a 500 error (and show the traceback in the terminal) if any cookie including the session is too large. Or turn the warning into an error for the same effect but less code:
import warnings
warnings.filterwarnings("error", r".* cookie is too large", module=r"werkzeug\.http")
Checking the size of the session dict in Python with sys.getsizeof() recursively isn't useful, as the size that matters is the serialized cookie header, not the Python object size.
Answered By - davidism
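To make the last point concrete, here is an added, self-contained example (not part of the answer above and not Flask's own code) that builds a cookie value shaped like Flask's signed session cookie using only the standard library, measures the whole Set-Cookie header the way Werkzeug does against its 4093-byte threshold, and sets that number beside sys.getsizeof() of the same dict. The serializer, the cookie attributes (HttpOnly; Path=/), the secret key, the fixed timestamp and the sample payloads are all assumptions made for the example; real Flask cookies will differ in their exact bytes but have the same shape and roughly the same size.

```python
import base64
import hashlib
import hmac
import json
import sys
import zlib

COOKIE_LIMIT = 4093  # threshold Werkzeug warns at, measured on "name=value; attrs"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, the encoding itsdangerous uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def serialize_session(data: dict, secret_key: str, timestamp: int = 1_700_000_000) -> str:
    """Build a value shaped like Flask's signed session cookie.

    Follows the structure Flask's SecureCookieSessionInterface gets from
    itsdangerous: JSON -> optional zlib (marked by a leading '.') -> urlsafe
    base64 -> '.timestamp.signature', HMAC-SHA1 keyed through the
    'cookie-session' salt.  This is a stand-in written for the example so the
    byte counts are realistic; it is not Flask's serializer, and the fixed
    timestamp is an assumption.
    """
    raw = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    compressed = zlib.compress(raw)
    if len(compressed) < len(raw) - 1:
        payload = "." + _b64(compressed)
    else:
        payload = _b64(raw)
    ts_bytes = timestamp.to_bytes((timestamp.bit_length() + 7) // 8, "big")
    signed = f"{payload}.{_b64(ts_bytes)}"
    derived = hmac.new(secret_key.encode(), b"cookie-session", hashlib.sha1).digest()
    signature = _b64(hmac.new(derived, signed.encode(), hashlib.sha1).digest())
    return f"{signed}.{signature}"


def set_cookie_header(value: str, name: str = "session") -> str:
    """The string Werkzeug measures: cookie name, value and attributes (assumed set)."""
    return f"{name}={value}; HttpOnly; Path=/"


def cookie_report(data: dict, secret_key: str = "example-secret") -> dict:
    """Compare the serialized header size with the misleading object size."""
    header = set_cookie_header(serialize_session(data, secret_key))
    header_bytes = len(header.encode("latin-1"))
    return {
        "header_bytes": header_bytes,
        "too_large": header_bytes > COOKIE_LIMIT,
        "getsizeof": sys.getsizeof(data),  # dict container only, ignores contents
    }


def oversized_cookies(set_cookie_values: list[str]) -> list[str]:
    """The same check the after_request hook above makes, over a list of header values."""
    return [v for v in set_cookie_values if len(v) >= COOKIE_LIMIT]


if __name__ == "__main__":
    small = {"user_id": 42}
    # Constructed, poorly compressible payload standing in for data that
    # belongs in a database or server-side store, with only an id in the cookie.
    big = {"history": "".join(hashlib.sha256(str(i).encode()).hexdigest() for i in range(100))}
    for label, data in (("small", small), ("big", big)):
        print(label, cookie_report(data))
```

Running it shows why sys.getsizeof() is the wrong measure: the dict holding 6400 characters of history reports a container size of a few hundred bytes while its cookie header runs well past 4093, and the one-key session with just an id stays under a hundred bytes.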