request on iis with more than 999 characters single value in cookie are getting blocked and no specific rule to fix

[HumanUndead]

using owasp mod security on iis version 2.9.7, after june update the following bug started to happen

requests with a single cookie variable value of longer than 999 characters are being blocked with err connection reset or http protocol 2 error, no specific reason for the error is being logged.

note that its per variable length not on the total length of the cookie, so requests with two cookie variables each for example is 800 characters will pass.

no logs in the event viewer, and no clear rule id to find out what is happening.

disabling modsecurity the requests passes without a problem.

[airween]

Hi @HumanUndead,

sorry to hear you faced with this issue.

Could you clarify what version you had before "June update"? In June, we released 2.9.10, before that the stable release was 2.9.9, but unfortunately we had a separated issue: the version string in IIS module wasn't updated, so 2.9.7, 2.9.8 and 2.9.9 was visible as "2.9.7".

With this info, I can check what related modifications were after your used version.