search cancel

MAXURL size allowed for a URL in Web Agent Apache and IIS

book

Article ID: 198326

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER

Issue/Introduction

 

When running a Web Agent protecting one application, and redirecting requests to another Web Agent, then the request fails to say that the URL is too long. Is there are security concerns to raising the IIS MaxURL to 8k?

 

Environment

 

Web Agent 12.52SP1CR10;

 

Resolution

 

There are any known security concerns from our documentation, and Microsoft documentation either. It seems there's no limit to the value according to Microsoft (1).

More, some experiences have been reported where IIS maxQueryString configuration might help to handle long URLs (2)(3).

The feature maxURL is something from IIS functionality (4).

There's no known limit at the Web Agent level.

There's no feature known as MaxURL for Apache. 

Be aware that there are some limitations on Apache and also on the browsers too (5)(6).

 

Additional Information

 

(1)

    Request Limits <requestLimits>
    

(2)

    404 error with login.fcc with SP Initiated SAML 2.0
    

(3)

    iOS Gmail app shows blank page on login.fcc
    

(4)

    Request Limits <requestLimits>

      maxUrl Optional uint attribute.

      Specifies maximum length of the URL, in bytes.

      The default value is 4096.

    

(5)

    What is apache's maximum url length?

      The default limit for the length of the request line is 8190 bytes
      (see LimitRequestLine directive). And if we subtract three bytes for
      the request method (i.e. GET), eight bytes for the version
      information (i.e. HTTP/1.0/HTTP/1.1) and two bytes for the
      separating space, we end up with 8177 bytes for the URI path plus
      query.

      [...]

      Did you have to recompile to use such large values? My version
      (2.2.15) silently ignores LimitRequestLine directives over 8190
      unless recompiled with the added CFLAG "-D
      DEFAULT_LIMIT_REQUEST_LINE=16384" (then it allows up to 16384)

    

(6)

    What is the maximum length of a URL in different browsers?

      Extremely long URLs are usually a mistake. URLs over 2,000
      characters will not work in the most popular web browsers. Don't use
      them if you intend your site to work for the majority of Internet
      users.

      [...]

      As of Jan 2020, the advice still stands. Even though IE11 may
      possibly accept longer URLs, the ubiquity of older IE installations
      plus the search engine limitations mean staying under 2000 chars is
      the best general policy.