Tomas Fojta wrote previously about issues with Cloud Director errors having to do with excessively large cookies. This is a common problem for cloud providers where there may be multiple web applications, some of which fail to properly limit their cookie scope. At the moment I am writing this, my browser is sending about 6.7kB of cookie data when visiting cloud.ibm.com. This is close to the limit supported by Cloud Director, and sometimes it goes over that limit.
Tomas suggested an approach using the NSX load balancer haproxy configuration to filter cookies. Unfortunately, Tomas’s approach does not cover all possible cases. For example, it does not cover the case where only one of these two cookies is present, and it does not cover the case where there are additional cookies in the header after these two cookies. Furthermore, there are additional cookies used by Cloud Director; at a minimum this includes the following:
- JSESSIONID
- rstd
- vcloud_session_id
- vcloud_jwt
- sso-preferred
- sso_redirect_org
- *.redirectTo
- *.state
If you have a known limited list of cookies (or cookie name patterns) like this that you want to pass to your application, it is relatively easy to program a positive cookie filter with an advanced load balancer such as VMware Avi Load Balancer. But if you are using the NSX embedded load balancer and are limited to the haproxy approach of using reqirep with regular expressions, it is an intractable problem. Therefore, instead of using reqirep to selectively include the cookies that Director needs, I recommend the approach of using reqirep to selectively and iteratively delete cookies that you know are likely to be large and to overflow Director’s supported limit. It may take some iterative experimentation over a period of time for you to identify all of the offending cookies.
For example, we can use the following four rules to remove two of the larger cookies for cloud.ibm.com, neither of which is needed by Director. For each cookie I am removing, I have written a pair of rules: the first rule removes the cookie if it appears anywhere other than the end of the cookie list, and the second removes it if it is at the end of the list:
```
reqirep ^(Cookie:.*)com\.ibm\.cloud\.iam\.iamcookie\.prod=[^;]*;(.*)$ \1\ \2
reqirep ^(Cookie:.*)com\.ibm\.cloud\.iam\.iamcookie\.prod=[^;]*$ \1
reqirep ^(Cookie:.*)com\.ibm\.cloud\.iam\.Identity\.prod=[^;]*;(.*)$ \1\ \2
reqirep ^(Cookie:.*)com\.ibm\.cloud\.iam\.Identity\.prod=[^;]*$ \1
```
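One way to check rules like these before putting them on the load balancer, as an added example that is not part of the original post: this Python harness replays the four rules with `re.sub` over constructed Cookie headers and reports which cookies survive. It assumes Python's regex engine behaves like haproxy's for these patterns; the helper names and sample cookie values are made up for the test.

```python
import re

# The four reqirep rules from the post, as (pattern, replacement) pairs.
# haproxy's "\ " in a replacement is an escaped space, and reqirep matches
# case-insensitively. The patterns are anchored with ^...$, so each rule
# rewrites a header line at most once.
RULES = [
    (r"^(Cookie:.*)com\.ibm\.cloud\.iam\.iamcookie\.prod=[^;]*;(.*)$", r"\1 \2"),
    (r"^(Cookie:.*)com\.ibm\.cloud\.iam\.iamcookie\.prod=[^;]*$", r"\1"),
    (r"^(Cookie:.*)com\.ibm\.cloud\.iam\.Identity\.prod=[^;]*;(.*)$", r"\1 \2"),
    (r"^(Cookie:.*)com\.ibm\.cloud\.iam\.Identity\.prod=[^;]*$", r"\1"),
]

def apply_rules(header_line):
    """Apply the rules in order to one request header line."""
    for pattern, repl in RULES:
        header_line = re.sub(pattern, repl, header_line, count=1,
                             flags=re.IGNORECASE)
    return header_line

def cookie_names(header_line):
    """Return the names of the cookies left in a Cookie header line."""
    _, _, value = header_line.partition(":")
    return [p.split("=", 1)[0].strip() for p in value.split(";") if p.strip()]

# Constructed sample headers; BIG stands in for a multi-kilobyte cookie value.
BIG = "x" * 3000
SAMPLES = {
    "both, in the middle": (
        f"Cookie: JSESSIONID=abc; com.ibm.cloud.iam.iamcookie.prod={BIG}; "
        f"com.ibm.cloud.iam.Identity.prod={BIG}; vcloud_jwt=eyJ"
    ),
    "one, at the end": (
        f"Cookie: vcloud_session_id=123; com.ibm.cloud.iam.Identity.prod={BIG}"
    ),
    "neither present": "Cookie: JSESSIONID=abc; rstd=1",
}

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        out = apply_rules(line)
        print(f"{label}: {len(line)} -> {len(out)} bytes, "
              f"kept {cookie_names(out)}")
```

The rewritten header keeps some extra spaces and, in the end-of-list case, a trailing `; `, which the name check above tolerates. Adding a sample for each new cookie you decide to strip keeps the iterative process from accidentally removing one of Director's own cookies.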