MAXURL size

book

Article ID: 198326

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER

Issue/Introduction

 

We're running a Web Agent and when one application redirects request
to another Web Agent, then the request fails saying that the URL is
too long. We'd like to know if there are security concerns to raises
the IIS MaxURL to 8k ?

 

Environment

 

Web Agent 12.52SP1CR10;

 

Resolution

 

At first glance, we don't have any known security concerns from our
documentation, and from Microsoft documentation neither. It seems
there's no limit to the value according to Microsoft :

  Request Limits <requestLimits>
  https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/requestlimits/

More, we reported some experience where IIS maxQueryString
configuration might help to handle long URL :

  404 error with login.fcc with SP Initiated SAML 2.0
  https://knowledge.broadcom.com/external/article?articleId=101617
  iOS Gmail app shows blank page on login.fcc
  https://knowledge.broadcom.com/external/article?articleId=72458

The feature maxURL is something from IIS fonctionality :

  Request Limits <requestLimits>

    maxUrl Optional uint attribute.

    Specifies maximum length of the URL, in bytes.

    The default value is 4096.

  https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/requestlimits/

There's no known limit at the Web Agent level.

There's no feature known as MaxURL for Apache. 

Be aware that there are some limitation on Apache and also on the
browsers too :

  What is apache's maximum url length?

    The default limit for the length of the request line is 8190 bytes
    (see LimitRequestLine directive). And if we subtract three bytes for
    the request method (i.e. GET), eight bytes for the version
    information (i.e. HTTP/1.0/HTTP/1.1) and two bytes for the
    separating space, we end up with 8177 bytes for the URI path plus
    query.

    [...]

    Did you have to recompile to use such large values? My version
    (2.2.15) silently ignores LimitRequestLine directives over 8190
    unless recompiled with the added CFLAG "-D
    DEFAULT_LIMIT_REQUEST_LINE=16384" (then it allows up to 16384)

  https://stackoverflow.com/questions/1289585/what-is-apaches-maximum-url-length

and

  What is the maximum length of a URL in different browsers?

    Extremely long URLs are usually a mistake. URLs over 2,000
    characters will not work in the most popular web browsers. Don't use
    them if you intend your site to work for the majority of Internet
    users.

    [...]

    As of Jan 2020, the advice still stands. Even though IE11 may
    possibly accept longer URLs, the ubiquity of older IE installations
    plus the search engine limitations mean staying under 2000 chars is
    the best general policy.

  https://stackoverflow.com/questions/417142/what-is-the-maximum-length-of-a-url-in-different-browsers