Users have sporadically reported HTTP Status 400 Bad Request errors for several months. Most users found that clearing cookies and cache resolved the error, but others reported that this resolves the issue only temporarily.
If a user follows a direct link to an item in CA Service Desk Manager (SDM), such as a link to a request from a notification or a link to a knowledge document, and they have a cookie from a third-party site that contains an ampersand, SDM includes all of the cookies in the URL when it processes the link. During our investigation, we found that the problem appears to occur when $prop.initial_load_last_use is called: it does not properly handle cookies in the request, and when a cookie contains a non-URL-encoded ampersand, all cookies and values after that ampersand are dumped into the $prop.initial_load_last_use value. This can cause security issues, because session cookies are passed in clear text in the URL.
This is further complicated because some characters that are allowed in cookies are not allowed in URLs (where $prop.initial_load_last_use is used). Tomcat aborts such a request because it contains a character that the RFC specification does not permit. This is what has been causing the reported HTTP Status 400 Bad Request errors.
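To triage an affected browser, the following added example (not SDM or vendor code) inspects a captured Cookie request header for the two conditions described above: a raw ampersand in a cookie value, and characters that are not valid in a URL query. It assumes the RFC 3986 query character set approximates what Tomcat enforces and that "after that ampersand" means cookies later in the header; the sample header and cookie names are constructed.

```python
import re

# Anything outside the characters RFC 3986 permits unencoded in a query
# component (unreserved, sub-delims, ":", "@", "/", "?") or "%" for escapes.
# Assumption: this approximates the set Tomcat accepts in a request URL.
URL_ILLEGAL = re.compile(r"[^A-Za-z0-9\-._~!$&'()*+,;=:@/?%]")

# Constructed sample: a third-party cookie with a raw "&", a cookie holding
# URL-illegal characters, and a placeholder session cookie.
SAMPLE_HEADER = "_ad=src=mail&cmp=7; prefs={v|1}; SESSION_PLACEHOLDER=constructed-session-value"


def parse_cookie_header(header):
    """Split a Cookie request header into ordered (name, value) pairs."""
    pairs = []
    for item in header.split(";"):
        name, sep, value = item.strip().partition("=")
        if sep:
            pairs.append((name, value))
    return pairs


def triage(header):
    """Report which cookies match the conditions described in the article."""
    pairs = parse_cookie_header(header)
    report = {"raw_ampersand": [], "url_illegal": {}, "at_risk": []}
    first_amp = None
    for index, (name, value) in enumerate(pairs):
        if "&" in value:
            report["raw_ampersand"].append(name)
            if first_amp is None:
                first_amp = index
        bad = sorted(set(URL_ILLEGAL.findall(value)))
        if bad:
            report["url_illegal"][name] = bad
    # Cookies sent after the first raw "&" are the ones that, per the
    # article, can be dumped into the URL value (assumed interpretation).
    if first_amp is not None:
        report["at_risk"] = [name for name, _ in pairs[first_amp + 1:]]
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_HEADER))
```

A session cookie listed under `at_risk` indicates possible exposure in URLs and logs, and any entry under `url_illegal` is a candidate cause of the 400 response.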
Release : 17.2 and 17.3
Component : SDM - Classic UI
Issue is addressed in 17.3 RU11 and 17.2 RU18
See defect DE62904