502 from AWS ELB when redirecting from callback (php/nginx)

  • Client > AWS ELB > PHP > PageX > determine that authentication needed > redirect to auth0/authorize…
  • Code is waiting at /callback endpoint…
  • Client redirected through ELB > PHP > /callback… code processes the callback by calling auth0-php exchange() method then redirect back to PageX.

The callback redirection causes the AWS ELB to return 502 to the client. Logging in the /callback indicates that everything is working as expected. I suspect that the redirection has certain headers that AWS ELB deems to be invalid. Upon inspection, I’m just seeing a number of Set-Cookie: <cookieContent> + Location: <redirectURL> + Content-Type: */*; charset=UTF-8 + Content-Length: 0

Does anyone have a workaround for this?

Hi @hoangquanglam :wave: I can’t think of anything particularly unique about the headers the PHP SDK would be sending that would cause any issues for ELB. What version of the PHP SDK are you using?

@evansims, Auth0-PHP version 8.0.3. What I notice is that there are 21 of the Set-Cookie headers. I guess my credential has lots of data. Testing local stack everything flows through fine. Only when it’s on AWS stack that the ELB decided to return 502. Idle time for ELB = 60 and nginx = 65, so it’s not because of bad timing.

Could be related to the amount of headers there. There’s a bug (incidentally just brought to my attention today) where, currently, those headers aren’t getting queued up/batched properly. They should more or less all be getting written with just a couple of set-cookie headers, rather than dozens. I’ve got a bug fix for that landing in 8.0.5 next week. Although I wouldn’t expect that would be an issue for ELB, it’s certainly plausible. I’ll give you a ping here when 8.0.5 drops with that bugfix so you can see if that resolves things for you.


Thanks for following up on that Evan!


@evansims, hope you had a nice holiday. Is there any update on the reducing of the number of set-cookie headers for Auth0-PHP? Thanks.

Hey @hoangquanglam, sorry for the delay, I forgot going into the holidays we weren’t allowing any SDK releases until after the holidays. I’ll try to get that out yet this week.


Thanks @evansims . My AWS support confirms that it’s due to header size limitation. The ALB has header size limits:

  • 16KB per request line
  • 16KB per single header
  • 64KB for the entire header

Hope this provides some more insight into your upcoming fix. As a side question, is there a way to ask for less (cookie) data when authenticating?

Some further investigation yields:

It seems that there are multiple (3 in my test case) Set-Cookie for the same cookie name, each with different content. There is one other Set-Cookie with a different cookie name.

Not sure if this helps.
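
An added example, not code from the thread or from the Auth0 SDK: one way to measure a captured redirect response against the header limits quoted above and to see how much of the payload comes from repeated Set-Cookie names. The cookie names, host and sizes are constructed sample data; treating KB as 1024 bytes, leaving the status line out of the total, and counting only the last Set-Cookie per name as live are assumptions.

```python
from collections import Counter

# Limits quoted in the thread; KB is taken as 1024 bytes (assumption).
MAX_SINGLE_HEADER = 16 * 1024
MAX_ALL_HEADERS = 64 * 1024


def _size(lines):
    return sum(len(l.encode()) + 2 for l in lines)  # +2 for each CRLF


def audit_headers(raw: str) -> dict:
    """Measure a raw response header block against the quoted limits."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = [l for l in head.split("\r\n")[1:] if l]  # drop the status line
    counts, last, others = Counter(), {}, []
    for line in lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            cookie = value.strip().split("=", 1)[0]
            counts[cookie] += 1
            last[cookie] = line  # a later Set-Cookie for a name replaces earlier ones
        else:
            others.append(line)
    return {
        "set_cookie_count": sum(counts.values()),
        "repeated_names": {n: c for n, c in counts.items() if c > 1},
        "oversized_headers": [l.partition(":")[0] for l in lines
                              if len(l.encode()) > MAX_SINGLE_HEADER],
        "total_bytes": _size(lines),
        "deduped_bytes": _size(others + list(last.values())),
    }


def build_sample() -> str:
    """Constructed response: 7 hypothetical cookie names, each written 3 times."""
    cookies = [f"Set-Cookie: sess_{i}={rnd}" + "x" * 3500 + "; Path=/; HttpOnly"
               for rnd in range(3) for i in range(7)]
    head = ["HTTP/1.1 302 Found", "Location: https://app.example.test/pagex",
            "Content-Length: 0"] + cookies
    return "\r\n".join(head) + "\r\n\r\n"


if __name__ == "__main__":
    report = audit_headers(build_sample())
    for key, value in report.items():
        print(f"{key}: {value}")
    print("over 64KB total:", report["total_bytes"] > MAX_ALL_HEADERS)
```

Feed it the header block captured directly from the backend (behind the load balancer), since the 502 means the client never sees those headers.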

Hey @hoangquanglam :wave: Thanks for your patience! Can you give the freshly released 8.0.5 a try and see if it helps reduce your cookie header payload issues?


@evansims , 8.0.5 did fix the ELB 502 issue. Thanks for the support. It’s been a head scratcher. Good day!

Glad we could get it sorted for you! No trouble at all, thanks for your patience through the holidays on it.

Teamwork makes the dreamwork!