Symptoms


Our platform is using a Web Application Firewall, which is dropping headers larger than 8kb.
Unfortunately, the FedAuth cookie used by SharePoint with SmartForms gets larger than 8kb; hence the firewall is blocking requests to the SmartForms server.
Below are some additional details:

The Web Application Firewall is Akamai (Kona SiteDefender), which is based on Tomcat and is dropping HTTP headers > 8kb and filtering packets with an overall HTTP header payload > 16kb. There are other firewalls in the stack (F5, CheckPoint), but so far they are accepting all of the packets.
We are noticing that the FedAuth cookie size blows up when we have a SharePoint 2013 App using a SmartForm. Below is what our developers are stating:
1) On the K2 domain, we will have a different session security token. The amount of cookie info inside the token will be sizably different depending on whether we access the /Runtime path or the /Designer path.
2) When logging in to K2 Designer, additional information is loaded into the cookies.
3) I’m unable to decode the FedAuth cookie enriched by SmartForms, so I suspect K2 is encrypting the security information.

There are several approaches that might be applied to decrease the FedAuth cookie size (e.g. http://www.cloudidentity.com/blog/2010/05/26/your-fedauth-cookies-on-a-diet-issessionmode-true/), but since we noticed some specific K2 HTTP handlers and configurations, we would like to verify a recommended approach with you. In the long term our customer is moving to a full claims architecture with strict segregation of roles, meaning a significant number of claims will be carried by FedAuth. We can sacrifice/drop encryption in favour of a smaller cookie.
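A practical way to confirm whether a request will trip the limits described above (8kb per header, 16kb across all headers) is to measure the serialized Cookie header yourself before the WAF does. The script below is an added example, not part of the original ticket or of K2's code: it serializes a cookie set the way a browser sends it, reassembles a chunked FedAuth cookie (WIF's chunked cookie handler splits a large session token into FedAuth, FedAuth1, FedAuth2, ...), and reports which limit a request would exceed. The host name, the other headers and the FedAuth token bytes are constructed filler, and the "Runtime" and "Designer" token sizes are assumptions chosen only to illustrate a small and a large cookie.

```python
# Added example: measure request header sizes against the WAF limits
# described in the ticket (8 KB per header, 16 KB total header payload).
# All sample data below is constructed; the FedAuth values are random
# base64 filler, not real tokens.
import base64
import os

SINGLE_HEADER_LIMIT = 8 * 1024   # per-header limit the WAF enforces
TOTAL_HEADER_LIMIT = 16 * 1024   # overall header payload limit

# Constructed request headers that accompany the cookies (assumption).
BASE_HEADERS = {
    "Host": "k2.example.invalid",
    "User-Agent": "Mozilla/5.0 (constructed sample)",
    "Accept": "text/html",
}


def header_line_size(name, value):
    """Bytes on the wire for one header line: 'Name: value\\r\\n'."""
    return len(f"{name}: {value}\r\n".encode("utf-8"))


def build_cookie_header(cookies):
    """Serialize a cookie dict as a browser does: 'a=1; b=2'."""
    return "; ".join(f"{k}={v}" for k, v in cookies.items())


def chunk_name(i):
    """Cookie name used for chunk i: FedAuth, FedAuth1, FedAuth2, ..."""
    return "FedAuth" if i == 0 else f"FedAuth{i}"


def chunk_cookie(token, chunk=2000):
    """Split a token into FedAuth, FedAuth1, ... like the chunked handler."""
    return {chunk_name(i): token[j:j + chunk]
            for i, j in enumerate(range(0, len(token), chunk))}


def reassemble_fedauth(cookies):
    """Join FedAuth, FedAuth1, ... in order to recover the full token."""
    parts = []
    i = 0
    while chunk_name(i) in cookies:
        parts.append(cookies[chunk_name(i)])
        i += 1
    return "".join(parts)


def check_request(headers, cookies):
    """Report per-header sizes, the total, and which WAF limits are exceeded."""
    all_headers = dict(headers)
    if cookies:
        all_headers["Cookie"] = build_cookie_header(cookies)
    sizes = {n: header_line_size(n, v) for n, v in all_headers.items()}
    total = sum(sizes.values())
    too_large = [n for n, s in sizes.items() if s > SINGLE_HEADER_LIMIT]
    return {
        "sizes": sizes,
        "total": total,
        "fedauth_chars": len(reassemble_fedauth(cookies)),
        "over_single_limit": too_large,
        "over_total_limit": total > TOTAL_HEADER_LIMIT,
        "would_be_dropped": bool(too_large) or total > TOTAL_HEADER_LIMIT,
    }


def fake_token(nbytes):
    """Random base64 filler standing in for an opaque FedAuth token (constructed).
    base64 of n bytes is 4*ceil(n/3) characters, so the length is deterministic."""
    return base64.b64encode(os.urandom(nbytes)).decode("ascii")


def runtime_report():
    """Assumed small token (3000 chars) as seen on the /Runtime path."""
    return check_request(BASE_HEADERS, chunk_cookie(fake_token(2250)))


def designer_report():
    """Assumed large token (12000 chars) as seen after logging in to Designer."""
    return check_request(BASE_HEADERS, chunk_cookie(fake_token(9000)))


if __name__ == "__main__":
    for label, report in (("Runtime", runtime_report()), ("Designer", designer_report())):
        print(f"{label}: Cookie header {report['sizes']['Cookie']} bytes, "
              f"total {report['total']} bytes, dropped={report['would_be_dropped']}")
```

Running it prints one line per scenario; the Designer case exceeds the per-header limit on the Cookie header alone, which is the failure mode the ticket describes. The same `check_request` function can be fed the real headers captured from a browser's developer tools to measure an actual session.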
 

Diagnoses


There is a coldfix available to reduce the FedAuth cookie size in K2.
 

Resolution

The ticket was linked with TFS item 508339, and a coldfix was issued that reduced the size of the FedAuth cookie to less than 8kb, which in turn resolved the firewall issue.

The fix is essentially that new instances will not have the EventHandler hooked, which makes the FedAuth cookies smaller.
