2

I have an Apache server which gets a malformed HTTP Request (cookie size is very big). The server displays the Cookie value along with Bad Request. Is there a way to handle this?

I tried ErrorDocument directive, but that is not helping in this case.

thefourtheye
  • What is very big? Cookie values have an upper limit – fyr Feb 07 '12 at 13:39
  • Yes... That's why I call it a malformed HTTP request.. The HTTP Request has been manually tweaked... When the HTTP request hits the server, it actually throws a 400 Response Code along with a page which displays the actual cookie content... – thefourtheye Feb 07 '12 at 13:41

1 Answer

1

Look at this page; it will explain it in detail. It will also show you the exact same problem you describe:

Example with explanation: http://stevesouders.com/tests/cookie-max.php

If you want to have custom error handling, `ErrorDocument 400` should do the job if configured correctly in the `.htaccess` file. You might also configure it directly in httpd.conf (see: https://serverfault.com/questions/158122/problems-redirecting-error-400-bad-request-to-custom-page).

Despite the possibility of fixing this with this configuration option, you should consider doing the following, based on the reason why the error occurred:

  • This error occurs while using your site regularly - Fix your code; this should never happen, and cookies should never exceed 4k in total
  • This may not occur while using your site regularly - Fix nothing. Never invest time in nice-looking pages which will only be seen by people who try to exploit things somehow
fyr
  • Correct... This is exactly what my problem is... But I don't want Apache to throw that "Request Error (invalid_request)" page. I want to handle it myself... Is it possible? – thefourtheye Feb 07 '12 at 13:49
  • Via ErrorDocument it should be possible. However you probably need to have some sort of script to remove the Cookie. The thing is normally this should not happen. – fyr Feb 07 '12 at 13:51
  • Quoting from http://httpd.apache.org/docs/2.0/mod/core.html#errordocument “Although most error messages can be overridden, there are certain circumstances where the internal messages are used regardless of the setting of ‘ErrorDocument’. In particular, if a malformed request is detected, normal request processing will be immediately halted and the internal error message returned. This is necessary to guard against security problems caused by bad requests.” This rules out ErrorDocument, I guess... – thefourtheye Feb 07 '12 at 14:01
  • I really like to get this one fixed... :) – thefourtheye Feb 07 '12 at 14:03
  • The thing is as stated above: if this happens regularly you should fix your page source. Because you use the HTTP protocol outside of its specification. ErrorDocument should be possible via `.htaccess` – fyr Feb 07 '12 at 14:07
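
A check for the behaviour discussed in this thread, as an added example that is not part of the original posts: it sends an oversized cookie carrying a marker to a server you operate and reports whether the 400 page echoes the cookie back, which is also how to confirm whether an `ErrorDocument 400` setting actually took effect. The marker value, the 9000-byte cookie size, the sample responses and all function names are assumptions of this example.

```python
import socket

MARKER = "gr-probe-7f3a"  # constructed marker, placed at the start of the cookie value

def build_probe(host, cookie_bytes=9000):
    """Raw GET whose Cookie value is cookie_bytes long (assumed to exceed the server's limit)."""
    value = MARKER + "A" * (cookie_bytes - len(MARKER))
    return (f"GET / HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: probe={value}\r\nConnection: close\r\n\r\n").encode("ascii")

def audit_response(raw, marker=MARKER):
    """Return the status code and whether the response body echoes the cookie marker."""
    head, _, body = raw.partition(b"\r\n\r\n")
    fields = head.split(b"\r\n", 1)[0].split(b" ", 2)
    status = int(fields[1]) if len(fields) > 1 and fields[1].isdigit() else None
    return {"status": status, "rejected": status == 400,
            "echoes_cookie": marker.encode("ascii") in body}

def probe(host, port=80, timeout=5.0):
    """Send the probe to a server you operate and audit whatever it answers."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            sock.sendall(build_probe(host))
            while data := sock.recv(4096):
                chunks.append(data)
        except OSError:
            pass  # the server may reset or stall before the whole request is read
    return audit_response(b"".join(chunks))

# Constructed sample responses (not captured from a real server).
SAMPLE_ECHO = (b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
               b"<h1>Bad Request</h1><pre>Cookie: probe=gr-probe-7f3aAAAA</pre>")
SAMPLE_CUSTOM = (b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
                 b"<h1>Sorry, that request could not be processed.</h1>")

if __name__ == "__main__":
    for name, raw in (("echo", SAMPLE_ECHO), ("custom", SAMPLE_CUSTOM)):
        print(name, audit_response(raw))
```

A result with `rejected` true and `echoes_cookie` false means the server refused the request without reflecting the header contents into the error page.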