The above Discourse cookie string is 1,962 characters long!
For comparison, the cookie header sent to my Mediawiki site is 122 characters long, including my username, user id, and session id.
The Mediawiki session id is 32 characters long, but Discourse appears to have two session ids: rack.session is 813 characters long and _forum_session is 1,075 characters long. Please help me to understand why a simple uid needs to be so long. Can I configure Discourse to use a shorter session uid? Does such a request make sense?
What is stored in that string? Is it possible to make it smaller?
Specifically, what component of the Discourse software is rack.session used for? And what is _forum_session used for?
Of course I can just bump up the nginx config limits, but I’d like to keep them reasonably low unless there’s a strong requirement to increase them.
I support auditing our session cookies and maybe just moving to default use our redis backed session that auto expires which is better anyway. @david any thoughts here?
Depends, plugins that use session heavily can be impacted, its also a hygiene thing, nicer to keep all this secret info on the server instead of encrypted on the client.
Yikes, this tuning was done intentionally for security; it’s not a “badly configured” proxy. Tuning down the following nginx directives is commonly done as part of hardening nginx (to address availability, rate limiting, DOS, etc):
The settings we use in our nginx config work fine on all our existing sites. The problem here appears to be that Discourse stores unnecessary client data in the cookie, where imho the only thing stored in the cookie should be just a few unique identifiers that the server can use to access that data server-side.
Thanks Sam. By “moving to default use redis” are you suggesting that it’s currently possible to move the data stored in the session cookie to redis with a configuration change? Or would moving this data out of the session cookie to the server necessarily require a code change?
Note: I’ve also had to override my hardened nginx config’s large_client_header_buffers directive to get Discourse working.
Specifically, I use large_client_header_buffers 2 1k for all my other sites’ nginx configs. But this causes a 414 Request-URI Too Large error from /admin/reports/bulk?XYZ – where XYZ is actually 1,019 characters long!
This was fixed by setting large_client_header_buffers 4 8k; in my Discourse nginx config’s server{} block, which overrides the global directive and restores the directive to its default value for Discourse
For better interoperability of Discourse installs through popular hardened web servers, network firewalls, and web application firewalls, I urge the Discourse developers to consider using POST for such long query strings.
For someone who is not a backend engineer, what is the fix for this?
We are getting a lot of reports of this error over the past month on the Webflow forum. Recommending a visitor clear their cookies/cache or use incognito mode has worked but not ideal.
Any advice on fixing this for our instance of Discourse would be much appreciated.
Can you link an example? This problem in OP is about self-hosting Discourse, so I do not follow how can it affect a hosted instance like the one you linked.