
I have an app running on Google App Engine (Flask, Python 3, flexible environment) using the Identity-Aware Proxy to allow everyone in our organization (which uses GSuite) to control access. Recently we've been getting 413 errors.

When I looked at the cookies of the failing requests I expected to see one request cookie prefixed with GCP_IAAP_AUTH_TOKEN. Instead I see 11, each one slightly different. Their combined sizes put us over the 15kb header size limit indicated in the link below, causing a 413 error.

https://cloud.google.com/appengine/docs/flexible/go/how-requests-are-handled

I don't understand why there are so many cookies, or how to make them go away. Our users all use Chrome, and many but not all of them are intermittently running into this error. Those that aren't, when their cookies are inspected, show only a couple cookies with this prefix. See below for an example of what this collection of cookies looks like:

Eleven IAP cookies in a single header

TasosV
The user receives a session cookie referencing their Google login session. Cloud IAP uses this cookie to confirm that the user is still signed into their Google account. The issue could be occurring because you have multiple active sessions. – JKleinne Aug 13 '19 at 23:13

1 Answer


Posting what ended up solving this particular instance of the problem in case something like it occurs to other people in the future.

The original IAP code for our project was written in 2018. At the time, IAP had a known issue requiring re-logging in every hour. The suggested workaround from this thread was to use a hidden iframe.

https://issuetracker.google.com/issues/69386592?pli=1

We followed that guidance, but Google fixed the underlying issue in June of 2019. Now, following that guidance causes a gradual accumulation of session cookies in the headers. Removing the no-longer-needed offending iframe code solved the problem.
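
To catch this kind of build-up before users start seeing 413s, the app can audit the Cookie header on requests that still get through. The following is an added example, not code from the original post or from Google: the function and class names, the warning thresholds and the sample cookie suffixes and values are assumptions, while the `GCP_IAAP_AUTH_TOKEN` prefix and the 15 KB limit come from the question.

```python
IAP_PREFIX = "GCP_IAAP_AUTH_TOKEN"  # cookie-name prefix quoted in the question
HEADER_LIMIT = 15 * 1024            # 15 KB limit cited in the question, taken as bytes
WARN_RATIO = 0.5                    # assumption: warn at half the limit
MAX_IAP_COOKIES = 2                 # assumption: unaffected users showed "only a couple"


def audit_cookie_header(cookie_header):
    """Return counts and sizes for IAP cookies in one raw Cookie header value."""
    iap_count, iap_bytes = 0, 0
    for pair in cookie_header.split(";"):
        pair = pair.strip()
        name, _, _value = pair.partition("=")
        if name.startswith(IAP_PREFIX):
            iap_count += 1
            iap_bytes += len(pair.encode("utf-8"))
    total = len(cookie_header.encode("utf-8"))
    return {
        "iap_count": iap_count,
        "iap_bytes": iap_bytes,
        "cookie_bytes": total,
        "accumulating": iap_count > MAX_IAP_COOKIES,
        "near_limit": total >= HEADER_LIMIT * WARN_RATIO,
    }


class IapCookieAudit:
    """WSGI middleware: log when a request carries a pile of IAP cookies."""

    def __init__(self, app, log):
        self.app, self.log = app, log

    def __call__(self, environ, start_response):
        report = audit_cookie_header(environ.get("HTTP_COOKIE", ""))
        if report["accumulating"] or report["near_limit"]:
            self.log("IAP cookie build-up: %r" % (report,))
        return self.app(environ, start_response)


def constructed_header(n, value_len=1200):
    """Constructed sample: n IAP cookies with made-up suffixes and filler values."""
    return "; ".join(f"{IAP_PREFIX}_{i:08X}={'x' * value_len}" for i in range(n))


if __name__ == "__main__":
    print(audit_cookie_header(constructed_header(11)))
```

In a Flask app the middleware can be attached with `app.wsgi_app = IapCookieAudit(app.wsgi_app, app.logger.warning)`.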