20131013

Healthcare.gov chokes on its own cookies

After signing up for an account on Healthcare.gov, I was unable to login. Each time I tried to login, I got a blank page. After many unsuccessful attempts over a span of many hours, I then tried a different browser, and successfully logged into the system. Then after some use with a browser, login attempts resulted in a blank page.

Searching Twitter revealed that many others were tweeting about having the same problem. The response they got from Healthcare.gov was the same as I had received when I contacted support: that glitches were occurring due to a large number of users on the site, and that I should be patient and try again later -- preferably in early morning hours when there was less site traffic.

Not being so patient, I compared the network traffic of the browsers that could successfully login to those that failed. Those that failed returned an HTTP 400 (Bad Request) error for the userprofile request; while those that succeeded returned an HTTP 302 (Moved Temporarily) status.




HTTP 400 means that either the URL or the request header sent by the browser to the server is malformed. Request headers contain information about the browser's capabilities and cookies. Cookies are small pieces of data placed in your browser by a server in order to identify you and your activity on a web site.

The userprofile URLs for both the working and the failing logins were identical. However, the cookies were significantly different. The total size of the cookies was much larger on the browsers with the failing logins -- specifically a couple cookies that contain information about activity on the LEARN side of Healthcare.gov.

For example, one of my browsers that failed to login was sending requests that were over 4600 bytes:

GET /marketplace/auth/userprofile HTTP/1.1
Host: www.healthcare.gov
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36
Referer: https://eidm.cms.gov/successffmeng.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie:
JSESSIONID=[47-byte value];
optimizelyEndUserId=[35-byte value];
querystring=[31-byte value];
qa-complete=[152-byte value];
quickAnswers=[315-byte value];
optimizelyCustomEvents=[113-byte value];
history=[1048-byte value];
language=[30-byte value];
optimizelySegments=[175-byte value];
optimizelyBuckets=[6-byte value];
akaau=[46-byte value];
_ga=[27-byte value];
__utma=[56-byte value];
__utmb=[25-byte value];
__utmc=[9-byte value];
__utmz=[106-byte value];
__utmv=[144-byte value];
_chartbeat2=[53-byte value];
_chartbeat_uuniq=[1-byte value];
PRUM_EPISODES=[478-byte value];
AKSB=[478-byte value];
ObSSOCookie=[540-byte value]

(In the above example, I replaced the actual cookie values with their size.)


From the information in the response headers from the server, I learned that the userprofile request is handled by an Apache Coyote server. A quick web search revealed that Coyote's default maximum HTTP header size is 4096 bytes.

So, I edited my cookies down until the full header of the userprofile request was under 4096 bytes, and my browser that had been failing to login successfully logged me into Healthcare.gov.

The cookies created by the LEARN side of the Healthcare.gov site (combined with all the tracking cookies), caused the total request header to become too large for the GET INSURANCE side's user profile page to handle. The site is choking on the cookies it generates.

So, this login problem appears to have nothing to do with the number of users on the site. The problem is due to the amount of activity done on the site by an individual user. Those who did not do enough to make the LEARN side of the site's cookies large enough to exceed the 4096 byte limit could successfully login. Those who did a lot of browsing of the site could not login. Clearing cookies will temporarily fix the problem.

If you are having trouble logging into Healthcare.gov, try clearing your browser's cookies.

All those phone and web chat support people telling people to be patient and try again are not addressing the problem. They are only giving users more reason to become frustrated with something that is not related to system load.

Perhaps there are other reasons that others aren't able to login. For me, it appears to have been the size of the cookies.





UPDATE 11/04: I am once again encountering this problem. Deleting the history cookie that gets generated while browsing the LEARN side of the site temporarily fixes the problem.

10 comments:

  1. And after viewing only a few more info pages in the LEARN part of the site, I was once again unable to login. Deleted some cookies to put the total header size under 4k, and I can login once again.

    ReplyDelete
  2. Ben,

    When are you going to submit your bill for Testing Services?

    Jim Hazen

    ReplyDelete
  3. Ben,

    These are impressive bugs you're reporting. Thanks for sharing not only the bugs themselves but also your background investigations into what caused them.

    Justin

    ReplyDelete
  4. You are right on with this but clearing cookies doesn't work if the site is on the users favorite list (as it was mine).IE preserves data and cookies for favorite sites. Easiest thing to do is delete the favorite, then delete cookies and make favorite again if desired.

    ReplyDelete
  5. Hey Thank you for this! My profile came up blank until I cleared the cookies for the healthcare.gov site. It worked on deadline night March 31st, 2014 which means that the same thing is still happening! Please try to get this information to the website managers. People are waiting in line unnecessarily. In addition, the "wait here" page tells you to do things on the LEARN side while you wait, which makes the problem even worse!

    ReplyDelete
  6. I'm still having all these problems. I am in the middle of a new revised application and cannot get back into the site no matter what I try to do so I can complete my application.

    ReplyDelete
  7. Ran into this problem today. Amazing how this remains an issue after a full year...

    ReplyDelete
  8. Excellent analysis and workaround.... Many thanks!

    ReplyDelete
  9. I created an account by entering my email address and making a new password. I got sent an email verification link, and then I get this error:

    ------------------------------------------------------------------

    Oops. The Marketplace couldn't verify your email address.

    Please wait and click on the link in the email we sent you to verify your email. (If you're copying and pasting the link, make sure you copy the entire link).

    If you're still having trouble verifying your email address, call the Marketplace Call Center at 1-800-318-2596. TTY users should call 1-855-889-4325.

    If you've already verified your email address, you can log in here.

    ----------------------------------------------------

    When I try to login, they said my email hasn't been verified. When I click the verify email link, that same error keeps appearing. There is no way to re-send the verification link either. I called their 1-800 number, and the person on the phone said they can't do anything to activate my online account and that I would have to MAIL everything in. Insane to think how much money is invested into this site and they can't even bug-test the account creation process.

    ReplyDelete

  10. Hi there to every one, the contents existing at this web page are genuinely remarkable for people experience, well, keep up the nice work fellows. gmail email login

    ReplyDelete