W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2014

Re: Header Size? Was: Our Schedule

From: Willy Tarreau <w@1wt.eu>
Date: Thu, 29 May 2014 07:25:44 +0200
To: Amos Jeffries <squid3@treenet.co.nz>
Cc: ietf-http-wg@w3.org
Message-ID: <20140529052544.GG25451@1wt.eu>
On Thu, May 29, 2014 at 04:52:51PM +1200, Amos Jeffries wrote:
> Personally I am in favour of 64K limit on headers. However, the
> Cookie/Set-Cookie size problem is a hard nut to crack.
> Also might I remind that Squid already has a few complaints about our
> 32KB default limit and people patching the code to handle >64KB
> individual header length for auth tokens in NTLM/Negotiate logins when
> (long) lists of groups and SID are encoded inside them.

FWIW, haproxy ships with a 8kB default limit, and in our appliances
it's even 7kB. We had maybe only twice to explain to people how to
raise the limit, and each time it was because of an application bug
causing cookies to be duplicated for each request, resulting in
requests of several 10s of kB after hundreds of requests. I personally
don't expect such an application bug to drive the protocol limits :-)

Just like Greg, I think that 8kB is already a high reasonable limit
and that if we push it to 16kB we cover a most usages. It's possible
that Richard's stats include bogus applications and/or attacks BTW.

Received on Thursday, 29 May 2014 05:27:38 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:31 UTC