php apache http mod-rewrite shibboleth

mod_rewrite stripping long values from HTTP header


I'm using OpenAthensSP to return IdP metadata that can potentially access our service. OpenAthensSP returns this data in the form of environment variables in the HTTP(s) header, which we then read in PHP (from $_SERVER).

So far so good.

However, when mod_rewrite is used to rewrite the URL that is called by OpenAthens, the metadata (i.e., the environment variables from OpenAthens contained in the HTTP header) is stripped out. I have shown this in side-by-side testing: directly calling a PHP script (metadata present) vs rewriting the URL to the exact same PHP (metadata stripped, but other values e.g. cookies present and unchanged). The values that are stripped out have very long values (too long to sociably paste here - more than 100k) - that's the only potential problem I can see. The values are correctly URL encoded.

I have tried setting things like LimitRequestFieldSize and LimitRequestLine in Apache but they don't have any effect, so I think the problem must lie with mod_rewrite.

So the question, essentially, is:

How can I keep very long values intact in the HTTP header while still using mod_rewrite?

The current solution I have is not great; I have had to do this (httpd.conf fragment from VirtualHost section):

# /discovery is the URL called by OpenAthens to supply us IdP metadata
RewriteCond %{REQUEST_URI} ^/discovery [NC]
RewriteRule .* - [L]
# ... other rewrites here to send (nearly) everything else to index.php ...
ErrorDocument 404 /index.php

This way, index.php receives the "/discovery" request and, lo and behold, the lengthy values in $_SERVER are present and correct, although a 404 is triggered, which needless to say is ugly and hacky.

What I can't do is simply send the output from OpenAthens directly to a valid page (e.g., discovery.php) because the metadata is needed to populate a login form that has to exist within the PHP framework being used - which has to start off with index.php.

(In case it matters: this is on CentOS 5.6 / Apache 2.2.3)


Solution

  • As someone who's used OpenAthensSP quite a bit, I know that the data is passed in the Apache sub-process environment, not the HTTP header - it never goes to the user's client. This also explains why LimitRequestFieldSize and LimitRequestLine don't have any effect - they only apply to the HTTP request header. I suspect what's happening is that your rewrite rules are interfering with the request in some way. If they're creating an internal request, you might have better luck using the apache_getenv function in PHP rather than relying on $_SERVER variables.
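
The lookup suggested in the answer above, as an added example that is not part of the original post or of OpenAthensSP: when a rewrite does cause an internal redirect, Apache carries environment variables over with a `REDIRECT_` prefix, so the helper checks the plain name, the prefixed names, and then `apache_getenv`. It assumes PHP 7.1+ and uses a hypothetical variable name, `EXAMPLE_IDP_METADATA`, and a hypothetical helper name, `sp_env`.

```php
<?php
// Added example. EXAMPLE_IDP_METADATA is a hypothetical name; substitute
// the variable your SP module actually sets.

/**
 * Read a value that an Apache module placed in the request environment,
 * tolerating internal redirects caused by mod_rewrite or ErrorDocument.
 */
function sp_env(string $name, int $maxRedirects = 5): ?string
{
    // $_SERVER keys starting with HTTP_ are built from client request
    // headers, so they are never accepted as SP-provided attributes.
    if (strncmp($name, 'HTTP_', 5) === 0) {
        return null;
    }

    // Direct request: the variable appears under its own name.
    // Each internal redirect renames it with one more REDIRECT_ prefix.
    $key = $name;
    for ($i = 0; $i <= $maxRedirects; $i++) {
        if (isset($_SERVER[$key]) && is_string($_SERVER[$key]) && $_SERVER[$key] !== '') {
            return $_SERVER[$key];
        }
        $key = 'REDIRECT_' . $key;
    }

    // mod_php only: ask Apache directly. With walk_to_top = true the
    // top-level (original) request's environment is consulted.
    if (function_exists('apache_getenv')) {
        foreach ([false, true] as $walkToTop) {
            $value = apache_getenv($name, $walkToTop);
            if (is_string($value) && $value !== '') {
                return $value;
            }
        }
    }
    return null;
}

// Constructed demonstration: simulate what index.php could see after one
// internal redirect, next to a header of the same name sent by a client.
$_SERVER['REDIRECT_EXAMPLE_IDP_METADATA'] = 'constructed-sample-value';
$_SERVER['HTTP_EXAMPLE_IDP_METADATA'] = 'constructed-client-header';

var_dump(sp_env('EXAMPLE_IDP_METADATA'));      // resolved through the REDIRECT_ prefix
var_dump(sp_env('HTTP_EXAMPLE_IDP_METADATA')); // refused: header-derived key
```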