Hitting max authorized valid state cookies

Hi All,

For those of you using mod_auth_openidc for OOD behind Keycloak (or another IdP/broker), have you run into users bumping into the max of 7 valid state cookies? This would come in the form of a 400 Bad Request or 503 error code.

You would see this in your httpd error logs:

[Tue Jan 14 08:39:54.515213 2020] [auth_openidc:warn] [pid 11985] [client IPADDRESS:54521] oidc_authorization_request_set_cookie: the number of existing, valid state cookies (8) has exceeded the limit (7), no additional authorization request + state cookie can be generated, aborting the request, referer: https://OOD_URL/node/NODE_NAME.inband/4636/lab?

There was an addition to mod_auth_openidc for a setting called OIDCStateMaxNumberOfCookies; see https://github.com/zmartzone/mod_auth_openidc/issues/331 and also https://github.com/zmartzone/mod_auth_openidc/issues/399

This addition allows more control of how mod_auth_openidc handles the cookies.

I have set this to: OIDCStateMaxNumberOfCookies 10 true for now.

Has anyone else bumped into this? Have suggestions? Is my setting logical?

Thanks,
Morgan

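To decide whether a limit change is actually needed, it helps to know which clients are hitting the cap and how many live state cookies they had when they did. The script below is an added example (not code from the original post or from mod_auth_openidc): it parses Apache error_log lines matching the oidc_authorization_request_set_cookie warning quoted above, strips the ephemeral port from the client address, and aggregates hits per client, per referer, and the peak cookie count observed. The sample log lines, the 192.0.2.x/198.51.100.x addresses and the ood.example.org hostname are constructed for the example.

```python
"""Find users hitting mod_auth_openidc's valid-state-cookie limit in an Apache error_log."""
import re
from collections import Counter
from datetime import datetime

# Matches the warning emitted by oidc_authorization_request_set_cookie when the
# number of valid state cookies exceeds OIDCStateMaxNumberOfCookies. The wording
# is copied from the log line quoted in the post; the referer suffix is optional.
WARN_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[auth_openidc:warn\] \[pid (?P<pid>\d+)\] "
    r"\[client (?P<client>[^\]]+)\] oidc_authorization_request_set_cookie: "
    r"the number of existing, valid state cookies \((?P<count>\d+)\) has exceeded "
    r"the limit \((?P<limit>\d+)\), no additional authorization request \+ state "
    r"cookie can be generated, aborting the request(?:, referer: (?P<referer>\S+))?"
)

# Apache error_log timestamp, e.g. "Tue Jan 14 08:39:54.515213 2020".
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"


def parse_line(line):
    """Return a dict describing one state-cookie-limit warning, or None for any other line."""
    m = WARN_RE.match(line.strip())
    if not m:
        return None
    # "client" is IP:port; drop the ephemeral port so one browser aggregates to one key.
    client_ip = m.group("client").rsplit(":", 1)[0]
    return {
        "time": datetime.strptime(m.group("ts"), TS_FORMAT),
        "pid": int(m.group("pid")),
        "client_ip": client_ip,
        "count": int(m.group("count")),
        "limit": int(m.group("limit")),
        "referer": m.group("referer") or "",
    }


def summarize(lines):
    """Aggregate warnings: total hits, hits per client, hits per referer, peak cookie count."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    return {
        "total": len(events),
        "per_client": Counter(e["client_ip"] for e in events),
        "referers": Counter(e["referer"] for e in events if e["referer"]),
        # Highest number of live state cookies a single browser had accumulated. If this
        # sits far above the configured limit, raising the limit by one or two won't help.
        "peak_count": max((e["count"] for e in events), default=0),
        "limit": max((e["limit"] for e in events), default=0),
    }


# Constructed sample log (documentation-range IPs, placeholder hostname); not real data.
SAMPLE_LOG = [
    "[Tue Jan 14 08:39:54.515213 2020] [auth_openidc:warn] [pid 11985] [client 192.0.2.10:54521] "
    "oidc_authorization_request_set_cookie: the number of existing, valid state cookies (8) has "
    "exceeded the limit (7), no additional authorization request + state cookie can be generated, "
    "aborting the request, referer: https://ood.example.org/node/n0001.inband/4636/lab?",
    "[Tue Jan 14 08:40:01.000000 2020] [core:notice] [pid 1] AH00094: Command line: 'httpd'",
    "[Tue Jan 14 08:41:12.000001 2020] [auth_openidc:warn] [pid 11986] [client 198.51.100.7:41002] "
    "oidc_authorization_request_set_cookie: the number of existing, valid state cookies (8) has "
    "exceeded the limit (7), no additional authorization request + state cookie can be generated, "
    "aborting the request, referer: https://ood.example.org/pun/sys/dashboard",
    "[Tue Jan 14 08:42:30.250000 2020] [auth_openidc:warn] [pid 11985] [client 192.0.2.10:54530] "
    "oidc_authorization_request_set_cookie: the number of existing, valid state cookies (9) has "
    "exceeded the limit (7), no additional authorization request + state cookie can be generated, "
    "aborting the request",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['total']} hits against limit {report['limit']}, peak cookies {report['peak_count']}")
    for ip, n in report["per_client"].most_common():
        print(f"  {ip}: {n} hit(s)")
    for ref, n in report["referers"].most_common():
        print(f"  referer {ref}: {n}")
```

Run it against the real error_log with `summarize(open("/var/log/httpd/error_log"))`; repeat offenders from a single client with many distinct referers point at one user opening many tabs, which is the case the `true` eviction flag is meant to absorb.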

@tdockendorf can you let us know what our OIDCStateMaxNumberOfCookies setting is (if we’ve set it)?

@mjbludwig It's probably a reasonable setting. It's probable that you want to increase it in very small amounts, by 1s or 2s, and only when you need to, but I'm guessing Trey knows more about it than I do.

We use the default for that setting.

Thank you @tdockendorf and @jeff.ohrstrom as usual!

makes note of what mludwig account to post from…

Thanks for sharing this! We ended up having to set this also. 10 seems to be a fair number, although we believe the actual solution is setting the true flag at the end so oldest cookies get removed.

OIDCStateMaxNumberOfCookies 10 true
