From 0afe7d00ddec86b30a58c42f575ad170ab01d95d Mon Sep 17 00:00:00 2001
From: Moncef Belyamani
Date: Fri, 3 Aug 2018 11:19:32 -0400
Subject: [PATCH] Remove unused code that inflated our session size

**Why**: This is the root cause for the KMS errors we experienced in production yesterday. We were storing the OIDC request params in the session for no reason. The more parameters an agency included in their initial OIDC request, the bigger the session size.

In the case of USAJOBS, storing this data in the session increased the length of the string that was sent to KMS after 2FA from 2948 to 4128. There were exactly 2 SAML requests during the outage, so they played an insignificant role. This most likely affected every single USAJOBS session, which accounted for 74% of requests during that time. I don't believe TTP was affected. The rest of the requests (4% of total requests) came from 3 other SPs that I haven't looked into yet.

Note that this only solves the problem for LOA1 OIDC requests (as they are currently made). SAML requests remain much larger than 4096 bytes. In general, this KMS limit problem can be solved by one or more of these solutions, which we have considered in the past:

- Storing the SP requests in the DB instead of the session
- Only encrypting the info that needs to be encrypted, as opposed to the entire session

---
 app/controllers/openid_connect/authorization_controller.rb | 2 --
 1 file changed, 2 deletions(-)

diff --git a/app/controllers/openid_connect/authorization_controller.rb b/app/controllers/openid_connect/authorization_controller.rb
index 3d499416659..c0be8f8155c 100644
--- a/app/controllers/openid_connect/authorization_controller.rb
+++ b/app/controllers/openid_connect/authorization_controller.rb
@@ -62,8 +62,6 @@ def identity_needs_verification? end def build_authorize_form_from_params - user_session[:openid_auth_request] = authorization_params if user_session - @authorize_form = OpenidConnectAuthorizeForm.new(authorization_params) @authorize_decorator = OpenidConnectAuthorizeDecorator.new(
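Review bot: the deleted line `user_session[:openid_auth_request] = authorization_params if user_session` was the writer of that session key, but the patch touches only `authorization_controller.rb` (`1 file changed, 2 deletions(-)`), so please confirm with a grep that nothing else reads `user_session[:openid_auth_request]` (for example a post-2FA step that rebuilds the authorize form from the session, or a spec that stubs or asserts on it); any remaining reader would now get `nil` instead of a params hash and could fail quietly. Since `@authorize_form = OpenidConnectAuthorizeForm.new(authorization_params)` still runs on the same request, the only behavioural change is to session contents, which is worth pinning with a spec that asserts the key is absent (or caps the serialized session size) so the growth described in the commit message is not reintroduced. The message also says SAML requests still exceed 4096 bytes; a follow-up issue reference for the DB-backed or partial-encryption options would make the partial nature of this fix visible in the history.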