Welcome Guest, Not a member yet? Register   Sign In
Too many cookies in http header
#1

(This post was last modified: 02-21-2020, 07:45 AM by php_rocs.)

I'm helping a web developer with an issue. For all we know it's been happening for years and just now came to light because of a CloudFlare appliance that is now flagging things because the http header is too large.  What we've found so far is that more cookies are being delivered in the header than there should be.  There should be only one.  When I watch the cookies in the Chrome Developer there's only one cookie being sent to the browser. But, in the http header there are many.  An example is below but I shortened the cookies to save space.  This example had 6, other pages have more. I'm not sure what the maximum is but total bytes are the problem for CloudFlare.  One session we analyzed had 36 KB in the header vs. the 8 KB allowed by CloudFlare.

I also think the site is running a very old version of CodeIgniter.  Likely v1.x and upgrading that isn't an option at this time. (I will be an option this summer.)

Anybody have any suggestions?

Thanks!

-Farren


HTTP/1.1 200 OK
Date: Thu, 20 Feb 2020 17:31:55 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
X-Powered-By: PHP/5.6.40
Set-Cookie: auth_cookie=1d316b6aca274faaf02b84f26c0af979; expires=Thu, 20-Feb-2020 19:31:55 GMT; Max-Age=7200; path=/; secure
Access-Control-Allow-Origin: cbgrad.com
Set-Cookie: cisession=E8%2Fx%; expires=Thu, 27-Feb-2020 17:31:55 GMT; Max-Age=604800; path=/; secure; httponly
Set-Cookie: cisession=Ik0ohGO; expires=Thu, 27-Feb-2020 17:31:55 GMT; Max-Age=604800; path=/; secure; httponly
Set-Cookie: cisession=1bB2p7Z; expires=Thu, 27-Feb-2020 17:31:55 GMT; Max-Age=604800; path=/; secure; httponly
Set-Cookie: cisession=bO284kF; expires=Thu, 27-Feb-2020 17:31:55 GMT; Max-Age=604800; path=/; secure; httponly
Set-Cookie: cisession=2ByxN9r; expires=Thu, 27-Feb-2020 17:31:55 GMT; Max-Age=604800; path=/; secure; httponly
Set-Cookie: cisession=BMIliRN; expires=Thu, 27-Feb-2020 17:31:55 GMT; Max-Age=604800; path=/; secure; httponly
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Reply
#2

Set-Cookie and Cookie are not the same headers.

Set-Cookie headers come from the server and tell the client to store a cookie.
With every new request to the server, the browser will send back all previously-stored cookies to the server using the Cookie header.

While there can be only one Cookie header, it may contain a large number of name=value pairs, each representing another cookie. It depends on the user agent, but RFC 6265 suggests a limit of at least 3000. But this is in reference to browsers and Cloudflare obviously feels different about their "appliance".

If you are only seeing one from the list in your post it is probably because they all have the same name. As the name serves as the index into the cookie array you're only going to have one value assigned to that index.

I believe that Cloudflare limits headers to protect against certain DOS attacks. I thought the limit was 32KB, not 8KB. But I'm no Cloudflare expert.

All that said, I'm sorry to say I don't know how to help you. It looks like all those set-cookie headers are related to sessions so you might look through the code for superfluous attempts to create sessions.
Reply
#3

(02-20-2020, 07:13 PM)Farren Wrote:
I'm helping a web developer with an issue. For all we know it's been happening for years and just now came to light because of a CloudFlare appliance that is now flagging things because the http header is too large.  What we've found so far is that more cookies are being delivered in the header than there should be.  There should be only one.  When I watch the cookies in the Chrome Developer there's only one cookie being sent to the browser. But, in the http header there are many.  An example is below but I shortened the cookies to save space.  This example had 6, other pages have more. I'm not sure what the maximum is but total bytes are the problem for CloudFlare.  One session we analyzed had 36 KB in the header vs. the 8 KB allowed by CloudFlare.

I also think the site is running a very old version of CodeIgniter.  Likely v1.x and upgrading that isn't an option at this time. (I will be an option this summer.)

Anybody have any suggestions?

Thanks!

-Farren


HTTP/1.1 200 OK
Date: Thu, 20 Feb 2020 17:31:55 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
X-Powered-By: PHP/5.6.40
Set-Cookie: auth_cookie=1d316b6aca274faaf02b84f26c0af979; expires=Thu, 20-Feb-2020 19:31:55 GMT; Max-Age=7200; path=/; secure
Access-Control-Allow-Origin: cbgrad.com
Set-Cookie: cisession=E8%2Fx%; expires=Thu, 27-Feb-2020 17:31:55 GMT; Max-Age=604800; path=/; secure; httponly
Set-Cookie: cisession=Ik0ohGO; expires=Thu, 27-Feb-2020 17:31:55 GMT; Max-Age=604800; path=/; secure; httponly
Set-Cookie: cisession=1bB2p7Z; expires=Thu, 27-Feb-2020 17:31:55 GMT; Max-Age=604800; path=/; secure; httponly
Set-Cookie: cisession=bO284kF; expires=Thu, 27-Feb-2020 17:31:55 GMT; Max-Age=604800; path=/; secure; httponly
Set-Cookie: cisession=2ByxN9r; expires=Thu, 27-Feb-2020 17:31:55 GMT; Max-Age=604800; path=/; secure; httponly
Set-Cookie: cisession=BMIliRN; expires=Thu, 27-Feb-2020 17:31:55 GMT; Max-Age=604800; path=/; secure; httponly
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

The session lib is in codeigniter 1 and 2 bad.

- update the framework from 1 to 3 (or 4)
- use the session lib from 3
Reply




Theme © iAndrew 2016 - Forum software by © MyBB