[justin_oaks]

Thanks for the heads-up.

I'm curious at what would be stored in the session to make it large enough to be a problem, but it's good to know to watch out for it.

[mdaniel]

I believe it's almost always the "groups" claim <https://github.com/oauth2-proxy/oauth2-proxy/issues?q=cookie...> but I would suspect any sufficiently large set of claims would do it (e.g. a huge "iss", erroneously returning the user profile jpeg attribute, who knows)