Error "400 Bad Request - Request Header Or Cookie Too Large" in ASP.NET MVC Application with AzureAD Authentication

Lydia 0 Reputation points
2025-02-03T19:12:59.04+00:00

Hello,

We are experiencing an issue with our ASP.NET MVC application that involves multiple iframes. Each iframe embeds the same application, which may be hosted on different domains. Authentication within each iframe is performed using AzureAD.

When the iframes are loaded, some of them encounter the error "400 Bad Request - Request Header Or Cookie Too Large" during requests to the path "/signin-oidc". This issue appears to be related to the cookies .AspNetCore.OpenIdConnect.Nonce and .AspNetCore.Correlation.AzureADOpenID, which are sent multiple times in the request headers.

I have attached an image to demonstrate this behavior.

Could you please provide an explanation for why this issue occurs and suggest potential solutions to handle this situation?

Thank you for your assistance.

Developer technologies | ASP.NET | ASP.NET Core
Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Bruce (SqlWork.com) 77,926 Reputation points Volunteer Moderator
    2025-02-04T16:09:11.36+00:00

    This is typically caused by the user having too many role claims, which makes the token too large to be stored in a cookie. You are probably mapping all roles; you will need to refine the mapping.


  2. AgaveJoe 30,126 Reputation points
    2025-02-12T13:06:55.63+00:00

    We have already attempted to include only the necessary roles in the token, but we are still encountering the same error. Do you have any suggestions?

    If I understand correctly, you've verified the problem is with the cookie size. After trimming claims to only the necessary roles, the authentication cookie is still too large. If this is true and not a bug in the logic, then you can't store the claims in a cookie. Store the claim somewhere else that the application can get to, like a database or cache.
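
To see which cookies are actually filling the request header, the following added example (not code from the thread or from ASP.NET Core) parses a captured Cookie header and totals bytes per cookie family, using the two cookie name prefixes from the question. The sample header, the `AppAuth` cookie name, the cookie suffixes and the 8192-byte limit are constructed assumptions; substitute a header copied from the failing "/signin-oidc" request and the limit your server or proxy enforces.

```python
from collections import defaultdict

# Cookie name prefixes taken from the question; anything else is reported as "other".
FAMILIES = {
    "oidc-nonce": ".AspNetCore.OpenIdConnect.Nonce",
    "oidc-correlation": ".AspNetCore.Correlation",
}

def parse_cookie_header(header):
    """Split a raw Cookie header into (name, value) pairs without decoding values."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value))
    return pairs

def summarize(header, limit_bytes=8192):
    """Return per-family cookie counts and byte totals for one request's Cookie header.

    limit_bytes is an assumed header budget, not a value from the thread.
    """
    stats = defaultdict(lambda: {"count": 0, "bytes": 0})
    for name, value in parse_cookie_header(header):
        family = next((f for f, p in FAMILIES.items() if name.startswith(p)), "other")
        stats[family]["count"] += 1
        stats[family]["bytes"] += len(f"{name}={value}; ".encode())  # approximate wire size
    total = len(header.encode())
    largest = max(stats, key=lambda f: stats[f]["bytes"]) if stats else None
    return {"families": dict(stats), "total_bytes": total,
            "over_limit": total > limit_bytes, "largest_family": largest}

def build_sample_header(attempts, auth_cookie_len):
    """Constructed sample: one nonce and one correlation cookie per sign-in attempt."""
    parts = [f"AppAuth={'a' * auth_cookie_len}"]  # hypothetical auth cookie name
    for i in range(attempts):
        parts.append(f".AspNetCore.OpenIdConnect.Nonce.{i:04d}{'n' * 200}=N")
        parts.append(f".AspNetCore.Correlation.AzureADOpenID.{i:04d}{'c' * 40}=N")
    return "; ".join(parts)

if __name__ == "__main__":
    for attempts in (1, 12, 30):
        report = summarize(build_sample_header(attempts, 1500))
        print(attempts, report["total_bytes"], report["over_limit"], report["largest_family"])
```

If `largest_family` is one of the OIDC families, trimming role claims will not shrink the header; if it is `other`, the authentication cookie itself is the part to reduce or move server-side.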
