
mod_auth_openidc_state cookies increasing rapidly #108

Closed
wint00 opened this issue Dec 7, 2015 · 6 comments

Comments

@wint00

wint00 commented Dec 7, 2015

I'm using a single OpenIDC server to connect to a load balanced backend nodejs app using ROUTEID for session affinity. This works for some time but then at times (don't know what triggers it) I get tons of cookies like this: mod_auth_openidc_state_1wxkjdkjsfksd. This eventually leads to the user being denied access to the site due to 'Size of request header field exceeds limit'. I have set the limit really high (32KB) but I still get it. Any ideas how I can fix the issue? I'm on Ubuntu 15.10 and apache 2.4 w/ mod_auth_openidc 1.6.0

Here is my config:

```apache
<VirtualHost *:80>
   ServerName foo.bar.com
   Redirect permanent / https://foo.bar.com/
</VirtualHost>

<VirtualHost _default_:443>
   ServerName foo.bar.com
   ServerAdmin ops@bar.co
   DocumentRoot /var/www/html
   Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
   Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
   SetEnvIf Origin "^(.*\.bar\.co)$" ORIGIN_SUB_DOMAIN=$1
   Header set Access-Control-Allow-Origin "%{ORIGIN_SUB_DOMAIN}e" env=ORIGIN_SUB_DOMAIN
   Header unset Content-Security-Policy
   Header always set Access-Control-Allow-Credentials "true"
   RequestHeader set X-Forwarded-Proto "https"
   LimitRequestFieldSize 9999999

   SSLEngine on
   SSLCertificateFile /etc/apache2/ssl/private/bar.crt
   SSLCertificateChainFile /etc/apache2/ssl/private/intermediate.crt
   SSLCertificateKeyFile /etc/apache2/ssl/private/bar.key
   SSLProtocol             TLSv1.1 TLSv1.2
   SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
   SSLHonorCipherOrder     on
   SSLCompression          off
   RequestHeader set x-bar-proxy-secret "xxxxxxxxxxxxxxx"

   OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
   OIDCClientID xxxxxxxxxxxxxxx.apps.googleusercontent.com
   OIDCClientSecret xxxxxxxxxxxxxxx

   OIDCScope "openid email profile"
   OIDCRedirectURI https://foo.bar.com/oauth2callback
   OIDCCryptoPassphrase xxxxxxxxxxxxxxx

   OIDCSessionInactivityTimeout 86400

   OIDCCookiePath /

   OIDCAuthRequestParams hd=bar.co
   OIDCRemoteUserClaim email
   OIDCAuthNHeader X-Forwarded-User

   LogLevel info

   <Proxy balancer://http-foo>
      BalancerMember http://bar-app-00.c.bar-prod.internal:1080 route=1
      BalancerMember http://bar-app-01.c.bar-prod.internal:1080 route=2
      BalancerMember http://bar-app-02.c.bar-prod.internal:1080 route=3
      BalancerMember http://bar-app-03.c.bar-prod.internal:1080 route=4

      ProxySet lbmethod=byrequests
      ProxySet stickysession=ROUTEID
   </Proxy>

   <Proxy balancer://ws-foo>
      BalancerMember ws://bar-app-00.c.bar-prod.internal:1080 route=1
      BalancerMember ws://bar-app-01.c.bar-prod.internal:1080 route=2
      BalancerMember ws://bar-app-02.c.bar-prod.internal:1080 route=3
      BalancerMember ws://bar-app-03.c.bar-prod.internal:1080 route=4

      ProxySet lbmethod=byrequests
      ProxySet stickysession=ROUTEID
   </Proxy>

   RewriteEngine On
   RewriteCond %{REQUEST_URI}  ^/socket.io            [NC]
   RewriteCond %{QUERY_STRING} transport=websocket    [NC]
   RewriteRule /(.*) balancer://ws-foo/$1 [P,L]

   ProxyPreserveHost on
   ProxyPass / balancer://http-foo/
   ProxyPassReverse / balancer://http-foo/
   ProxyPass /socket.io/ balancer://ws-foo/socket.io/
   ProxyPassReverse /socket.io/ balancer://ws-foo/socket.io/

   ProxyRequests     Off
   AllowEncodedSlashes NoDecode

   <Location />
      AuthType openid-connect
      Require ip xx.xx.xx.xx
      Require claim hd:bar.co
      Require valid-user
   </Location>

</VirtualHost>
```
@zandbelt

zandbelt commented Dec 7, 2015

You have to look into your client code: apparently it fires a large number of (possibly parallel) unauthenticated requests to your protected site. It would be better to first authenticate the user before doing those requests.

@zandbelt

zandbelt commented Dec 7, 2015

And that all apparently happens after the session times out. It may be worth looking into the OIDCSessionInactivityTimeout and OIDCSessionMaxDuration settings.

@zandbelt

Any update on this? Related to this is #113, where we're testing some improvements; if there's no further update I'll close this ticket.

@wint00

wint00 commented Jan 30, 2016

For me at least, OIDCUnAuthAction was what was needed to make this work. Thank you.

@zandbelt

OK, so that was a matter of a large number of unauthenticated requests to an endpoint that was protected with OpenID Connect which shouldn't have been configured in that way. Thanks.
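The following is an added example, not configuration from the issue author or from the mod_auth_openidc project, illustrating the diagnosis and the OIDCUnAuthAction fix discussed above. With the default unauthenticated action (`auth`), every unauthenticated request starts a new authorization request and sets its own `mod_auth_openidc_state_<id>` cookie, so a burst of parallel XHR or WebSocket calls after a session expiry fills the cookie jar until the request header limit is hit. The paths `/api/` and `/socket.io/` are assumed to be the endpoints the page's script calls; the value `401` is a real OIDCUnAuthAction value (`pass` also exists). These `<Location>` blocks are meant to replace the single `<Location />` block in the author's VirtualHost; the OIDC* provider and client directives stay as they are.

```apache
# Added example (not from the issue or the project). Hypothetical paths:
# /api/ and /socket.io/ are the endpoints called from the browser's script.

# --- Before: everything, including script-driven endpoints, uses the default
# OIDCUnAuthAction (auth). Each unauthenticated request redirects to the
# provider and sets a fresh mod_auth_openidc_state_<id> cookie, so N parallel
# calls after session expiry leave N state cookies behind.
<Location />
   AuthType openid-connect
   Require valid-user
</Location>

# --- After: only top-level page navigation triggers the redirect flow.
# Script-driven endpoints answer 401 instead of starting a new login, so no
# state cookie is set for them; the client can react to the 401 by reloading
# the top-level page, which performs exactly one login.
<Location />
   AuthType openid-connect
   Require valid-user
</Location>

<Location /api/>
   AuthType openid-connect
   OIDCUnAuthAction 401
   Require valid-user
</Location>

<Location /socket.io/>
   AuthType openid-connect
   OIDCUnAuthAction 401
   Require valid-user
</Location>
```

To verify the change, request `/api/` from a client with no session cookie and check the response: it should be a `401` with no `Set-Cookie: mod_auth_openidc_state_...` header, whereas `/` should still return a `302` to the provider with one state cookie. Raising `LimitRequestFieldSize`, as in the original config, only defers the symptom; the number of state cookies keeps growing until the unauthenticated endpoints stop triggering new authorization requests.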
