Claims Stored in Cookies Exceed Max Request Header Length

I have an ASP.NET Core 2.0 website using the vanilla implementation for authentication/authorization using Identity and cookies (not using OpenID Connect). I have a set of 20 roles, each of which could potentially have hundreds of claims used to permission access to site pages/features (using Authorize to decorate controller methods). I want to be able to control access to these pages/features without recompiling the site every time a change is needed; instead I allow admins to add/remove role claims directly through the site. For some reason I am hitting a ceiling based on the number of claims projected onto the user's identity.

I'm receiving an error

HTTP Error 400. The size of the request headers is too long

Any idea why I would be receiving this message? What is the best practice to store/access these claims to be used with authorization?



Solution 1:[1]

Got the same problem on a Windows server. I had to resort to a registry setting.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters

MaxFieldLength (DWORD) Decimal value 65534

MaxRequestBytes (DWORD) Decimal value 16777216

https://support.microsoft.com/en-ca/help/820129/http-sys-registry-settings-for-windows

Solution 2:[2]

This problem is resolved by configuring CookieAuthenticationOptions to use Session Store. The following link explains "Auth Cookies in ASP.NET Core" and its configuration options in detail.

Click Here

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 i3arnon
Solution 2 iman ghasemi