Avoid exceeding 4K cookie size limit by setting an upper limit on path size when using login_return_to_requested_location?

Returning to requested location is a nice to have, but not a hard
requirement, and few legitimate cases will exceed the limit. Not
having a limit allows an easy way to unauthenticated users to force
cookie too large exceptions in applications.

This adds a login_return_to_requested_location_max_path_size
configuration method to change the limit.

Author: jeremyevans

CHANGELOG

@@ -1,3 +1,7 @@
+=== master
+
+* Avoid exceeding 4K cookie size limit by setting an upper limit on path size when using login_return_to_requested_location? (jeremyevans)
+
 === 2.38.0 (2025-01-15)
 
 * Make verify-account-resend page work if verify_account_resend_explanatory_text calls verify_account_email_recently_sent? (jeremyevans)

doc/login.rdoc

@@ -23,6 +23,7 @@ login_page_title :: The page title to use on the login form.
 login_redirect :: Where to redirect after a sucessful login.
 login_redirect_session_key :: The key in the session hash storing the location to redirect to after successful login.
 login_return_to_requested_location? :: Whether to redirect to the originally requested location after successful login when +require_login+ was used, false by default.
+login_return_to_requested_location_max_path_size :: The maximum path size in bytes to allow when returning to requested location, 2048 by default to avoid exceeding the 4K cookie size limit
 login_route :: The route to the login action. Defaults to +login+.
 multi_phase_login_forms :: An array of entries for authentication methods that can be used to login when using multi phase login.  Each entry is an array of three elements, sort order (integer), HTML, and method to call if this entry is the only authentication method available (or nil to not call a method).
 multi_phase_login_page_title :: The page title to use on the login form after login has been entered when using multi phase login.

lib/rodauth/features/login.rb

@@ -15,6 +15,7 @@ module Rodauth
     auth_value_method :login_error_status, 401
     translatable_method :login_form_footer_links_heading, '<h2 class="rodauth-login-form-footer-links-heading">Other Options</h2>'
     auth_value_method :login_return_to_requested_location?, false
+    auth_value_method :login_return_to_requested_location_max_path_size, 2048
     auth_value_method :use_multi_phase_login?, false
 
     session_key :login_redirect_session_key, :login_redirect
@@ -95,7 +96,7 @@ def login(auth_type)
     end
 
     def login_required
-      if login_return_to_requested_location? && (path = login_return_to_requested_location_path)
+      if login_return_to_requested_location? && (path = login_return_to_requested_location_path) && path.bytesize <= login_return_to_requested_location_max_path_size
         set_session_value(login_redirect_session_key, path)
       end
       super

spec/login_spec.rb

@@ -191,6 +191,33 @@
     page.html.must_include 'Passed Login Required: bar'
   end
 
+  it "should not return to requested path size if it is too long" do
+    path = "/a"*1024
+    rodauth do
+      enable :login, :logout
+      login_return_to_requested_location? true
+      login_return_to_requested_location_path do
+        path
+      end
+      login_redirect '/'
+    end
+    roda do |r|
+      r.rodauth
+      rodauth.require_login
+      ""
+    end
+
+    visit '/page'
+    login(:visit=>false)
+    page.current_path.must_equal path
+
+    path = "/a"*4096
+    logout
+    visit '/page'
+    login(:visit=>false)
+    page.current_path.must_equal "/"
+  end
+
   it "should not allow login to unverified account" do
     rodauth do
       enable :login