Correlation/Nonce cookies accummulated causing Nginx Request Header Or Cookie Too Large

[AndyWangMSFT]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

I want to echo this Open issue:
#53048
DuendeArchive/Support#1044
as we might experience the same

Also posted on Microsoft Stackoverflow:
https://stackoverflow.microsoft.com/questions/431264

Expected Behavior

Those correlation cookie/nonce cookie should disappear after login and not accumulating in browser

Steps To Reproduce

TL,DR:

When Cookie Timeout, we can not delete the
.AspNetCore.Correlation.xxx and .AspNetCore.OpenIdConnect.Nonce.xxx cookies
(Correlation cookie and Nonce cookie)

1st login (successful):
just 3 cookies:

Then, we could modify the value to be expired (or just simply delete this cookie) - to simulate Customer having idle browser activity overnight. And next day when Customer clicked/refreshed the webpage, they will have issues with: 400 Bad Request Request Header Or Cookie Too Large

To simulate/reproduce, we could edit this AspNet Cookie to be an expired timestamp or simply delete the AspNet cookie
Then, refresh the page, login still successful, but there are extra 2 cookies:

Note: these nonce cookie and correlation cookie just add another 15mins(see Expire/Max-Age) to Last Accessed Timestamp

correlation/nonce cookie will accumulate each time you delete the one liner .ASP NET cookie and then refresh/click the page

And Eventually the nonce/correlation cookie accummulated and resulted in 400 Bad Request Request Header Or Cookie Too Large

Code:

            services.Configure<CookieAuthenticationOptions>(CookieAuthenticationDefaults.AuthenticationScheme, options =>
            {
                options.Cookie.Domain = Configuration.GetValue<string>("App:CookieDomain");
                options.Cookie.HttpOnly = true;
                options.SlidingExpiration = true;
                options.ExpireTimeSpan = TimeSpan.FromHours(1);
                options.Cookie.MaxAge = TimeSpan.FromHours(8);
                options.EventsType = typeof(CookieEventHandler); // custom cookie event handler to implement back-channel logout
                // options.DataProtectionProvider = DataProtectionProvider.Create(Constants.DataProtectionServiceName); // Include DataProtectionProvider
                 options.Events.OnSigningOut = async context =>
                 {
                     // Delete the OIDC Nonce cookies
                     foreach (var cookie in context.HttpContext.Request.Cookies)
                     {
                         if (cookie.Key.StartsWith(".AspNetCore.OpenIdConnect.Nonce."))
                         {
                             context.HttpContext.Response.Cookies.Delete(cookie.Key);
                         }
                         // Delete the Correlation cookies
                         if (cookie.Key.StartsWith(".AspNetCore.Correlation."))
                         {
                             context.HttpContext.Response.Cookies.Delete(cookie.Key);
                         }
                     }

                     await Task.CompletedTask;
                 };

            });

          options.Events.OnRemoteFailure += context =>
          {
              if (context.Request.Cookies.Count > 3)
              {
                  var cookies = context.Request.Cookies.Where(c => c.Key.StartsWith(".AspNetCore.OpenIdConnect.Nonce"));
                  var keyValuePairs = cookies as KeyValuePair<string, string>[] ?? cookies.ToArray();

                  foreach (var cookie in keyValuePairs)
                  {
                      context.Response.Cookies.Delete(cookie.Key);
                  }

                  context.Response.Redirect("/");
                  context.HandleResponse();
                  return Task.CompletedTask;
              }

              return Task.CompletedTask;
          };

Reference:
I believe this issue is similar to:

#53048
#24870

Exceptions (if any)

No response

.NET Version

8.0.403

Anything else?

[JuergenAuer]

Hi @AndyWangMSFT

that

context.HttpContext.Response.Cookies.Delete(cookie.Key);

removes the cookie from your response. It doesn't change cookies sent earlier.

If you want to remove a browser stored cookie, set the expiration in the past

_cookieObject.Expires = New DateTimeOffset(DateTime.Now()).AddYears(-10)

and send that cookie back. I'm using this to remove cookies sometimes.

[mkArtakMSFT]

Closing as a dupe of #53048
We'll reevaluate the linked issue for .NET 10

[AndyWangMSFT]

Hi @JuergenAuer

I tested below code but it still could not remove the browser cookie.

just want to check with you if we should remove the browser cookie from server side or client side. Thank you for your guidance

options.Events.OnSigningOut = async context =>
                 {
                     // Delete the OIDC Nonce cookies
                     foreach (var cookie in context.HttpContext.Request.Cookies)
                     {
                         if (cookie.Key.StartsWith(".AspNetCore.OpenIdConnect.Nonce.") ||
                             cookie.Key.StartsWith(".AspNetCore.Correlation."))
                         {
                             var cookieOptions = new CookieOptions
                             {
                                 Expires = DateTimeOffset.Now.AddYears(-10),
                                 Path = "/signin-oidc",
                                 Domain = "url for our website",
                                 SameSite = SameSiteMode.None,
                                 Secure = true
                             };
                             context.HttpContext.Response.Cookies.Append(cookie.Key, "", cookieOptions);
                         }
                     }
                     await Task.CompletedTask;
                 };

[JuergenAuer]

Hi @AndyWangMSFT

just want to check with you if we should remove the browser cookie from server side or client side. Thank you for your guidance

client-side.

I don't understand why your code doesn't work. I'm running an old application (started 2006 with NET.2), updated NET.4..., now NET.8.

Users have an option "remain signed in" / Angemeldet bleiben, that creates a cookie, so I see (FireFox) 4 cookies.

Hitting "Logout", that cookie is removed and the session cookie is replaced.

Rechecked with Chrome, same. After a login, 4 cookies, hitting logout - 3 cookies.

PS: May be an empty value is a bad idea, use "-".

[AndyWangMSFT]

Hi @mkArtakMSFT
Thanks again for your reply. We are also running on .NET 8. But my code was the code from server side.
I'm only able to print out
.AspNetCore.Cookies and ai related cookies, But NOT the Nonce cookie and Correlation cookie:

in our startup.cs

            app.Use(async (context, next) =>
            {
                var logger = context.RequestServices.GetRequiredService<ILogger<Startup>>();
                foreach (var cookie in context.Request.Cookies)
                {
                    logger.LogInformation("Andy Custom middleware Deleting Cookie Key: {Key} Value: {Value}", cookie.Key, cookie.Value);
                    if (cookie.Key.StartsWith(".AspNetCore.OpenIdConnect.Nonce.") || cookie.Key.StartsWith(".AspNetCore.Correlation."))
                    {
                        var cookieOptions = new CookieOptions
                        {
                            Expires = DateTimeOffset.Now.AddYears(-10),
                            Path = "/signin-oidc",
                            Domain = "our website",
                            SameSite = SameSiteMode.None,
                            Secure = true
                        };
                        context.Response.Cookies.Append(cookie.Key, "", cookieOptions);
                    }
                }

                await next();
            });

if (cookie.Key.StartsWith(".AspNetCore.OpenIdConnect.Nonce.") || cookie.Key.StartsWith(".AspNetCore.Correlation."))

Also, do you mind sharing your code (from Client Side or Front end) about how to delete these nonce/correlation cookies? Appreciate!
Is there any security concern to remove those cookies from client-side? thank you so much for your guidance

[FrankyCTY]

Hi @JuergenAuer

I tested below code but it still could not remove the browser cookie.

just want to check with you if we should remove the browser cookie from server side or client side. Thank you for your guidance

options.Events.OnSigningOut = async context =>
                 {
                     // Delete the OIDC Nonce cookies
                     foreach (var cookie in context.HttpContext.Request.Cookies)
                     {
                         if (cookie.Key.StartsWith(".AspNetCore.OpenIdConnect.Nonce.") ||
                             cookie.Key.StartsWith(".AspNetCore.Correlation."))
                         {
                             var cookieOptions = new CookieOptions
                             {
                                 Expires = DateTimeOffset.Now.AddYears(-10),
                                 Path = "/signin-oidc",
                                 Domain = "url for our website",
                                 SameSite = SameSiteMode.None,
                                 Secure = true
                             };
                             context.HttpContext.Response.Cookies.Append(cookie.Key, "", cookieOptions);
                         }
                     }
                     await Task.CompletedTask;
                 };

Have you invoke context.HandleResponse() to short-circuit the middleware pipeline, otherwise the default behavior will execute after your custom logic, potentially overriding your changes to cookies e.g.

For reference, I use the matched cookie key, correct path, and DateTimeOffset.UnixEpoch to evict the cookie.

    private static void DeleteCookiesWithPrefix(HttpRequest request, HttpResponse response, string prefix)
    {
        foreach (var cookieKey in request.Cookies.Keys)
        {
            if (cookieKey.StartsWith(prefix, StringComparison.Ordinal))
            {
                response.Cookies.Append(cookieKey, "", new CookieOptions
                {
                    Expires = DateTimeOffset.UnixEpoch,
                    Path = "/signin-oidc",
                });
            }
        }
    }

[JuergenAuer]

Hi @FrankyCTY

context.HttpContext.Response.Cookies.Append(cookie.Key, "", cookieOptions);

send a value back, not an empty string. Use

context.HttpContext.Response.Cookies.Append(cookie.Key, "-", cookieOptions);

No cookie value - browser may ignore the cookie.

Have you invoke context.HandleResponse() to short-circuit the middleware pipeline

I don't really use that middleware-pipeline-model.

NET.Framework-Application: I have used two Classes: System.Web.IHttpHandler and and System.Web.UI.Page, derived own classes.

But used only IHttpHandler.ProcessRequest (one single call) and the System.Web.UI.Page.New / OnInit / Load / Render. A config file (web.config) with some definitions: Path starts with /css/ - use this class ...

The NET.8-System: A minimal API, only one mapping:

_wA.Map("/{**catchall}", Async Sub(catchall As String, hWebRequest As HttpRequest, HWebResponse As HttpResponse, context As HttpContext) Await route_Endpoints(hWebRequest, hWebResponse, context, _memCache, _wA) End Sub)

The "route_Endpoints" goes to another class with some To-Dos: Open a log file, do some spam-checks, do a pre-check (starts with /css/, starts with some other special names, ends with .html), then per type calling the "old functions" ProcessRequest or New/OnInit/Load/Render.

With this ideas, sending a cookie with a value and -10 years removes the client side stored cookie. Checked with FF and Chrome.