400 from AWS ELB when redirecting from callback (php/nginx)

auth0-php 8.0.5

We previously had a similar issue when AWS ELB returns 502 when the header is malformed (for auth0-php 8.0.3). This issue has been addressed in 8.0.5 and it has been working for Chrome and Firefox.
However, we have one legacy application that utilizes IE11 and we found that the cookie header is exceeding 16k, a limitation that AWS ELB would catch and raise http 400.

Is there a way to fix this from auth0-php so that it would meet this requirement:

  • The request header exceeded 16K per request line, 16K per single header, or 64K for the entire header.

Thank you

I have the har file from IE11, if needed for the research.

@evansims? one more?

Hi @hoangquanglam :wave: Apologies for the delay. That’s interesting, I’ve not seen that issue reported before. I’m surprised you’re hitting that sizeable a payload in your token response.

As the cookies simply store the data necessary to accurately reflect the state of the user, their id token content, and so on, I don’t have a great solution for you without changing up the storage medium.

You could try changing out the session storage medium from cookies to sessions by assigning the sessionStorage to a custom Auth0\SDK\Store\SessionStore instance during SDK configuration. This stores the user data server-side instead of client-side, and just relies on a PHP-native session assignment on the client-side to tie it together.

1 Like
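The configuration change described in the reply above, written out as an added example (this is not code from the thread or from the auth0-php project itself). It assumes the auth0-php 8.x `SdkConfiguration` named-argument constructor, its `setSessionStorage()` setter, and a `SessionStore` constructor that takes the configuration object; the domain, client and redirect values are placeholders to be replaced with your own.

```php
<?php
// Added example: move auth0-php session state from cookies to server-side PHP sessions.
// Assumes auth0-php 8.x. Placeholder values must be replaced with your tenant settings.

declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Auth0\SDK\Auth0;
use Auth0\SDK\Configuration\SdkConfiguration;
use Auth0\SDK\Store\SessionStore;

// Harden the PHP session cookie first: with SessionStore the browser only carries the
// session id, so this cookie is now what ties the client to the server-side state.
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, cleared when the browser closes
    'secure'   => true,     // only sent over HTTPS (the ELB/ALB listener)
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',    // still allows the top-level redirect back from Auth0
]);

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

$configuration = new SdkConfiguration(
    domain:       'YOUR_TENANT.auth0.com',              // placeholder
    clientId:     'YOUR_CLIENT_ID',                     // placeholder
    clientSecret: 'YOUR_CLIENT_SECRET',                 // placeholder
    redirectUri:  'https://app.example.com/callback',   // placeholder
    cookieSecret: 'A_LONG_RANDOM_SECRET',               // placeholder; still used for transient cookies
);

// Replace the default cookie-backed session storage with the server-side SessionStore.
// Assumption: SessionStore takes the SdkConfiguration as its first constructor argument.
// The id/access tokens and user profile now live in $_SESSION instead of in a cookie,
// so the response headers returned to the client stay far below the 16K ALB limit.
$configuration->setSessionStorage(new SessionStore($configuration));

$auth0 = new Auth0($configuration);

// Typical callback handling: exchange the code, then read the (server-side) session.
if (isset($_GET['code'], $_GET['state'])) {
    $auth0->exchange();
    header('Location: /');
    exit;
}

$session = $auth0->getCredentials();
if ($session === null) {
    // Not logged in: start the redirect flow.
    header('Location: ' . $auth0->login());
    exit;
}

// Logged in; only the PHP session id cookie crossed the load balancer.
echo 'Logged in as ' . htmlspecialchars((string) ($session->user['email'] ?? 'unknown'), ENT_QUOTES);
```

A practical check after deploying this: inspect a callback response in the browser's developer tools (or the HAR file mentioned earlier) and confirm that the only `Set-Cookie` headers of any size are the PHP session cookie and the SDK's short-lived transient cookie, rather than a multi-kilobyte serialized session.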

Will try that. Thanks @evansims

Hi @evansims, just a line to let you know that switching to SessionStorage is working great and it overcomes the IE11/ALB issue. I wonder if we should have SessionStorage as the default for auth0-php. While defaulting to CookieStorage is optimal for other types of implementation, for PHP it might be best to avoid passing large cookies back and forth. Have a nice day!