Reputation: 23
I have a custom authorization. It uses a stored procedure to check if the user has access.
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, OptekRequirement requirement)
    {
        // Name of the signed-in user; null when the request is not authenticated.
        var userName = context.User.Identity?.Name;
        if (userName != null)
        {
            // FromSqlInterpolated passes userName and Rule as SQL parameters
            // rather than splicing them into the command text.
            var permissions = _dbContext.OptekAuthorizedto
                .FromSqlInterpolated($"EXECUTE VerifyAuthorizationRule {userName}, {requirement.Rule}")
                .ToList();
            var permission = permissions.FirstOrDefault();
            if (permission != null)
            {
                // The stored procedure returned a row: the user holds this rule.
                context.Succeed(requirement);
            }
            else
            {
                _logger.LogInformation("Not Authorized");
            }
        }
        return Task.CompletedTask;
    }
I have permission in my database like this
    public static class Invoice
    {
        public const string View = "Permissions.Invoice.View";
        public const string Create = "Permissions.Invoice.Create";
        public const string Edit = "Permissions.Invoice.Edit";
        public const string Delete = "Permissions.Invoice.Delete";
    }
I assign the role to the user and then I assign the role with permissions. For example:
user1 is the admin and the admin has the access to Invoice page.
And I have permissions for all my pages (560 pages).
If I keep adding permissions to my role, at some point I will not be able to log in, and I will get a 503 error. Then if I remove some of the permissions, my program begins to run again.
My theory is .NET writes all permission to the cookie and then it becomes too much.
How can I solve this issue?
From the HttpRequest
I can see this
Set cookie: .AspNetCore.Identity.ApplicationC1=[cookie value omitted]; expires=Thu, 04 May 2023 16:59:48 GMT; path=/; secure; samesite=lax; httponly
I tried assigning fewer permissions to the role and my program starts to work again, but I don't know how to solve this issue.
Upvotes: 1
Views: 218
Reputation: 23
The issue happens because the Entity Framework Core default log-in method loads all the userRole-Permissions into the cache. In my project, I don't read the cache to get permissions; I do a database query instead. So to solve this, I created a separate table to store the Role-Permissions, so the default log-in method will not read my permissions and cache them.
Upvotes: 1
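To check the cookie-size theory from the question, the following added example (not code from either post) serializes an authentication ticket carrying one claim per permission and reports how large the payload becomes. The claim type "Permission", the user name and the `Permissions.Page{n}.{action}` names are constructed assumptions; the real cookie is larger still, because the ticket is also encrypted by data protection before it is encoded.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;

// Constructed input: 4 permissions per page, named after the scheme in the question.
// "Permission" as the claim type is an assumption for illustration.
static int SerializedTicketBytes(int pages)
{
    string[] actions = { "View", "Create", "Edit", "Delete" };
    var claims = Enumerable.Range(1, pages)
        .SelectMany(p => actions.Select(a =>
            new Claim("Permission", $"Permissions.Page{p}.{a}")))
        .Prepend(new Claim(ClaimTypes.Name, "user1"));

    var identity = new ClaimsIdentity(claims, "Identity.Application");
    var ticket = new AuthenticationTicket(
        new ClaimsPrincipal(identity), "Identity.Application");

    // Same serializer the cookie handler uses before protecting the ticket.
    return TicketSerializer.Default.Serialize(ticket).Length;
}

// Default chunk size of ChunkingCookieManager; each chunk becomes one
// cookie (...C1, ...C2, ...) sent back on every request.
const int ChunkSize = 4050;

foreach (var pages in new[] { 1, 50, 200, 560 })
{
    int raw = SerializedTicketBytes(pages);
    // Base64url encoding grows the payload by 4/3. Encryption overhead and
    // the cookie name/attributes are ignored, so this is a lower bound.
    int encoded = (raw + 2) / 3 * 4;
    int chunks = (encoded + ChunkSize - 1) / ChunkSize;
    Console.WriteLine(
        $"{pages,4} pages: {raw,7} bytes serialized, " +
        $">= {encoded,7} bytes encoded, >= {chunks} cookie chunk(s)");
}
```

Because every chunk travels in the request headers, the total grows with each permission claim; keeping permissions out of the principal and resolving them per request, as the handler in the question does, keeps the ticket at a fixed size.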