Issue with large HTTP headers for ECP authentication

Cantor, Scott cantor.2 at osu.edu
Tue Dec 11 20:23:07 EST 2018


On 12/11/18, 6:35 PM, "Cantor, Scott" <cantor.2 at osu.edu> wrote:

> I hadn't realized the LDAP authentication results included the attributes returned during authentication, hadn't
> considered that possibility. But even if it does, why would that bloat the cookies? They'd have some fixed size increase
> of course, but it wouldn't grow over time.

This seems like the most interesting aspect to me. I think the client here would have to be doing something unusual and inconsistent, like returning that one cookie but not others (in particular the main session cookie), causing it to keep issuing new sessions and storing them in the blob without overwriting or replacing the existing session records.

If that's true, you're buying time but not really fixing the problem with this solution; it should eventually creep back up, though it's possible that would be counteracted by the sessions timing out soon enough to avoid it being noticeable. But it's still not good behavior by the client, certainly.

-- Scott
