Authored by Chris Ross (ASP.NET)
# Fix partial chunked cookies

MSRC # 70242: Fix exceptions and allocations when the cookie chunk count is not accurate

## Description

Browsers have limits on how long cookies can be, as low as 4kb. It's common for TempData and CookieAuth to get above that limit, so cookies are split into chunks with the following format:

```
MyCookie=chunks-3
MyCookieC1=(Base64EncodedData)
MyCookieC2=(Base64EncodedData)
MyCookieC3=(Base64EncodedData)
```

Fixes MSRC # 70242

## Customer Impact

A malicious client could send `MyCookie=chunks-2147483647` without the actual cookie chunks and cause large allocations, exceptions, and excess CPU utilization on the server when it tried to read or delete that many chunks. This flaw comes from the original implementation in Microsoft.Owin, but is much worse in AspNetCore when adopted by TempData due to it automatically calling Delete if reading the cookie fails.

I'll backport this to 5.0, 3.1, 2.1, and Microsoft.Owin once reviewed.

## Regression?

- [ ] Yes
- [x] No

## Risk

- [ ] High
- [ ] Medium
- [x] Low

Easy to reproduce and test.

## Verification

- [x] Manual (required)
- [x] Automated

## Packaging changes reviewed?

- [ ] Yes
- [ ] No
- [x] N/A
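The failure mode described above, as an added stand-alone example (not code from this PR or from ASP.NET Core's cookie manager): a Python model of the marker-plus-chunks layout in which reading and deleting are bounded by the chunks the request actually carried rather than by the declared count, so `chunks-2147483647` with no chunks costs one lookup and yields "cookie absent" instead of an exception. The function names, the `split_into_chunks` helper and the sample payload are constructed for this example.

```python
import base64
import binascii

CHUNK_PREFIX = "chunks-"

def parse_chunk_count(value):
    """Return N from a 'chunks-N' marker, or None if the value is not a marker."""
    digits = value[len(CHUNK_PREFIX):] if value.startswith(CHUNK_PREFIX) else ""
    return int(digits) if digits.isdigit() else None

def present_chunks(cookies, name, declared):
    """Collect MyCookieC1.. in order, stopping at the first missing chunk; the count
    only bounds the loop, so 'chunks-2147483647' with no chunks costs one failed lookup."""
    chunks = []
    for i in range(1, declared + 1):  # range is lazy: nothing is sized from the count
        chunk = cookies.get(f"{name}C{i}")
        if chunk is None:
            break
        chunks.append(chunk)
    return chunks

def read_chunked_cookie(cookies, name):
    """Reassemble and base64-decode the cookie; None, not an exception, if incomplete."""
    marker = cookies.get(name)
    if marker is None:
        return None
    declared = parse_chunk_count(marker)
    chunks = [marker] if declared is None else present_chunks(cookies, name, declared)
    if declared is not None and (declared < 1 or len(chunks) != declared):
        return None  # declared count disagrees with what the client actually sent
    try:
        return base64.b64decode("".join(chunks), validate=True)
    except binascii.Error:
        return None

def cookies_to_delete(cookies, name):
    """Names to expire when clearing the cookie: the marker plus only the chunks that exist."""
    marker = cookies.get(name)
    if marker is None:
        return []
    found = present_chunks(cookies, name, parse_chunk_count(marker) or 0)
    return [name] + [f"{name}C{i}" for i in range(1, len(found) + 1)]

def split_into_chunks(name, data, size):
    """Constructed helper that lays a value out in the marker-plus-chunks format."""
    encoded = base64.b64encode(data).decode("ascii")
    pieces = [encoded[i:i + size] for i in range(0, len(encoded), size)]
    jar = {name: f"{CHUNK_PREFIX}{len(pieces)}"}
    jar.update({f"{name}C{i}": p for i, p in enumerate(pieces, start=1)})
    return jar
```

A Delete that only expires names returned by `cookies_to_delete` emits at most one Set-Cookie header per chunk the client actually sent, which is the property the fix above restores.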