Too many cookies OpenIdConnect.nonce cause error page “Bad Request - Request Too Long”

Question

I\'m using OWIN / OAuth with OpenId Connect authentication (Microsoft.Owin.Security.OpenIdConnect) in a C# ASP MVC web app. The SSO login with Microsoft account

Answer 1

For me the solution was to enforce the creation of an ASP.NET session.

Steps to reproduce:

• Delete ASP.NET_SessionId cookie and idsrv cookie on a protected page of your webapp
• Reload page
• Redirect to OIDC authentication store and authenticate
• Redirect back to webapp => validation of the authentication fails, because no asp.net session is available
• Endless redirects until 'Request too long...' error happens

Solution: Enforce session creation by adding

protected void Session_Start(object sender, EventArgs e)
{
}

to global.asax.cs.