20

I'm currently working on an ASP.NET MVC website and it works fine.

But I have a problem that I don't understand at all... When I launch my website on Visual Studio with Chrome for example no problem, but when I stop it and try to launch an other test with Firefox for example, my url is growing and then I get this error :

HTTP 400. The size of the request headers is too long.

Can someone explain me why this is happening ? Is it something with my code or does it come from IIS express or anything else ?

Thanks in advance

MrPixel6
  • 337
  • 1
  • 4
  • 17
  • 3
    Possible duplicate of [Bad Request - Request Too Long HTTP Error 400. The size of the request headers is too long](http://stackoverflow.com/questions/14778910/bad-request-request-too-long-http-error-400-the-size-of-the-request-headers-i) – CodeCaster May 09 '16 at 09:41
  • May you show us http request this return the response? – Mediator May 09 '16 at 09:41
  • Use your browser's debugging tools or a proxy like Fiddler to see what is actually going on. From there, you can do more research. With the given information, we can't do anything but guess. See for example [Bad Request - Request Too Long HTTP Error 400. The size of the request headers is too long](http://stackoverflow.com/questions/14778910/bad-request-request-too-long-http-error-400-the-size-of-the-request-headers-i). – CodeCaster May 09 '16 at 09:42
  • seems like same issue [Link](http://stackoverflow.com/questions/14778910/bad-request-request-too-long-http-error-400-the-size-of-the-request-headers-i) – Rahul R G May 09 '16 at 09:46
  • Thank you guys but I already saw this post but it's only a problem about having too much cookies ? Nothing else can cause that ? – MrPixel6 May 09 '16 at 10:11
  • You need to get into your debugger in firefox and see if you can figure out what is causing the URL to bloat. – Paddy Aug 11 '21 at 08:22

6 Answers6

11

You can probably increase the size of requests your webserver will allow. However, take a look at the amount and the size of cookies your browser are sending to the server. Clear your cookies and try again, and see if you can reduce the size and amount of cookies your app is using. The less, the better! Mobile browsers can get these errors, as they don't allow the same size as do desktop browsers(?).

The error can also mean the query string is getting too large.

cederlof
  • 6,901
  • 4
  • 42
  • 61
8

Check the MSDN:

Cause

This issue may occur when the user is a member of many Active Directory user groups. When a user is a member of a large number of active directory groups the Kerberos authentication token for the user increases in size. The HTTP request that the user sends to the IIS server contains the Kerberos token in the WWW-Authenticate header, and the header size increases as the number of groups goes up. If the HTTP header or packet size increases past the limits configured in IIS, IIS may reject the request and send this error as the response.

Resolution

To work around this problem, choose one of the following options:

A) Decrease the number of Active Directory groups that the user is a member of.

OR

B) Modify the MaxFieldLength and the MaxRequestBytes registry settings on the IIS server so the user's request headers are not considered too long. To determine the appropriate settings for the MaxFieldLength and the MaxRequestBytes registry entries, use the following calculations:

  1. Calculate the size of the user's Kerberos token using the formula described in the following article:

    New resolution for problems with Kerberos authentication when users belong to many groups http://support.microsoft.com/kb/327825

  2. Configure the MaxFieldLength and the MaxRequestBytes registry keys on the IIS server with a value of 4/3 * T, where T is the user's token size, in bytes. HTTP encodes the Kerberos token using base64 encoding and therefore replaces every 3 bytes in the token with 4 base64 encoded bytes. Changes that are made to the registry will not take effect until you restart the HTTP service. Additionally, you may have to restart any related IIS services.

Rahul Tripathi
  • 161,154
  • 30
  • 262
  • 319
  • 6
    That is one very specific cause and fix of this error, namely _"This issue may occur when the user is a member of many Active Directory user groups"_. The OP has not confirmed this is the case. – CodeCaster May 09 '16 at 09:50
  • 1
    See also [Do web.config header size limits override http.sys limits in the registry?](//stackoverflow.com/q/35749180) – Michael Freidgeim Apr 16 '17 at 12:53
  • 1
    Despite whether this was the problem for the OP's specific instance of this error, it was the problem for my instance and therefore very helpful. Thank you. – briantist Jul 21 '17 at 15:49
  • Would this work if the site is hosted in IIS Express? – Ε Г И І И О Sep 19 '19 at 04:33
  • is above answer applicable when application uses Forms authentication ? – Sagar Dec 10 '21 at 07:43
7

try this

<system.web>
        <httpRuntime maxRequestLength="2097151" executionTimeout="2097151" />
</system.web>

The maxRequestLength default size is 4096 KB (4 MB).

if browser request some resource again and again , at some time request header value length increase by number of times so we may try to extend request length to max length. i hope this may usefull

Michael Freidgeim
  • 23,917
  • 16
  • 136
  • 163
Sanjay Radadiya
  • 1,184
  • 14
  • 22
  • 1
    Although this code may be help to solve the problem, providing additional context regarding _why_ and/or _how_ it answers the question would significantly improve its long-term value. Please [edit] your answer to add some explanation. – Toby Speight Jul 04 '16 at 16:45
  • 2
    The maxRequestLength default is 4 MB- quite large to be limitation for such error. – Michael Freidgeim Jun 11 '17 at 10:06
  • I would say you have another problem if you need to increase maxRequestLength. – cederlof Oct 10 '18 at 06:41
  • @cederlof can you describe in detail here – Sanjay Radadiya Oct 10 '18 at 16:18
  • I would agree - this masks the problem rather than finding a real solution to the issue. Permitting these very large requests to your server opens you up to other denial of service type issues. – Paddy Aug 11 '21 at 08:21
7

.NET MVC SOLUTION FOR ME In my case, it was my claims that was multiplying my session cookies to look as below in my browser cookies:

.AspNet.ApplicationCookie
.AspNet.ApplicationCookieC1
.AspNet.ApplicationCookieC2
.AspNet.ApplicationCookieC3
.AspNet.ApplicationCookieC4
.AspNet.ApplicationCookieC5
.AspNet.ApplicationCookieC6
.AspNet.ApplicationCookieC7
__RequestVerificationToken

I simply went to aspNetUserClaims table in my mssql management studio and cleared it. Then cleared the browser cookie for the project.

Refreshed the page. Kalas!!! Done!! I believe it happened because I was switching from one database connectionstring to another which caused the claimsManager to recreate session and add to my cookie. On saturation, everyting exploded.

Ifeanyi Chukwu
  • 2,951
  • 2
  • 27
  • 28
2

In my case, I had cookies from a number of different apps served on my localhost with large cookies. FF differentiates by host-name so clearing my cookies from localhost fixed it.

ataboo
  • 737
  • 1
  • 8
  • 15
1

In windows system generally this error occurs due to the default header size limits set in the http.sys service. This service acts as a protective layer before requests are forwarded to the application to prevent it from being overwhelmed by invalid requests.

You can override the default max header limit by modifying the windows registry.

Follow the steps :

  • Run regedit
  • From the address bar go to the address : Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters or drill down manually.
  • Right click on "Parameters" > New > DWORD
  • Rename the new entry to MaxFieldLength
  • Right click the newly created MaxFieldLength, modify it and set the value to desired max individual header size in bytes, make sure base is set to decimal.
  • Do the same for MaxRequestBytes. Make it sufficiently higher to match value set in MaxFieldLength.
  • Open command prompt as administrator
  • Enter the command "net stop http" (make sure visual studio or other interfering programs are closed)
  • Enter the command "net start http"

Resources:

chaosifier
  • 2,287
  • 21
  • 37