
Can we increase http header size beyond 64kb in Windows


I have a situation where the HTTP Authorization request header size is more than 64kb (approximately 90kb) for a particular user. The reason for the large size is that the header contains a bearer token, and the user who initiated the HTTP request has a lot of claims.

The problem is for this particular user the web server always returns an error stating:

"HTTP Error 400. The size of the request headers is too long".

The web application is self-hosted in a console application using Microsoft Owin, so IIS is not involved.

While looking into the issue, I came across the http.sys parameters with this table (excerpted):

Registry key    | Default | Valid value range                 | Registry key function
----------------|---------|-----------------------------------|-------------------------------------------------------------------------------
MaxFieldLength  | 16384   | 64 - 65534 (64k - 2) bytes        | Sets an upper limit for each header. See MaxRequestBytes. This limit translates to approximately 32k characters for a URL.
MaxRequestBytes | 16384   | 256 - 16777216 (16 MB) bytes      | Determines the upper limit for the total size of the Request line and the headers. Its default setting is 16 KB. If this value is lower than MaxFieldLength, the MaxFieldLength value is adjusted.

It shows that the maximum value for MaxFieldLength is 64kb, which is the maximum header length handled by http.sys, and my server is set to the maximum value, i.e. 65,536.

I tried increasing the value further to 131,072 out of curiosity, but as expected it did not solve the issue.

So is there any other way to increase the header maximum length?


Solution

  • After realizing that there is no possible solution from the http.sys server for increasing the size limit beyond the stated maximum, the following solution has been implemented to overcome the problem at hand.

    Disclaimer: It is more of a workaround than a proper solution.

    Create a new version (v2, because these are breaking changes) of the existing controllers with the following changes:

    • Convert every GET request into a POST request and pass any applicable query parameters as key value pairs in request body.
    • Add an additional key "access_token" in each request body with the value of the bearer token for handling authorization. Ignored for unprotected endpoints.
    • Update documentation and inform all the end users about the changes done with lucid examples.
    • Decorate old version with "Deprecated" tag.
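As an added example (not code from the question or the answer above): a hypothetical OWIN middleware that reads the "access_token" key from a JSON POST body and sets it as the Authorization header in-process, after http.sys has already accepted the request, so the existing bearer-token middleware and [Authorize] attributes need no change. The class name BodyTokenMiddleware and the JSON body shape are assumptions; the token never travels as a header, so MaxFieldLength and MaxRequestBytes (request line and headers only) do not apply to it.

```csharp
using System;
using System.IO;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;
using Owin;

// Hypothetical middleware: copies "access_token" from a JSON POST body into the
// Authorization header so downstream OAuth bearer middleware sees a normal token.
public class BodyTokenMiddleware : OwinMiddleware
{
    public BodyTokenMiddleware(OwinMiddleware next) : base(next) { }

    public override async Task Invoke(IOwinContext context)
    {
        var request = context.Request;
        bool isJsonPost = request.Method == "POST"
            && request.ContentType != null
            && request.ContentType.StartsWith("application/json", StringComparison.OrdinalIgnoreCase);

        // Only act when the client did not already send a (small enough) header.
        if (isJsonPost && string.IsNullOrEmpty(request.Headers["Authorization"]))
        {
            string body;
            using (var reader = new StreamReader(request.Body, Encoding.UTF8, false, 4096, leaveOpen: true))
                body = await reader.ReadToEndAsync();

            // Rewind by replacing the body so Web API model binding can still read it.
            request.Body = new MemoryStream(Encoding.UTF8.GetBytes(body));

            try
            {
                var token = JObject.Parse(body)["access_token"]?.Value<string>();
                if (!string.IsNullOrEmpty(token))
                    request.Headers.Set("Authorization", "Bearer " + token);
            }
            catch (JsonReaderException) { /* not JSON: leave the request unauthenticated */ }
        }

        await Next.Invoke(context);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.Use<BodyTokenMiddleware>();       // must run before the bearer middleware
        // app.UseOAuthBearerAuthentication(...) and app.UseWebApi(config) follow here.
    }
}
```

The body is buffered in memory once per request; that is the cost of letting the token be read here and the model binder read it again.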