After successful login with access control, 400 error: Request Header Or Cookie Too Large

I’ve set up access control for a subdomain of the form sub.mysite.com using a one-time pin sent to my email.

This seems to work correctly. When I go to sub.mysite.com I’m presented with the Cloudflare access control page which asks for my email, and then sends the pin to my email. When I enter the pin I am granted access.

However, at this point I get an error:

400 Bad Request
Request Header Or Cookie Too Large
nginx/1.14.0 (Ubuntu)

I can see there is now one cookie for the site which looks like this:

If I delete the cookie and refresh the page it gets recreated and I still get the 400 error.

If I go into Cloudflare for Teams dashboard → My Team → User → revoke access (and also make sure the cookie is deleted), then reload sub.mysite.com I see the login screen again, get sent a new pin, enter it, then I’m back to the 400 error and the process starts again.

That error means that your origin is rejecting the size of the Access login cookie. You should be able to increase the limit to allow for this to complete. Looks like w/ NGINX that would be client_header_buffer_size or client_max_body_size on your webserver configuration.

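Added example, not part of the thread above: nginx documents that a single request header field must fit in one `large_client_header_buffers` buffer (default `4 8k`) or the request is answered with 400. This Python script reads that directive and `client_header_buffer_size` from config text and checks a Cookie line against them; the config snippets and the 3000-byte `CF_Authorization` value are constructed, and the byte count (name, value, CRLF) is an approximation of what nginx buffers.

```python
import re

# Documented nginx defaults: client_header_buffer_size 1k; large_client_header_buffers 4 8k.
DEFAULTS = {"client_header_buffer_size": 1024, "large_client_header_buffers": (4, 8192)}
UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}


def parse_size(text):
    """Convert an nginx size such as '512', '8k' or '1m' to bytes."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", text.strip())
    if not m:
        raise ValueError(f"not an nginx size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2).lower()]


def header_limits(conf_text):
    """Read the two header-buffer directives from config text, falling back to defaults."""
    limits = dict(DEFAULTS)
    conf_text = re.sub(r"#.*", "", conf_text)  # drop comments
    m = re.search(r"\bclient_header_buffer_size\s+(\S+?)\s*;", conf_text)
    if m:
        limits["client_header_buffer_size"] = parse_size(m.group(1))
    m = re.search(r"\blarge_client_header_buffers\s+(\d+)\s+(\S+?)\s*;", conf_text)
    if m:
        limits["large_client_header_buffers"] = (int(m.group(1)), parse_size(m.group(2)))
    return limits


def check_header(name, value, conf_text):
    """Return (line_bytes, verdict) for one header field against the config."""
    line_bytes = len(f"{name}: {value}\r\n".encode())
    limits = header_limits(conf_text)
    _, large = limits["large_client_header_buffers"]
    if line_bytes <= limits["client_header_buffer_size"]:
        return line_bytes, "fits client_header_buffer_size"
    if line_bytes <= large:
        return line_bytes, "fits one large buffer"
    return line_bytes, "400: field larger than one large buffer"


# Constructed inputs: a small-buffer config, a raised one, and a 3000-byte cookie value.
SMALL = "http { large_client_header_buffers 4 2k; }"
RAISED = "http { large_client_header_buffers 4 16k; }  # example value"
COOKIE = "CF_Authorization=" + "A" * 3000

if __name__ == "__main__":
    for label, conf in (("small", SMALL), ("raised", RAISED)):
        print(label, check_header("Cookie", COOKIE, conf))
```

To apply it to a real origin, pass the output of `nginx -T` as `conf_text` and the Cookie value copied from the browser's request headers.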