Fixed Unbounded inlinemod cookie size


Well-known member
Affected version
The inlinemod cookies, such as xf_inlinemod_conversations, currently have an unbounded size. Cookies aren't really supposed to be > 4 KiB, but it's not too difficult for an end user to end up with a cookie far larger than that just by selecting several pages of conversations for deletion. From that point forward, they're likely to run into 400 errors such as the following:

400 Bad Request​

Request Header Or Cookie Too Large

If you take a look at the bottom, that isn't coming from my server; it's coming from Cloudflare, so it isn't something that I can configure. This wouldn't be a huge issue if it could only be encountered by staff, but since users have access to inlinemod functionality in conversations, it poses a problem. They're not likely to realize they need to clear their cookies to continue using the site.
I think there's something in this, but I'm not entirely sure of the circumstances which lead to this 400 cookie too large error.

We proxy through CloudFlare here and as you can see I'm still plodding along nicely with these cookies:


One of these was artificially doubled in size, the other took a fair amount of clicking.

The behaviour observed when it hits ~4096 bytes and you try to add more to that cookie is that the requests complete successfully without issue, but the cookie remains unmodified. It does lead to a situation where the UI indicates that the item is selected but it actually isn't because the cookie can no longer be increased in size.

This, at least, is the behaviour exhibited by Chrome on macOS. But according to RFC 6265 4096 bytes is the minimum size that should be supported per cookie. i.e. no user agent should impose a limit below 4096 bytes per cookie.

It might be useful to understand the circumstances which led to this bad request. Are there actually server limits in place? Or a particular config in CloudFlare? Do we know which browser was being used to generate the cookie(s), and what size was it when this triggered?

For now, if we can, I think setting a per-inline mod cookie limit of somewhere between 3KB and 3.5KB is probably reasonable, with a notice displayed once the limit is hit. But it would be good to make sure that's sufficient to prevent this particular case so please let us know :)
Nginx--and, by extension, Cloudflare--can get cranky when request headers are too large. It looks at the overall size of the headers, not any single header or any single cookie. That means the issue can be compounded by the use of a product like Cloudflare Access, as was likely the case here. Furthermore, if there are multiple large XenForo headers, that could probably push it over the limit all on its own--it's a matter of all cookies being taken collectively along with all the other headers, not a single cookie.

I don't remember the exact circumstances, but I would've tested it with multiple browsers and configurations before reporting it. That likely would've included the latest versions of Safari and Chrome, at minimum. It would've been a fresh XF2 dev instance, likely protected by Cloudflare Access (which adds its own cookies).
Also, this likely would’ve been tested with a free Cloudflare plan. I may have also attempted to reproduce it on a Pro plan, but I wouldn’t have tested it on anything higher than that.
Without solid info and a reproduction case we can limit the cookies to maybe 3KB or so but hard to know if that’s sufficient to avoid the case you ran into.

I’ve got some code written that limits the cookie sizes for now at least which I’m testing.

I’ve only tested Chrome so far and that had no issue on our set up here, but I can test it elsewhere and with different browsers. Including with CloudFlare free. But any further info you have might be useful.
I think 3-4 KiB is plenty. I probably ended up with something much larger than that; I believe I selected around 10 pages of conversations with relatively large IDs.
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.6).

Change log:
Limit the size of each inline mod cookie to 3KB to avoid excessive header sizes.
There may be a delay before changes are rolled out to the XenForo Community.
Top Bottom