Bad Request - Your browser sent a request that this server could not understand

Hello Support Team,

We are experiencing intermittent “Bad Request” errors with our Open OnDemand 4.0 setup, which uses SAML authentication via mod_auth_mellon.

Users are randomly redirected to the [servername]/mellon/postResponse URL with the error message: “Your browser sent a request that this server could not understand.”

After removing the cookies, it works again. Also, it seems to happen more frequently when using one specific alias of the server.

We are seeking guidance on further debugging steps or potential fixes for this issue. Any insights or similar experiences would be greatly appreciated.

Hello!

Could you check your /var/log/httpd/ file for the error - more information about why it’s a bad request should be there.

Also, I did some digging and found we have seen a similar issue before, and there’s a topic on it in Discourse. In short, you can decrease oidc_state_max_number_of_cookies (read about that here) to significantly reduce the prevalence of this error. There is also another user at the end of this thread who found a solution by configuring the header field size limit in Apache and creating a file for nginx; we haven’t tested this solution ourselves, however.

Hello!

I checked the /var/log/httpd/ file and found the following errors:

[Mon Feb 24 16:28:33.476594 2025] [auth_mellon:warn] [pid 2491182:tid 2491356] [client 172.25.66.22:52501] User has disabled cookies, or has lost the cookie before returning from the SAML2 login server.
[Mon Feb 24 16:30:11.096415 2025] [auth_mellon:error] [pid 2502032:tid 2502123] [client 172.25.66.22:52579] Untrusted hostname in redirect URL: https://example.com/pun/sys/dashboard
[Mon Feb 24 16:30:11.096439 2025] [auth_mellon:error] [pid 2502032:tid 2502123] [client 172.25.66.22:52579] Invalid target domain in logout response RelayState parameter.

Regarding the oidc_state_max_number_of_cookies parameter, it appears to be related to OpenID, while we are using auth_mellon. Therefore, this solution might not be applicable to our setup.

I appreciate the suggestion about configuring the header field size limit in Apache and creating a file for nginx. Although we haven’t tested this solution ourselves, it might be worth exploring further.

Thank you for your help!
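For readers following this thread, the two symptoms it records map onto two separate Apache settings. A 400 “Bad Request” on a SAML-protected site is most often Apache refusing a single request header (the Cookie header, which grows with every mod_auth_mellon session cookie) longer than LimitRequestFieldSize, whose default is 8190 bytes; when that happens the error log carries the line “request failed: error reading the headers”, which is worth grepping for alongside the auth_mellon lines quoted above. The “Untrusted hostname in redirect URL” and “Invalid target domain in logout response RelayState parameter” errors come from mod_auth_mellon’s MellonRedirectDomains check, which by default only allows redirects back to the hostname the request arrived on ([self]); a user who authenticates on one alias and is returned to another will trip it. The fragment below is an added example, not the original poster’s configuration or anything shipped by Open OnDemand or mod_auth_mellon; the hostnames, file paths and the chosen 16380-byte limit are placeholders, and the link between the alias and the redirect error is an assumption drawn from the log lines, not something the thread confirms.

```apache
# Added example (not from the thread). Placeholder hostnames and paths.

# 1. Request header size. Apache rejects any single header longer than
#    LimitRequestFieldSize (default 8190) with 400 Bad Request and logs
#    "request failed: error reading the headers". Session cookies set by
#    mod_auth_mellon all ride in one Cookie header, so raising this limit
#    reduces the 400s. Must be set at server scope or in the VirtualHost,
#    not inside <Location>.
LimitRequestFieldSize 16380
LimitRequestLine      16380

<VirtualHost *:443>
    ServerName  ondemand.example.org
    # The alias the original poster mentions (placeholder name).
    ServerAlias ondemand-alias.example.org

    <Location />
        MellonEnable           "auth"
        MellonSPPrivateKeyFile /etc/httpd/mellon/sp-key.pem
        MellonSPCertFile       /etc/httpd/mellon/sp-cert.pem
        MellonSPMetadataFile   /etc/httpd/mellon/sp-metadata.xml
        MellonIdPMetadataFile  /etc/httpd/mellon/idp-metadata.xml
        MellonEndpointPath     /mellon

        # Keep the session cookie off plain HTTP and out of script reach.
        MellonSecureCookie     On
        MellonCookieSameSite   Lax

        # 2. Redirect target check. mod_auth_mellon only follows post-login
        #    and logout redirects whose host is listed here. The default is
        #    "[self]" (the Host header of the current request), so a login
        #    started on the alias and returned to the canonical name fails
        #    with "Untrusted hostname in redirect URL". List every hostname
        #    the service answers on; avoid "*", which disables the check.
        MellonRedirectDomains  [self] ondemand.example.org ondemand-alias.example.org
    </Location>
</VirtualHost>
```

After changing either setting, run `apachectl configtest` before reloading, and confirm the header-size change took effect by checking that the “error reading the headers” lines stop appearing for the affected clients; if 400s continue with that line absent, the cause is not header size and the redirect-domain errors above are the better lead.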