IdentityServer / IdentityServer2

[deprecated] Thinktecture IdentityServer is a light-weight security token service built with .NET 4.5, MVC 4, Web API and WCF.

Header Size #844

Closed bridgethuck closed 9 years ago

bridgethuck commented 9 years ago

So, we have an application firewall appliance blocking a response in our IdentityServer because the header is too big:

Cookie header length(4143) is greater than maximum allowed(4096)

I am going to work with our web admin to increase the size Netscaler allows for our URL but was wondering if you have a recommended size or if I should just max it out (which I believe is 64KB in Windows/IIS).

Thanks, Bridget

brockallen commented 9 years ago

Well, you should limit what claims you put into the cookie. If you need more claims in the app, then look them up dynamically based upon the claims from the cookie.

bridgethuck commented 9 years ago

Thanks Brock!

Oddly enough this is when using the thinktecture IdentityServer admin console application when doing configuration changes or adding other users. Whenever I make a change to a RP or IP or reset a user password, it blocks the "successful" message coming back as the header cookie is too large. In my thinking none of them would be much bigger than this one (4143) so maybe I just request the web admin to double the size allowed. The two blocks they found were just a couple hundred over the limit. I started with you because the process and paperwork for these updates to shared appliances like the Netscaler at my company are very painful and can take weeks and I am hoping to do this once and not have to look back. That might just be my wishful thinking though.

Thanks, Bridget

brockallen commented 9 years ago

Try an incognito window -- I don't know if the issue is from a single cookie or many cookies.
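
Two questions come up in this thread: whether the 4096-byte limit is blown by one oversized session cookie or by the sum of many cookies, and how far the claims-heavy cookie is over. The script below is an added example, not code from the issue or from the IdentityServer2 project; it parses a Cookie request header (the sample header is constructed, with WIF-style chunked FedAuth/FedAuth1 cookies and lengths chosen to land just over the limit), groups chunked cookies under their base name, and reports per-cookie and total sizes against the appliance limit.

```python
# Added example (not from the issue or the IdentityServer2 project): size up a
# Cookie header, grouping chunked session cookies (FedAuth, FedAuth1, ...) so a
# reader can see whether one cookie or the combined header exceeds a proxy limit.
import re
from collections import OrderedDict

MAX_COOKIE_HEADER = 4096  # the Netscaler limit quoted in the issue

# Constructed sample: one session cookie split into two chunks plus two small cookies.
SAMPLE_HEADER = "; ".join([
    "ASP.NET_SessionId=abc123",
    "FedAuth=" + "A" * 2000,
    "FedAuth1=" + "B" * 2100,
    "__RequestVerificationToken=" + "C" * 40,
])

def parse_cookie_header(header):
    """Return an ordered dict of cookie name -> value from a Cookie header value."""
    cookies = OrderedDict()
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies

def group_chunks(cookies):
    """Group chunked cookies (Name, Name1, Name2, ...) under their base name."""
    groups = OrderedDict()
    for name, value in cookies.items():
        m = re.fullmatch(r"(.*?)(\d+)", name)
        # only treat a trailing number as a chunk index if the base cookie exists
        base = m.group(1) if m and m.group(1) in cookies else name
        groups.setdefault(base, []).append((name, value))
    return groups

def analyze(header, limit=MAX_COOKIE_HEADER):
    """Return (total_bytes, {base: bytes}, [bases over the limit on their own])."""
    total = len(header.encode("utf-8"))
    sizes = OrderedDict()
    for base, chunks in group_chunks(parse_cookie_header(header)).items():
        # count name, '=', value and the '; ' separator for every chunk
        sizes[base] = sum(len(n) + 1 + len(v) + 2 for n, v in chunks)
    over = [b for b, s in sizes.items() if s > limit]
    return total, sizes, over

if __name__ == "__main__":
    total, sizes, over = analyze(SAMPLE_HEADER)
    print(f"total {total} bytes (limit {MAX_COOKIE_HEADER}); oversized on their own: {over}")
    for base, size in sizes.items():
        print(f"  {base:<28} {size:>5} bytes")
```

Feed it the Cookie header copied from the blocked request (browser dev tools or the appliance log) to see which cookie to shrink; a single base name over the limit points at the claims in that session cookie rather than at cookie sprawl.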

bridgethuck commented 9 years ago

I think I am good...we are going to double the size of the header cookie. I do pretty much always use incognito since I have many users I test with and have to start clean every time.

Thanks for your fast responses! Have a great day!

Bridget