Size of the request headers is too long

Question

I'm currently working on an ASP.NET MVC website and it works fine.

But I have a problem that I don't understand at all... When I launch my website on Visual Studio with Chrome for example no problem, but when I stop it and try to launch an other test with Firefox for example, my url is growing and then I get this error :

HTTP 400. The size of the request headers is too long.

Can someone explain me why this is happening ? Is it something with my code or does it come from IIS express or anything else ?

Thanks in advance

Possible duplicate of [Bad Request - Request Too Long HTTP Error 400. The size of the request headers is too long](http://stackoverflow.com/questions/14778910/bad-request-request-too-long-http-error-400-the-size-of-the-request-headers-i) — CodeCaster, May 09 '16 at 09:41
Use your browser's debugging tools or a proxy like Fiddler to see what is actually going on. From there, you can do more research. With the given information, we can't do anything but guess. See for example [Bad Request - Request Too Long HTTP Error 400. The size of the request headers is too long](http://stackoverflow.com/questions/14778910/bad-request-request-too-long-http-error-400-the-size-of-the-request-headers-i). — CodeCaster, May 09 '16 at 09:42
seems like same issue [Link](http://stackoverflow.com/questions/14778910/bad-request-request-too-long-http-error-400-the-size-of-the-request-headers-i) — Rahul R G, May 09 '16 at 09:46
Thank you guys but I already saw this post but it's only a problem about having too much cookies ? Nothing else can cause that ? — MrPixel6, May 09 '16 at 10:11
You need to get into your debugger in firefox and see if you can figure out what is causing the URL to bloat. — Paddy, Aug 11 '21 at 08:22

cederlof · Answer 1 · 2018-11-22T07:49:04.333

You can probably increase the size of requests your webserver will allow. However, take a look at the amount and the size of cookies your browser are sending to the server. Clear your cookies and try again, and see if you can reduce the size and amount of cookies your app is using. The less, the better! Mobile browsers can get these errors, as they don't allow the same size as do desktop browsers(?).

The error can also mean the query string is getting too large.

score 10 · Answer 2 · answered May 09 '16 at 09:45

Check the MSDN:

Cause

This issue may occur when the user is a member of many Active Directory user groups. When a user is a member of a large number of active directory groups the Kerberos authentication token for the user increases in size. The HTTP request that the user sends to the IIS server contains the Kerberos token in the WWW-Authenticate header, and the header size increases as the number of groups goes up. If the HTTP header or packet size increases past the limits configured in IIS, IIS may reject the request and send this error as the response.

Resolution

To work around this problem, choose one of the following options:

A) Decrease the number of Active Directory groups that the user is a member of.

OR

B) Modify the MaxFieldLength and the MaxRequestBytes registry settings on the IIS server so the user's request headers are not considered too long. To determine the appropriate settings for the MaxFieldLength and the MaxRequestBytes registry entries, use the following calculations:

Calculate the size of the user's Kerberos token using the formula described in the following article:

New resolution for problems with Kerberos authentication when users belong to many groups http://support.microsoft.com/kb/327825

Configure the MaxFieldLength and the MaxRequestBytes registry keys on the IIS server with a value of 4/3 * T, where T is the user's token size, in bytes. HTTP encodes the Kerberos token using base64 encoding and therefore replaces every 3 bytes in the token with 4 base64 encoded bytes. Changes that are made to the registry will not take effect until you restart the HTTP service. Additionally, you may have to restart any related IIS services.

That is one very specific cause and fix of this error, namely _"This issue may occur when the user is a member of many Active Directory user groups"_. The OP has not confirmed this is the case. — CodeCaster, May 09 '16 at 09:50
See also [Do web.config header size limits override http.sys limits in the registry?](//stackoverflow.com/q/35749180) — Michael Freidgeim, Apr 16 '17 at 12:53
Despite whether this was the problem for the OP's specific instance of this error, it was the problem for my instance and therefore very helpful. Thank you. — briantist, Jul 21 '17 at 15:49
is above answer applicable when application uses Forms authentication ? — Sagar, Dec 10 '21 at 07:43
We ran into this issue using an SSO that passed through all of the AD groups for a user. We then use these groups to determine security, and the SSO did not have a way to limit the groups passed, so this was the best solution for us. — Mike, Jun 01 '23 at 14:10
One other thing we added from the article: If MaxFieldLength is set to its maximum value of 64 KB, the MaxTokenSize registry value should be set to 3/4 * 64 = 48 KB. — Mike, Jun 01 '23 at 14:10

score 10 · Answer 3 · answered Jan 07 '19 at 17:23

.NET MVC SOLUTION FOR ME In my case, it was my claims that was multiplying my session cookies to look as below in my browser cookies:

.AspNet.ApplicationCookie
.AspNet.ApplicationCookieC1
.AspNet.ApplicationCookieC2
.AspNet.ApplicationCookieC3
.AspNet.ApplicationCookieC4
.AspNet.ApplicationCookieC5
.AspNet.ApplicationCookieC6
.AspNet.ApplicationCookieC7
__RequestVerificationToken

I simply went to aspNetUserClaims table in my mssql management studio and cleared it. Then cleared the browser cookie for the project.

Refreshed the page. Kalas!!! Done!! I believe it happened because I was switching from one database connectionstring to another which caused the claimsManager to recreate session and add to my cookie. On saturation, everyting exploded.

score 8 · Answer 4 · edited Jun 11 '17 at 10:03

8

try this

<system.web>
        <httpRuntime maxRequestLength="2097151" executionTimeout="2097151" />
</system.web>

The maxRequestLength default size is 4096 KB (4 MB).

if browser request some resource again and again , at some time request header value length increase by number of times so we may try to extend request length to max length. i hope this may usefull

edited Jun 11 '17 at 10:03

Michael Freidgeim

26,542
16
152
170

answered Jul 04 '16 at 12:54

Sanjay Radadiya

1,254
15
22

1

Although this code may be help to solve the problem, providing additional context regarding _why_ and/or _how_ it answers the question would significantly improve its long-term value. Please [edit] your answer to add some explanation. – Toby Speight Jul 04 '16 at 16:45
2

The maxRequestLength default is 4 MB- quite large to be limitation for such error. – Michael Freidgeim Jun 11 '17 at 10:06
I would say you have another problem if you need to increase maxRequestLength. – cederlof Oct 10 '18 at 06:41
@cederlof can you describe in detail here – Sanjay Radadiya Oct 10 '18 at 16:18
I would agree - this masks the problem rather than finding a real solution to the issue. Permitting these very large requests to your server opens you up to other denial of service type issues. – Paddy Aug 11 '21 at 08:21

chaosifier · Answer 5 · 2021-11-23T05:38:51.730

In windows system generally this error occurs due to the default header size limits set in the http.sys service. This service acts as a protective layer before requests are forwarded to the application to prevent it from being overwhelmed by invalid requests.

You can override the default max header limit by modifying the windows registry.

Follow the steps :

Run regedit
From the address bar go to the address : Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters or drill down manually.
Right click on "Parameters" > New > DWORD
Rename the new entry to MaxFieldLength
Right click the newly created MaxFieldLength, modify it and set the value to desired max individual header size in bytes, make sure base is set to decimal.
Do the same for MaxRequestBytes. Make it sufficiently higher to match value set in MaxFieldLength.
Open command prompt as administrator
Enter the command "net stop http" (make sure visual studio or other interfering programs are closed)
Enter the command "net start http"

Resources:

I do not see MaxFieldLength in Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters path do I need CREAET a new one ? — Sagar, Dec 10 '21 at 07:40

score 2 · Answer 6 · answered Aug 14 '20 at 00:05

2

In my case, I had cookies from a number of different apps served on my localhost with large cookies. FF differentiates by host-name so clearing my cookies from localhost fixed it.

answered Aug 14 '20 at 00:05

ataboo

797
1
8
16

score 0 · Answer 7 · answered Sep 07 '22 at 15:15

0

Following Ifeanyi Chukwu's answer, for my case, I tried with private mode (Incognito) and it works fine. Then I go to browser settings and delete cookies of my site (localhost). That fixes the issue.

answered Sep 07 '22 at 15:15

Anh Bui

31
3

score 0 · Answer 8 · answered Jan 20 '23 at 05:46

0

As you may already figured out issue, a simple temporary solution would be to switch your browser while debugging.

answered Jan 20 '23 at 05:46

Pavan S

11
2

As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Jan 22 '23 at 10:25

Size of the request headers is too long

8 Answers8

Linked