4

I have a test application that I am using to test integration with my WSO2 Identity Server IDP. When run by itself it works just fine. It makes an .AspNetCore.Antiforgery cookie and an .AspNetCore.Cookies cookie. The anti-forgery cookie is 190 bytes and the main cookie is 3.7K bytes.

But if I login to another application first, then load my test harness page, it gets 4 additional cookies:

  • .AspNetCore.CookiesC1 - 4K Bytes
  • .AspNetCore.CookiesC2 - 4K Bytes
  • .AspNetCore.CookiesC3 - 4K Bytes
  • .AspNetCore.CookiesC4 - 1K Bytes

These additional cookies put me over a limit of some kind, because a page loads with the following error (instead of my application):

Bad Request - Request Too Long
HTTP Error 400. The size of the request headers is too long.

I don't know how to see what is in these additional cookies because they are base 64 (and I think they are encrypted).

My question is, why would ASP.NET Core add so many extra cookies just because I logged into another site (using the same WSO2 IDP, but a different OIDC application)? And can I prevent it from happening?

Additional Notes:

  • As I reproduce this over and over to get details, I am noticing that sometimes it can add the extra cookies, but not give the error message. When that happens, the only difference seems to be that the original cookie of .AspNetCore.Cookies is changed to read "4 chunks" instead of its long value. But this is only on the second application. The other seems to be able to load it fine with the extra size (and I have tried reversing the order...) I am very confused...
Maduranga Siriwardena
Vaccano
  • Large cookie values are broken into chunks https://github.com/aspnet/Security/issues/1536 – Jeremy Lakeman Dec 17 '20 at 00:58
  • But why is it adding them? Why would it care that I logged into another application on a different tab? – Vaccano Dec 17 '20 at 01:04
  • What do you mean by "if I login to another application"? This cookie represents the user and their claims. (https://hajekj.net/2017/03/20/cookie-size-and-cookie-authentication-in-asp-net-core/) – Jeremy Lakeman Dec 17 '20 at 01:10
  • So, I have two applications, both from the same IDP, but setup as different OIDC applications in there. If I login into only one of them, all is fine. If I login to both (on different tabs) then the above errors start to happen. Somehow it is getting way more cookies when another tab has logged in already. – Vaccano Dec 17 '20 at 01:12
  • Check the two sites' login controllers and view what cookies they set on the response. If there is too much information you want to set in the cookie, why not set it in a header (without a size limit, but it needs to be set on every request)? IMO the cookies you mentioned may not be set by .NET Core but programmatically. – Jack Martin Dec 17 '20 at 01:42

1 Answer

2

This often happens when you have too many claims in your user identity. What you might try doing is modifying your application so that it only keeps the most commonly used information about your user in claims and does an on-demand lookup for the others.

GlennSills
  • I thought that might be the case, but I checked the JWT and it is very small. (By mistake the vast majority of claims are not being added.) – Vaccano Dec 18 '20 at 17:35
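
One way to apply the answer's suggestion, as an added example (not code from the question or the answer): trim each identity to an allowlist of claim types just before the cookie handler serializes it, so the `.AspNetCore.Cookies` value carries fewer claims. The class name `SlimCookie` and the contents of the allowlist are assumptions; the OIDC handler registration is left as the application already has it.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;

// Hypothetical helper, wired up with: .AddCookie(SlimCookie.Configure)
public static class SlimCookie
{
    // Assumed allowlist: the claim types this application reads on most requests.
    // Anything not listed is dropped from the cookie and must be looked up on demand.
    private static readonly HashSet<string> KeptClaimTypes =
        new HashSet<string>(StringComparer.Ordinal)
        {
            "sub", "name", "email",
            ClaimTypes.NameIdentifier, ClaimTypes.Name, ClaimTypes.Role
        };

    // Returns a copy of the principal whose identities hold only allowlisted claims.
    // Authentication type and name/role claim types are preserved so that
    // User.Identity.Name and User.IsInRole() keep working.
    public static ClaimsPrincipal TrimClaims(ClaimsPrincipal principal)
    {
        var slimIdentities = principal.Identities.Select(identity =>
            new ClaimsIdentity(
                identity.Claims.Where(c => KeptClaimTypes.Contains(c.Type)),
                identity.AuthenticationType,
                identity.NameClaimType,
                identity.RoleClaimType));
        return new ClaimsPrincipal(slimIdentities);
    }

    // Runs on every sign-in, before the authentication ticket is written to the cookie.
    public static void Configure(CookieAuthenticationOptions options)
    {
        options.Events.OnSigningIn = context =>
        {
            if (context.Principal != null)
            {
                context.Principal = TrimClaims(context.Principal);
            }
            return Task.CompletedTask;
        };
    }
}
```

Comparing the size of `.AspNetCore.Cookies` and any `.AspNetCore.CookiesC*` chunks in the browser before and after the change shows how much of the cookie the dropped claims accounted for.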