encode / starlette

The little ASGI framework that shines. 🌟

Home Page: https://www.starlette.io/

Warn users if setting too large of a session object

JaneJeon opened this issue · comments

I noticed a really weird thing that can happen when setting request.session objects that are too large (without any trace/notice that it is happening).

I noticed this when using authlib with fastapi, but the actual framework and library don't matter; what matters is that this sequence of events was happening:

  1. (request 1) authlib sets some internal state in the request.session for oauth redirect
  2. (request 2) then, on callback, authlib deletes the internal state after checking that the authorization flow was successful (so far, so good)
  3. (still in request 2) then, I do an oopsie and unknowingly set a cookie that is too large (>=4096 bytes)

Here are a couple of reasonable things one might expect in response to this:

  • throw an error, tell me that I can't do this because the session object is too large
  • just return the cookie with the deleted cookie (i.e. the state of the session after step 2)

What actually ends up happening is that the session state after 1 gets returned, no error or warning message or any sort of indication is being displayed that this is happening, and you go on a wild goose chase thinking it's an authlib issue.

I wasted 4 hours on this and at the very least would like to document this issue for posterity, but this is clearly an issue that needs to be reported to the user as an error or even a log, instead of just silently reverting back to the previous state of the request.session (i.e. the state before authlib even cleared the request.session in request number 2).
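The mechanism behind the three steps above is a browser-side one: RFC 6265 only requires user agents to accept cookies of at least 4096 bytes, and a `Set-Cookie` whose name and value exceed that is discarded by the browser, which then keeps sending the previous cookie. The server never sees an error, so the session it decodes on the next request is the one from before the library cleared its state. The example below is added here and is not Starlette's `SessionMiddleware`; it uses a stand-in signing scheme (base64 JSON plus HMAC-SHA256 instead of itsdangerous), a constructed secret, and a deliberately simplified cookie-jar model of the browser. It reproduces the sequence from the issue and shows the size check a session middleware could perform before emitting the cookie, either logging a warning or raising.

```python
import base64
import hashlib
import hmac
import json
import logging

COOKIE_NAME = "session"
COOKIE_LIMIT = 4096          # bytes of name + "=" + value a user agent must accept (RFC 6265)
SECRET = b"constructed-secret-for-the-example"  # assumption: a constructed key, not a real one

log = logging.getLogger("session")


class SessionTooLarge(ValueError):
    """Raised when a serialized session would exceed COOKIE_LIMIT."""


def encode_session(session: dict, secret: bytes = SECRET) -> str:
    """Serialize and sign a session dict into a cookie value (stand-in for itsdangerous)."""
    payload = base64.urlsafe_b64encode(json.dumps(session, separators=(",", ":")).encode())
    sig = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return f"{payload.decode()}.{sig}"


def decode_session(value: str, secret: bytes = SECRET) -> dict:
    """Verify the signature and return the session dict; an empty dict on any failure."""
    try:
        payload, sig = value.rsplit(".", 1)
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return {}
        return json.loads(base64.urlsafe_b64decode(payload.encode()))
    except ValueError:           # missing separator, bad base64, bad JSON
        return {}


def cookie_size(name: str, value: str) -> int:
    """Size the browser counts against its per-cookie limit: name, '=', and value."""
    return len(name.encode()) + 1 + len(value.encode())


def set_cookie_checked(session: dict, strict: bool = False) -> str:
    """
    Server side: encode the session and check its size before emitting Set-Cookie.
    strict=True raises; strict=False logs a warning but still returns the value,
    which is the silent behaviour the issue describes.
    """
    value = encode_session(session)
    size = cookie_size(COOKIE_NAME, value)
    if size > COOKIE_LIMIT:
        msg = f"session cookie is {size} bytes, over the {COOKIE_LIMIT}-byte limit; browsers will drop it"
        if strict:
            raise SessionTooLarge(msg)
        log.warning(msg)
    return value


class BrowserCookieJar:
    """Minimal model of a user agent: an oversized Set-Cookie is ignored, the old cookie stays."""

    def __init__(self) -> None:
        self.cookies: dict[str, str] = {}

    def set_cookie(self, name: str, value: str) -> bool:
        if cookie_size(name, value) > COOKIE_LIMIT:
            return False          # dropped; any previously stored cookie is kept
        self.cookies[name] = value
        return True

    def get(self, name: str) -> str:
        return self.cookies.get(name, "")


def reproduce_issue() -> dict:
    """Walk through the three requests from the issue and return the session request 3 sees."""
    jar = BrowserCookieJar()
    # request 1: the OAuth library stores its redirect state in the session
    jar.set_cookie(COOKIE_NAME, set_cookie_checked({"_state_oauth": "nonce-1"}))
    # request 2: the library clears that state, then the app writes an oversized value
    session = decode_session(jar.get(COOKIE_NAME))
    session.pop("_state_oauth")
    session["profile"] = "x" * 5000              # constructed value that pushes the cookie past 4096 bytes
    jar.set_cookie(COOKIE_NAME, set_cookie_checked(session))   # the browser drops this Set-Cookie
    # request 3: the server decodes the cookie the browser still holds, i.e. the state from request 1
    return decode_session(jar.get(COOKIE_NAME))


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("session seen on request 3:", reproduce_issue())
```

Running the script logs the size warning from request 2 and then prints the request-1 session, with `_state_oauth` still present, which is exactly the "reverted" state described above. Calling `set_cookie_checked(session, strict=True)` instead turns the same condition into a `SessionTooLarge` exception at the point where the oversized session is written.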
