Anyone faces Randomly Bad Request from Client?

[taojing10]

It is randomly happen and can be fixed by remove state_xxx cookie.
v1.8.8

[zandbelt]

I'd suggest to use a recent release

[ryanblackmore]

I had constant problems with a pre 2.x.x. release with state cookies and Bad Request errors for clients (our servers were on CentOs/httpd and we migrated to Ubuntu/apache just to more easily make use of current releases of mod_auth_openidc). After upgrading, applying the suggestions listed here greatly reduced the number of Bad Requests we hear about (though it still happens sometimes and I've figured out why): https://github.com/zmartzone/mod_auth_openidc/wiki/Cookies

In particular to use the config option OIDCStateMaxNumberOfCookies 7 true you need a recent release.

[ryanblackmore]

As the maintainer said, we use OIDCUnAuthAction for non-user facing resources, so our Apache site conf has this:

    #Attempting to fix overflow cookie issue caused by too many non-authenticated requests
    <LocationMatch ^.*autocomplete.*$>
      OIDCUnAuthAction 401
    </LocationMatch>
    <LocationMatch ^.*\.js($|\?.*$)>
      OIDCUnAuthAction 401
    </LocationMatch>
    <LocationMatch ^.*\.css($|\?.*$)>
      OIDCUnAuthAction 401
    </LocationMatch>
    <LocationMatch ^/system/ajax$>
      OIDCUnAuthAction 401
    </LocationMatch>

If you're trying to replicate the issue with 1.x.x to see what's happening, I was able to replicate it with, roughly, the following steps (this is from memory, so you might have to adjust it to get it to work):

1. Open multiple browser tabs of your site. For good measure have twenty tabs open.
2. In a separate tab log out of your application
3. Force crash your browser (with Chrome you can use chrome://inducebrowsercrashforrealz )
4. Open up your browser, confirm you want to restore tabs and click through them without logging in.

Most of the time this would result in a Bad Request error that can only be resolved with a browser cache clear. I think an approximate real world equivalent is a user with multiple tabs open or a page with numerous resource requests within it being restored or used after an expired session.

[taojing10]

My situation is we have ProxyPass for APIs, once the APIs timeout, it will generate state cookie and cause the problem

[taojing10]

And you are right, after upgraded the latest version and limit 7 true it reduced the bad request cases, but it still happened for some users, wondering if any way to fix it.

[zandbelt]

there is, it is documented here: https://github.com/zmartzone/mod_auth_openidc/wiki/Cookies#state-cookies-are-piling-up but you'll need to analyze your app to configure the right URLs/Locations with the right `OIDCUnAuthAction" primitives

[taojing10]

After some testing today, I found:

1. The cookies piling up is because the proxypass, we validate the users on proxypass and if we manually delete session and reload a page which sends request to proxy directly, the state cookies will pile up, it can be fixed by using OIDCUnAuthAction pass which is not a solution for us.
2. If I make OIDCUnAuthAction 407, the chrome returns failed:net::ERR_UNEXPECTED_PROXY_AUTH instead of 407, not sure it is because proxy.
3. OIDCUnAuthAction auth true sounds like the solution for us, it will redirects users to auth url. But for some reason it blocked by CROS errors.

I will do more research to understand why.

[taojing10]

A question comes out. If I deleted the session cookie, and reopen the page to send a new request to server, will server validate the session first then bypass the request? the current the behavior seems not. (Chrome cached the html file so no request to /, it only send request to proxy server which is /apis in example. Which cause the states and problem.

Example config is:

<VirtualHost *:8080>

     <Location / >
        AuthType openid-connect
        Require valid-user
    </Location>

    <Location /apis>
        ProxyPass xxx
        ProxyPassReverse xxx
    </Location>

</VirtualHost>

[taojing10]

If I send request to /apis/xxx, looks like it go into /apis first and find out session is not exist. Can we make validate before go into proxypass? Or maybe I misconfigged.

[taojing10]

Ok, if I put no-cache, it will fire request to / first, but these resources under /apis/xxx still not validate the session first.

[taojing10]

Looks like OIDCUnAuthAction 401 fixed the issue, lets see.

[taojing10]

Hi @zandbelt is there anyway to remove all state cookie when users get the session cookie? I feel sometimes it did but sometime not.

[zandbelt]

no, there's no way to do that and it is not really possible because of parallel logins and resulting race conditions

[taojing10]

any special reason we are make state cookie as session? Would make it as regular cookies with expiration time(we have setup a expire as 5 mins) better?

[zandbelt]

not really: there's at least one browser that does (or did not) honor the expiry timestamp correctly, one would depend on the browser to do that, but moreover: when having a longer expiry time (and many users set those because they want to extend the time that a user can take to login) those cookies would survive a restart so even that could not be a solution anymore; but, https://github.com/zmartzone/mod_auth_openidc/wiki/Cookies explains the rationale

[zandbelt]

and my last comment to this topic: really all those state cookie suggestions are shallow half-baked workarounds for what the actual problem is, as explained in the page above as well