
Conversation

hf
Collaborator

@hf hf commented Aug 29, 2025

Adds an experimental option `encode` on the `cookies` object when using `createBrowserClient()` and `createServerClient()`.

If this is set to `tokens-only` then only the user's access token and refresh token will be encoded in the cookies, causing significant cookie size savings, often greater than 50%. It utilizes split session storage in auth-js, with some trade-offs such as the inability to access the `user` property on the `supabase.auth.getSession()` object in the server. This wasn't supposed to be done anyway, and `getClaims()` is a secure alternative for it.
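The trade-off described above, as an added example that is not code from this PR or from supabase/ssr: a `cookies` option object carrying the new `encode: 'tokens-only'` setting, and a server-side lookup of the user id done the old way through `getSession()` and the recommended way through `getClaims()`. The `AuthLike` interface, `tokensOnlyCookieOptions`, `userIdFromSession`, `userIdFromClaims` and the `fakeTokensOnlyAuth` stand-in are this example's own names; the absence of `user` in tokens-only mode and the `{ data: { claims }, error }` shape of the `getClaims()` result are assumptions taken from the PR description, and the Map-backed `getAll`/`setAll` replace a framework cookie store so the snippet runs offline.

```typescript
// Added example (not code from supabase/ssr or this PR). It models the
// server-side trade-off the PR describes: with `encode: 'tokens-only'` the
// cookie carries only the access and refresh tokens, so `session.user` may be
// absent on the server, while getClaims() still yields the verified claims.
// ASSUMPTIONS: AuthLike is a structural subset of supabase.auth written for
// this example; the getClaims() result shape ({ data: { claims }, error }) and
// the missing `user` are taken from the PR description, not verified here.

type Claims = { sub: string; role?: string; exp: number };

type SessionLike = {
  access_token: string;
  refresh_token: string;
  user?: { id: string }; // optional here to model tokens-only mode
};

interface AuthLike {
  getSession(): Promise<{ data: { session: SessionLike | null }; error: Error | null }>;
  getClaims(): Promise<{ data: { claims: Claims } | null; error: Error | null }>;
}

type CookieRecord = { name: string; value: string };

// The object to pass as `cookies` to createBrowserClient()/createServerClient().
// `encode: 'tokens-only'` is the option this PR adds; getAll/setAll are the
// existing @supabase/ssr adapter hooks, backed here by a Map instead of a
// framework cookie store. Use the same `encode` value in both clients.
function tokensOnlyCookieOptions(store: Map<string, string>) {
  return {
    encode: 'tokens-only' as const,
    getAll: (): CookieRecord[] =>
      Array.from(store, ([name, value]) => ({ name, value })),
    setAll: (cookies: CookieRecord[]): void => {
      for (const c of cookies) store.set(c.name, c.value);
    },
  };
}

// Before: reads the user from the session object. Under tokens-only this
// returns null on the server even though the session itself is valid.
async function userIdFromSession(auth: AuthLike): Promise<string | null> {
  const { data, error } = await auth.getSession();
  if (error || !data.session) return null;
  return data.session.user?.id ?? null;
}

// After: getClaims() verifies the access token and returns its claims; `sub`
// is the user id and does not depend on the encode mode.
async function userIdFromClaims(auth: AuthLike): Promise<string | null> {
  const { data, error } = await auth.getClaims();
  if (error || !data) return null;
  return data.claims.sub;
}

// Constructed stand-in for supabase.auth in tokens-only mode: the session has
// tokens but no `user`; the claims stand for the verified JWT payload.
const fakeTokensOnlyAuth: AuthLike = {
  async getSession() {
    return {
      data: { session: { access_token: 'header.payload.sig', refresh_token: 'refresh-token' } },
      error: null,
    };
  },
  async getClaims() {
    return {
      data: { claims: { sub: 'user-123', role: 'authenticated', exp: 1893456000 } },
      error: null,
    };
  },
};
```

Any server code that read `data.session.user` will start returning `null` once `encode: 'tokens-only'` is enabled, so search for that pattern before flipping the option; `userIdFromClaims` is the shape of the replacement.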

@@ -33,7 +33,7 @@
"homepage": "https://github.com/supabase/ssr#readme",
"devDependencies": {
"@eslint/js": "^9.3.0",
"@supabase/supabase-js": "^2.43.4",
"@supabase/supabase-js": "^2.56.0",
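Review bot: the bump at `"@supabase/supabase-js": "^2.56.0"` only touches devDependencies, yet the PR description says the tokens-only mode relies on split session storage in auth-js; check that the package's peer dependency range for @supabase/supabase-js (not part of this hunk) is raised to the same floor, otherwise consumers on an older supabase-js will pass `encode: 'tokens-only'` and silently not get the feature. The author's own note that this must be bumped again once supabase/supabase-js#1545 is live should be tracked so the merge does not ship against a pre-release range.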
Collaborator Author

Needs to be bumped further once this is live: supabase/supabase-js#1545

*
* You should keep this option the same between `createBrowserClient()` and `createServerClient()`. When set to `tokens-only` accessing the `user` property on the data returned from `getSession()` will only be possible if the user has already been stored in the separate storage. It's best to use `getClaims()` instead to avoid surprizes.
*
* @expermental
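Review bot: two typos in this doc comment, `@expermental` (the JSDoc tag must read `@experimental` or tooling keyed on the tag will not pick it up) and `surprizes` (should be `surprises`). On substance, the comment says to keep the option the same between `createBrowserClient()` and `createServerClient()` but not what breaks when they differ; state the consequence so a reader can recognise it. It also says to use `getClaims()` "to avoid surprises" while the PR description calls it the secure alternative; give that reason here, since this comment is what users will see in their editor.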


Suggested change
* @expermental
* @experimental

@j4w8n
Contributor

j4w8n commented Aug 30, 2025

Nice.

Have you considered setting the fallback for userStorage to null in each case? Then the encode option would be a great way for developers to just not store user anywhere unless we set userStorage explicitly ourselves. This has the great benefit of avoiding the warnings of supabase/auth-js#888, since Supabase source code also calls getSession() for various things that trigger the warning; more secure all around.
