IdentityServer3 idsrv.partial cookie gets too big

After login when redirecting the user using context.AuthenticateResult = new AuthenticateResult(<destination>, subject, name, claims) the partial cookie gets so big that it contains up to 4 chunks and ends up causing "request too big" error.

The number of claims is not outrageous (in the 100 range) and I haven't been able to consistently reproduce this on other environments, even with a larger number of claims. What else might be affecting the size of this cookie payload?

Running IdSrv3 2.6.1

danijels asked Jun 01 '18 11:06



1 Answer

I assume that you are using some .NET Framework clients, because all of these problems are usually connected with the Microsoft.Owin middleware, which has some encryption that causes the cookie to get this big.

The solution for you is again part of this middleware. All of your clients (using the Identity Server as authority) need to have a custom IAuthenticationSessionStore implementation.

This is an interface, part of Microsoft.Owin.Security.Cookies.

You need to implement it according to whatever store you want to use for it, but basically it has the following structure:

// Namespace: Microsoft.Owin.Security.Cookies (AuthenticationTicket is in Microsoft.Owin.Security)
using System.Threading.Tasks;
using Microsoft.Owin.Security;

public interface IAuthenticationSessionStore
{
    // Delete the server-side entry for this key (called on sign-out)
    Task RemoveAsync(string key);
    // Replace the stored ticket under an existing key (called on sliding expiration)
    Task RenewAsync(string key, AuthenticationTicket ticket);
    // Look up the ticket for the key found in the cookie; null means "not authenticated"
    Task<AuthenticationTicket> RetrieveAsync(string key);
    // Persist a new ticket and return the key that will be written to the cookie
    Task<string> StoreAsync(AuthenticationTicket ticket);
}

We ended up implementing a SQL Server store for the cookies. Here is an example of a Redis implementation, and here is another with an EF DbContext, but don't feel forced to use either of those.

Let's say that you implement MyAuthenticationSessionStore : IAuthenticationSessionStore with all the values that it needs.

Then in your OWIN Startup.cs, when calling:

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = "Cookies",
    SessionStore = new MyAuthenticationSessionStore(),
    CookieName = cookieName
});

By this, as the documentation for the IAuthenticationSessionStore SessionStore property says:

// An optional container in which to store the identity across requests. When used,
// only a session identifier is sent to the client. This can be used to mitigate
// potential problems with very large identities.

In your header you will have only the session identifier, and the identity itself will be read from the store that you have implemented.

m3n7alsnak3 answered Oct 06 '22 03:10
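As an added example, not code from the answerer, from IdentityServer or from the Katana project: a hypothetical InMemoryAuthenticationSessionStore that implements the interface above. It assumes the Microsoft.Owin.Security packages (TicketSerializer lives in Microsoft.Owin.Security.DataHandler.Serializer) and a single web node; a web farm needs a shared backing store such as the SQL Server or Redis stores mentioned in the answer. The two points it adds to the answer are that the key handed back from StoreAsync is the only thing that reaches the browser, so it has to be unguessable, and that the server-side copy should enforce the ticket's own expiry rather than trusting the cookie lifetime alone.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.DataHandler.Serializer;

// Hypothetical single-node implementation (added example, not from the original post).
// For a farm, swap the dictionary for SQL Server / Redis as the answer describes.
public class InMemoryAuthenticationSessionStore : IAuthenticationSessionStore
{
    private class Entry
    {
        public byte[] Ticket;           // serialized AuthenticationTicket (claims + properties)
        public DateTimeOffset? Expires; // copied from ticket.Properties.ExpiresUtc
    }

    private readonly ConcurrentDictionary<string, Entry> _store =
        new ConcurrentDictionary<string, Entry>(StringComparer.Ordinal);
    private readonly TicketSerializer _serializer = new TicketSerializer();

    // The key is the session identifier written into the cookie, i.e. the bearer credential
    // for the whole identity. 32 bytes from the CSPRNG, base64url-encoded; never a counter,
    // a user id or anything derived from the claims.
    private static string NewKey()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        if (ticket == null) throw new ArgumentNullException("ticket");
        var key = NewKey();
        _store[key] = ToEntry(ticket);
        return Task.FromResult(key);
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        if (ticket == null) throw new ArgumentNullException("ticket");
        // Sliding expiration: overwrite the entry under the same key so the cookie stays valid.
        _store[key] = ToEntry(ticket);
        return Task.FromResult(0);
    }

    public Task<AuthenticationTicket> RetrieveAsync(string key)
    {
        Entry entry;
        if (string.IsNullOrEmpty(key) || !_store.TryGetValue(key, out entry))
        {
            // Unknown or already removed key: the middleware treats null as "not authenticated".
            return Task.FromResult<AuthenticationTicket>(null);
        }
        if (entry.Expires.HasValue && entry.Expires.Value <= DateTimeOffset.UtcNow)
        {
            // Enforce the ticket's expiry server-side, not only through the cookie lifetime.
            _store.TryRemove(key, out entry);
            return Task.FromResult<AuthenticationTicket>(null);
        }
        return Task.FromResult(_serializer.Deserialize(entry.Ticket));
    }

    public Task RemoveAsync(string key)
    {
        // Called on sign-out. Dropping the entry invalidates the cookie immediately, even if
        // the browser keeps presenting it.
        Entry ignored;
        if (!string.IsNullOrEmpty(key)) _store.TryRemove(key, out ignored);
        return Task.FromResult(0);
    }

    private Entry ToEntry(AuthenticationTicket ticket)
    {
        return new Entry
        {
            Ticket = _serializer.Serialize(ticket),
            Expires = ticket.Properties != null ? ticket.Properties.ExpiresUtc : (DateTimeOffset?)null
        };
    }
}
```

Wire it in through the SessionStore property exactly as the answer shows (SessionStore = new InMemoryAuthenticationSessionStore()). Once that property is set, the Katana cookie handler writes only a small ticket carrying the session key into the cookie, calls RetrieveAsync on every request, RenewAsync when it slides the expiration, and RemoveAsync on sign-out, so the hundred-odd claims never leave the server. Because the key is now the credential, the store must be reachable only by the application and entries must be removed on sign-out; an in-memory dictionary also forgets everything on app-pool recycle, which logs every user out, one more reason to use a durable store in production.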