Closed shortstack closed 4 years ago
When this occurs, can you capture the request headers out of the browser debugger?
Also, if you can grab the exception in the FusionAuth logs that would be helpful as well. /usr/local/fusionauth/logs.
Tomcat has a default maxHttpHeaderSize of 8k, so perhaps we are hitting that limit. If you can recreate easily, you could try increasing this value to see if it alleviates the issue. That would tell us if we are on the right track.
thank you! grabbing shortly
the exception i see in the logs is what i pasted above
i am an idiot and didn't grab the headers (outside of the params in the links above) before i implemented the change in tomcat
i did, however, see that the request size for https://REDACTED/oauth2/authorize was 13k and the request size for https://REDACTED?tenantId=REDACTED/oauth2/passwordless was 2k
i bumped up the maxHttpHeaderSize in server.xml for the HTTP and HTTPS connectors and restarted, and i can no longer replicate the issue, which i was able to do several times previous to making the change
i'm going to try again in a little while and see if i can continue to break it
you said "That would tell us if we are on the right track." -- do you suspect this is only a bandaid and that there is another issue? or is it just that much header/session data? there is also an AWS ALB session cookie being sent since this is behind an ALB
08-May-2020 01:27:58.511 INFO [https-jsse-nio-9013-exec-3] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Request header is too large
at org.apache.coyote.http11.Http11InputBuffer.parseHeaders(Http11InputBuffer.java:589)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:700)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
08-May-2020 01:28:22.188 INFO [https-jsse-nio-9013-exec-4] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Request header is too large
at org.apache.coyote.http11.Http11InputBuffer.parseHeaders(Http11InputBuffer.java:589)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:700)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
do you suspect this is only a bandaid and that there is another issue?
No, not necessarily. It could just be your use case is producing a huge request header of some sort. It is larger than I would expect, but increasing the size may be a decent solution.
For it to be a permanent solution, we'd have to ship Tomcat with this configuration, or provide some configuration option. I found a bunch of StackOverflow threads that indicate people just bump it up to 32k or 64k. I think in theory there is some additional risk of DDOS when this value is allowed to be unnecessarily large.
I did also notice that between older and newer versions of Tomcat they have changed the default from 4k to 8k, and yet other articles indicate if you're using Kerberos or similar tech that you may need to bump the max to 32k. This all seems to indicate that the "reasonable" size is getting bigger as we find more uses for HTTP headers.
Perhaps with all of the state values that get passed around the default of 8k is too small.
The state value that is on that URL looks to be double Base64 encoded, so not sure what is happening there. We may have to attempt to recreate, but if you can collect the headers from the browser debugger that would be helpful.
there is also an AWS ALB session cookie being sent since this is behind an ALB
With regards to seeing the full headers, I'm mainly interested to see if that is all on the request itself, or if there is a Set-Cookie header that is adding to the length of the total request. This sounds like there may be several cookies adding to the length of the request headers.
Related info on max header sizes:
https://help.heroku.com/TQ80D553/why-do-i-get-a-400-bad-request-response-when-i-have-large-cookies
https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/how-elastic-load-balancing-works.html
In summary, I think your workaround to increase the max size seems reasonable. We'll review to see if we want to increase this in our shipped configuration and perhaps if we should expose this configuration in case it needs to be modified in the field.
Thanks for testing the workaround.
yes, definitely--one of my first thoughts was how does bumping this up affect potential for another attack vector, but if it's required with so much data... might not be an option. i also noticed the default, because i was initially looking at 8.0 but then realized FA is on 8.5. figured surely that would be enough but, maybe not.
the ALB session data especially is about as big as the session data in the requests i posted above. this might be an edge case since multiple layers but we surely can't be the only people using FA as an IDP behind cognito.
will post headers later! thank you much for your help!
Request Size: 13.4 kB
:authority: REDACTED
:method: GET
:path: /oauth2/authorize?client_id=REDACTED&redirect_uri=REDACTED&scope=openid&response_type=code&state=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
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cache-control: no-cache
cookie: fusionauth.locale=enUS; fusionauth.trust=00-NsVPD3RMMRad31wAhoc_BNWAS8XB7BbqI273XKI; AWSELBAuthSessionCookie-0=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; AWSELBAuthSessionCookie-1=IJpuSORQQdVVOiGwQKa0sEt+MW4uUG2kpvD51IzEYuPujAuNFetNIpbkO07vEj5H66QygZ+sJE98w8Gn7SzhZniEddYklS6pb6bVBDVHShxEHqvB0RN8YWsLFxWELidMbZ92hXyl80V2; JSESSIONID=786CA5C70CBDD087B42DFA4999685F52
dnt: 1
pragma: no-cache
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
client_id: REDACTED
redirect_uri: REDACTED
scope: openid
response_type: code
state: 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
Request Size: 8.1 kB
:authority: REDACTED
:method: GET
:path: /oauth2/passwordless?tenantId=REDACTED&client_id=REDACTED&nonce=&redirect_uri=REDACTED&response_mode=&response_type=code&scope=openid&state=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&timezone=America%2FNew_York&metaData.device.name=Mac%20Chrome&metaData.device.type=BROWSER&code_challenge=&code_challenge_method=&user_code=
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cache-control: no-cache
cookie: fusionauth.locale=enUS; fusionauth.trust=00-NsVPD3RMMRad31wAhoc_BNWAS8XB7BbqI273XKI; AWSELBAuthSessionCookie-0=ErfYgwAxJ0tG+iU6xd7LfUOqXRvQBUgxBS6gLmxhwmkp5QwIDy/mnwZmLMwznLLUqhKSCzZzl/VFYO6fwFN3XNjr8RpqTnJUlb+ypDL334N5IFv/zmOyLShan8qB+9nW9sjz7qgdUewB78mDQYHANXBMbDwCAXFldCHvSsoQ8cHg4OeQgi/PoHcb3lgrbyhXYIcnfuvNr4CBeD9VapNfKAC2A8RXKD+Tlyl/jzRJHWSaLnhskXwr6/8nq5kgc7EQSSdkT0iQX0b1SwiKrPXmS/HCo4BdLMQfOBaxZT4JOaufshMYCViKZcRRnIzS6nzxKAxBlyfZnye7A53rLsWzZhtNmNnjD1k2Ix6rhTG2g37beUUhvQZlrUtnqxVHOMdtHaaQLWqlrXgaOhU0rDZdR2V/uMu0tBnQ0Ck+lWEYufF22nHOfw/ibwKBvRfnujhjIOJCFG+0JQ1CZVStY7WdYFYBpge6MVepZ8f7OBXniEfuHPi3NDUHyoe03fZqkklhmhfrPPKNekM/xjvRkXp7qi19FbeR7oOhK6ltZ++9eQ0LudbuB/i+TXMwOo4stdclkME4+25zBuzrKYJ5iUZqpo5zIsYyy382qj3PZ5+Xy2ReOzoX7Qrr8CVtDbrEBgVO0VUc+Et8Rws1y50FM8zpyXaMODj35egoOPC30xSkTnO/CIQI9ScrUqI6iJv+zd3GhGqxgAApqdX9qvf1vq7BYZvBS8g2OIKlV2aMlc987Kf9DHB9xLYYe9vJ+vhMbzBVWkX/NM5aBNDGuBnMuba9eeiLxOush30ZNoT5UwifXGq9WYT+WsWSypfU1DacSWkKph5OvXLLg3DZk2zpyHp3Qv4Pgk7riFsSF/58WdkM9G+10BwP2Vo7vCMNG0Blxgc6kumxdYLptlbx/ZxEVYTk1XwGvtQVGBNW5QJki+RcMKG6sms1lj7q2BydOHEuv8Ie0uhYF42SFpA+L3HAzMXcCiGITVm50V5MPjf7prCaVKaKbaRNXpHXI2bwULIUfG0KM0AQ/CFzwFyP+OQJJHriPBPRuN8NfmniVnEu+GtQ08s7BPr7rpLEnm+0qZOaY7+26Sdh+tldVlod0KZmfdgGm+UoQVeNGqI3y14YRiGqsGI+3IN5JrCJ2tg6VYE+Y6FBVct/p8dL6mezhwjj+Cqmpn52juPDthvSttBs7sbkXjIdoHqvaJc2H8Fmmx/duJ76bwGeq1B/MvSKOIxSqgRlYiCQiisY4m9CVnjgGzyQRuY7pMvsJi4rB6j+wQG9wNIVtYspWO3bKfbiJWmXi16cVZkQovUaLXUkc2b1fUXet1G6vXM9w6YELCBDERX/lztuOHzNJr3SkA30mPDZTfQsBGeStY53Gh23CmwUsGzLTNeNgAHoumpfAQiV0O9sg39jl5YztEkCDL7u+TgVmMM649kWewlQqoYkNQlxMFbTralgR0a2kXlZ+XnvOx5mMFopuAS18hOKFxqYPUhgKtuTDx9t57zoScqWurpbQFjdNuxhEYKovEAG1Q2H9LgJAkPB2u9YFFQsyoIABUodw54xY6pyu3usv9DIEfrDrQ3fJvXDPlqFdHgll9U+0WyoQL+hghoXYDlyIlOEFIVr/UzPN8J+ytSPNw6JJI8LYwxeXeQ6I5RJ6sN2IsKeE7zpVG7CwmYGDV1KswNR7K53NKK8XfzOftXq4xO7Pk59nsFbVt7Obh5hFl29jAmavh93yxIFNc/yLuKRoQpGA0izsh8H6y0VAvQV5m6MwvijtD5S570nV2VAUcea9OaE9Oanp3QtScavkkCOJF03pXcxPtz96TBgJEnO2fp6juKyyZy6i7qxHGrl56mGM9X6nMU0jch2rQxU98z4dkiKwfeDd8iWr0MVK
IuAa7tWvgX1zamB9C0LPERtpB3izgRLToE9pKPZA1fT9gY7JBpcqySuQAcrL2Ky43PjB0RQfH1hpXvQqGgJaqzzjVt7+5mlFszEZvRuMkTv6YKQpyOu5W4hCbk9X7wfFcC5RgLGmIS6+VZHepPVcQmxE1qDP+QjKoqRn7DYTW0halz31jCFvjCiYC0bn4EhPiY90GA73HsqlbVC9JRPccygPuxr44wgUJUFYeSdvh3VZIABPltYcHZ4FS+gpBSvN0YosdzLWHUMZ62KFrK3mHwHRL9fmvoHw2M7HIPrJ52TSp0gnK9oRd58sLV9nwenAQu5yZwWnSAvOuMOJyTqZ+maBzEmddW56kXxrbKVGbdNGersrDBb9kQmd9J6CCcMsDkols2P7g5gl2ap5tAjnqsoHWmnz0oofso4xoJ1HS+SkdBzrNOXciqPltIsGtCa2RD2SeY118JED9wAEnpoAaZHtDsXju1mnh4DMTPnXN7oTSfYOmqvbnZuIt4SFiSo2bfhJdBILDCGHLChufAho2PkelT7eemqml+v87hdDjSNp6FJik0FX/mdaqRVkFnSYDpBVtpcjV4exyLOzvZXiI/AmrSNdIXGvJsCs7seAAiFpaSlPpd9QqfLB3u2iXkQDskWSDhPi9OORQuuxkMa+UQjpwwxeQot6SzJXtSRFFFS6eCJALfodS7w8axqR3x2f96tuY4KELR7IUChVOjAZag+vDY3QZAH9/8GmCmLfZUWHbtOdOx9PgmiH4YBujf2nyJ2KhCxx4gCjqZQEeG1giDWGnCcNITO9s5sy8gAF3ST3rlpXC4I9Bvt6mzj5JruIY6dotgsH/dbkzWHmuCLFobc5lCDqgEj5zcfJA3KEIQbXqvGYM+sClamtioUgvQ3m0O5PLI+wgmgnN9Nl3Iiwccthj8kE9rugbgih10eQQ5vBCoeyJPejr+AZYQk6DqM8rtC4+tgenXApVOjDxgjd28ld8/160blv+Inj8yxMWBF+rmR+OqMBeGRjNqckXLnwS940VrbTGZTRLYoSEGvtMrx5DlKs4ONNHxNW3AlWSffR9St7aRhPkABm/Fwl37AqYOmNEEX0VsA9OeBQ8HX6uD+PaCf6R42jwd96DDp3fbLHyiE7Wp8dml8AyLJQycLRUZ6M1CVuoyFqMlPcnYGIMgTld45CDKgNdHiAqFKzRzZMAHEigxbOFO36ZQpHhzLkBK9V7+uRkJNYqVzyji3pTba7wbwPXCWjYubAa/rEg8IsC9ye1MAvtQkoYB+e0yTHLYQCiUHM0XevA4L5jrplvJE4VEeGnn3IpPYWJ1WWTy8Ys1AH++FhPfjwmcU2lXE8+UIHbAt9cEk8GxdEyjqVU2ZtalyrqGUK/WabhiPysoKIkJGT8oTtUbPWrj6q899ATsmOpwXKN3JfsiHJINxWck854/Rl+m7dYpphkt7bjHue/iOK4E2kIFkxUb2hGCsC0dV58FpmKUzG6o+n3WCgtymi79RuXPYn7lTGSKqWXPhI36wvXGSZXnRdgDvDyq1NJ0gPCOjCo8/VZX5p2zoVSC1sZEO4aBrhBNWB79nTvXEBHCXmi+noNVoEbBXJuAkiVpVUWQXurd3qYhKPXnNPkkcpm0jPmyMYCxP3SozP2j3Kb3TUQy166GSS2oYmSdeXoQQPibLlazoeXhfmAF7UKOHwWKf1C1z382893ULpRiyVyAfeTMPNEGc5EUSQrQXC1nm4MLI0vXFAsMX8DjhETdzM5RDgBS1G9aqaBrJgWAH/4ABVeMqKaJHS51OBiWD2YEAI2P5Wk/0X0KnQqR5xWiy701DvKdWdLwhLPEp6em7rQfFahB9ClFoSykUS+n0mtTPlzApRNza+rL5CNl58KtQZ0tfcbDy8IS46P8DquRG9F0wVdiUlG9hgS/+RuA/LyM9lmF10uKdSm/fyeGnH+IBKwocZPvKJ2eWiEWEWrdx0YuPOQYC5HB0DkjLMee/W86sH3BdsnrbmU495
/JIpkw0JwvnkBDdycVYZj0fBTKtkkK2iXDI3fJS8BQ6Tel7y7Krofpcl0PE2GJezzqwNExaVnwK2ZiQsU843DI3YmA8EOBaRyLhFm+a; AWSELBAuthSessionCookie-1=IJpuSORQQdVVOiGwQKa0sEt+MW4uUG2kpvD51IzEYuPujAuNFetNIpbkO07vEj5H66QygZ+sJE98w8Gn7SzhZniEddYklS6pb6bVBDVHShxEHqvB0RN8YWsLFxWELidMbZ92hXyl80V2; JSESSIONID=786CA5C70CBDD087B42DFA4999685F52
dnt: 1
pragma: no-cache
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: same-origin
sec-fetch-user: ?1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
tenantId: REDACTED
client_id: REDACTED
nonce:
redirect_uri: https://REDACTED
response_mode:
response_type: code
scope: openid
state: 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
timezone: America/New_York
metaData.device.name: Mac Chrome
metaData.device.type: BROWSER
code_challenge:
code_challenge_method:
user_code:
Great, that is helpful. It does look like AWSELBAuthSessionCookie-0 and AWSELBAuthSessionCookie-1 are primarily to blame for the size of the request.
I can do some additional research into those cookies to see if there are any recommended settings to account for these cookie lengths.
If it all looks legit, we can increase our default size and / or provide some configuration.
Thanks for the excellent debug! Super helpful.
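The per-cookie attribution done by eye above can be scripted. This is an added example, not code from the thread or from FusionAuth: it totals an HTTP/1.1 request head per header and per cookie against the 8k default. The host name, cookie values and sizes in the sample are constructed filler, and the total is an estimate of what Tomcat buffers (request line plus headers).

```python
TOMCAT_DEFAULT_LIMIT = 8 * 1024  # default maxHttpHeaderSize cited in the thread

def header_budget(raw_head: bytes, limit: int = TOMCAT_DEFAULT_LIMIT) -> dict:
    """Count bytes per header and per cookie in an HTTP/1.1 request head."""
    head = raw_head.split(b"\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split(b"\r\n")
    per_header = {"(request line)": len(request_line) + 2}  # +2 for CRLF
    per_cookie = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        key = name.strip().lower().decode("latin-1")
        per_header[key] = per_header.get(key, 0) + len(line) + 2
        if key != "cookie":
            continue
        # Skip empty fragments left by a trailing ';' in the Cookie header.
        for pair in filter(None, (p.strip() for p in value.split(b";"))):
            label = pair.partition(b"=")[0].decode("latin-1")
            per_cookie[label] = per_cookie.get(label, 0) + len(pair)
    total = sum(per_header.values()) + 2  # blank line that ends the head
    return {"total": total, "limit": limit, "over_limit": total > limit,
            "per_header": per_header, "per_cookie": per_cookie}

def largest(counts: dict, n: int = 3) -> list:
    """Names of the n largest contributors, biggest first."""
    return sorted(counts, key=counts.get, reverse=True)[:n]

def build_sample(alb0_len: int = 6000, alb1_len: int = 140, state_len: int = 2400) -> bytes:
    """Constructed request shaped like the ones in this thread; values are filler."""
    cookies = "; ".join([
        "fusionauth.locale=enUS",
        "AWSELBAuthSessionCookie-0=" + "A" * alb0_len,
        "AWSELBAuthSessionCookie-1=" + "B" * alb1_len,
        "JSESSIONID=" + "0" * 32,
    ])
    lines = [
        "GET /oauth2/authorize?client_id=REDACTED&scope=openid&response_type=code&state="
        + "s" * state_len + " HTTP/1.1",
        "Host: auth.example.test",  # hypothetical host name
        "Accept: text/html",
        "Cookie: " + cookies,
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")

if __name__ == "__main__":
    report = header_budget(build_sample())
    print(report["total"], "bytes, over limit:", report["over_limit"])
    for name in largest(report["per_cookie"]):
        print(f"  cookie {name}: {report['per_cookie'][name]} bytes")
```

Feeding it the head as the backend actually receives it (after the load balancer has added its own headers) gives a better estimate than the browser's view.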
hahaha, love the rename
this is the only hiccup we've had (short of getting oauth/sso integrated with thehive, work in progress), and now it is resolved
thank you for taking this into consideration! appreciate it! we are loving this platform so far and plan to use it heavily going forward
@robotdan
My organisation just ran into this issue. It's currently affecting a whole environment and the users are unable to log in. Were there any quick fixes here?
This was fixed in version 1.17.0 which came out in June of 2020. https://fusionauth.io/docs/v1/tech/archive/release-notes#version-1-17-0
You will need to upgrade beyond this version to pick up this fix or manually update Apache Tomcat config to support a larger request header.
@robotdan From what we understand, we need to change fusionauth-app.http.max-header-size in /usr/local/fusionauth/config/fusionauth.properties. Is this something which is accessible via Terraform?
java.lang.IllegalArgumentException: Request header is too large
Description
FusionAuth running on Ubuntu 16, no other issues so far
FusionAuth is configured as the identity provider for AWS cognito for SSO on our ALBs
Requests for the magic link work fine in incognito mode every time
Getting the following error after clicking the "Login with a magic link" button after a few hours of idle time since authing
Link clicked: https://REDACTED/oauth2/authorize?client_id=REDACTED&redirect_uri=REDACTED&scope=openid&response_type=code&state=ZXlKMWMyVnlVRzl2YkVsa0lqb2lkWE10WldGemRDMHhYMmxIV0RCaGFUSk5UQ0lzSW5CeWIzWnBaR1Z5VG1GdFpTSTZJa3h2WjJsdUlpd2lZMnhwWlc1MFNXUWlPaUl6YlRWMWJESnlZV3M0Wkc4d2NYQndNMnh2WVRCMk1HZG5ieUlzSW5KbFpHbHlaV04wVlZKSklqb2lhSFIwY0hNNkx5OW5aWFIwYVc1bkxYTjBZWEowWldRdWJtVjBkMjl5YTJSbFptVnVjMlZ5WVc1blpTNXBieTl2WVhWMGFESXZhV1J3Y21WemNHOXVjMlVpTENKeVpYTndiMjV6WlZSNWNHVWlPaUpqYjJSbElpd2ljSEp2ZG1sa1pYSlVlWEJsSWpvaVQwbEVReUlzSW5OamIzQmxjeUk2V3lKdmNHVnVhV1FpWFN3aWMzUmhkR1VpT2lKMFZ6SlpWRTVxZUhWSmFHdGFTSFl5VjJVMldIRlNhR3BqWm5SSk1ESTNNRGRjWEM5M1lsbFJabFZEWlZCdU1WRnpjbkJqYm5KTFptUllTWEJCT0V4a1NVOVBZV1J1Y210V1RVSmpVMkZxTjBKUFIwYzJNbEIyTkdNNGJYTk5UMm8xYUVSVllUZHhiVGxSZFRKR1VubFphRUoyTURkWVFVeHBOV3R4VjNOUE1XNVVLMXBuZUhOQk5UQlVNSzlsWm1neFZWZHlSVTl1UTNoMFdtZG9OMWhzUm05b1FVVndXbU51WVVwTVNsQjFWMFpNZEd4SGJsTXhTVFZKVjFKNVRuRjVOelZLYzBkeGJWRm9VbFppTlNJc0ltTnZaS2ZEYUdGc2JHVnVaMlVpT201MWJHd3NJbU52WkdWRGFHRnNiR1Z1WjJWTlpYUm9iMlFpT201MWJHd3NJbTV2Ym1ObElqb2lVR05PUVhNNFYzZEdhRmx0TUhaNk0xVkljbUZ5UW1oblJWUnZNMmhKTTNkbWVraEJlRTQzU0UxcFExTk5jWE40WmpFeVpIbDNTRlZFTWtkRWVuQTJUVEI0VkVod1FuTXdSbWR3VG05NFFYbFdSMWRDTFd4Mk9VaEtUMjFQUXpGdFVYWkdlR2QwUVU1Tk1WTkdRMk5mYUU1RVEwSjZPSGxNVjI5SFRHZG1kMjFGYTFkS1VtVllVVEJHYW5SUVVXVTJUMDF6UW5kamEyNVRkVTlITmxOUlNqTlBNelJDTUhZMWExSmpJaXdpYzJWeWRtVnlTRzl6ZEZCdmNuUWlPaUp5WldOdmJpMXVaSEl1WVhWMGFDNTFjeTFsWVhOMExURXVZVzFoZW05dVkyOW5ibWwwYnk1amIyMGlMQ0pqY21WaGRHbHZibFJwYldWVFpXTnZibVJ6SWpveE5UZzRPRGsyTlRjNExDSnpaWE56YVc5dUlqcHVkV3hzTENKMWMyVnlRWFIwY21saWRYUmxjeUk2Ym5Wc2JDd2lhWE5UZEdGMFpVWnZja3hwYm10cGJtZFRaWE56YVc5dUlqcG1ZV3h6WlgwPTpEZUlBakdZYzRZZXhsTlBXeGYva29YNVYxNUc4OFMwU2tXTlIxR3lUSEY0PToz
Link sent to: https://REDACTED?tenantId=REDACTED/oauth2/passwordless&client_id=REDACTED&nonce=&redirect_uri=REDACTED%2Foauth2%2Fidpresponse&response_mode=&response_type=code&scope=openid&state=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&timezone=America%2FNew_York&metaData.device.name=Linux%20Chrome&metaData.device.type=BROWSER&code_challenge=&code_challenge_method=&user_code=
Wondering if increasing the max HTTP header size in the Tomcat server config would be a fix or a bandaid on an underlying issue
Steps to reproduce
Expected behavior
To be sent to the page with the email form to receive the magic link