How to prevent “HTTP Error 431: Too many cookies” on wisc.edu sites

This document outlines how to resolve and prevent browser errors that you may encounter on a subdomain of wisc.edu related to third-party cookies. It also provides a summary of the cause of the issue and remediation efforts taken to date.

What the error looks like

You may see any of the following errors in your browser while attempting to visit a website on a subdomain of wisc.edu: 

Bad Request

Error 431 - Too many cookies

403 Error

These errors occur on all sorts of *.wisc.edu sites, and on a per-visitor basis, but not because a website is actually down.

How to prevent the issue as a website visitor

Clear your browser cookies

If you encounter one of the errors above while visiting a website on a subdomain of wisc.edu, you will need to clear your cookies in order to correctly view the site on your browser. To clear your cache and cookies:

  1. Clear your “All Time” browser cookies (Note that some browsers will default to only clearing cookies for the past hour. You may have to manually update that to say “all time” or “all” cookies.)

  2. Close your browser window, and 

  3. Restart your browser. 

If clearing your browser cookies and cache does not resolve the issue, the error is likely unrelated to browser cookies.

Consider an ad blocker

While it is the responsibility of website owners to implement cookies correctly, you may consider installing an ad blocker for your browser to block cookies from being set when you visit websites.

How to prevent the issue as a website owner

Website owners are responsible for correctly implementing third-party services in a way that scopes cookies to the subdomain of their site (*.wisc.edu), rather than to the wisc.edu top-level domain. Specific steps to follow include:

Scope cookies to your subdomain

If you’re using a third-party service tracking pixel that sets cookies, check the documentation for that service to find out how to scope the cookies to your specific subdomain. 

Discontinue use of tools that don’t allow you to set the cookie to your site domain

If a third-party service does not offer a mechanism to scope the cookies to the proper subdomain, the service should not be used on your website. 

Note: One such example is Hotjar. Hotjar is one of the biggest culprits for this issue as it sets the cookie at the wisc.edu top-level domain and doesn’t offer an option to change it. Hotjar cookies are also quite large, which is contributing to users hitting the cookie limit more quickly. Hotjar should not be installed on any website within the wisc.edu domain. Read more about how cookie tracking is applied with Hotjar.

Set a shorter expiration date for your tracking cookies

The GDPR and ePrivacy Directive recommends a lifespan of one year or less for tracking cookies. 

Specify only one subdomain for tracking cookies

Having multiple subdomains for tracking cookies can compound the issue.

Upgrade your UW Theme version

We also generally recommend that you upgrade to the latest version of the UW Theme if you are using it. WiscWeb sites are always on the latest version. 

What is causing this error?

Browser cookies are small pieces of data sent to and from your browser when you visit a website. They help identify you, store preferences, and personalize your online experience. Many subdomain websites under wisc.edu use third-party services (like Google Analytics, Meta Pixel, LinkedIn Pixel, DoubleClick, Hotjar, etc.) that set tracking cookies. 

The error described in this document is happening because many of the cookies being set at sites that fall under wisc.edu are scoped to wisc.edu, rather than to the specific subdomain. That cookie is then passed in the site headers when someone who visits that site visits any other wisc.edu site. When someone who has been unwittingly picking up cookies visits another *.wisc.edu site, if the header size limit is exceeded, the request will error out and that person cannot reach the site. 

This has been an ongoing issue since early 2023 (possibly even fall of 2022). We think this could have been impacted by the change from Universal Analytics to Google Analytics 4, but are not certain.

Here’s what we know:

  • Web tracking tools like Google Analytics, Meta Pixel, and Hotjar set cookies when you navigate to various campus websites.

  • A lot of these tracking cookies are automatically set to the .wisc.edu top-level domain. Therefore, when users visit any subdomain of wisc.edu, these cookies keep adding up.

  • Tracking tools often set the cookie for 1-2 years, so the timeline for a user to accumulate a ton of cookies is VERY long. Over time, the size of the cookies become too big for the server to handle, causing a broken page or an error screen.

  • Most servers have a request limit of 8,000 bytes. If a request comes in with more than the allowed size, the server rejects the request. Cookies contribute to this limit.

What have central campus services done to help?

Since the cookie error was first identified in early 2023, DoIT Web Platforms/Services (WPS) and the Office of Strategic Communication have been taking steps to help remediate the issue. Here’s an overview of the changes that have been made:

  1. The UW Theme was updated so that Google Analytics cookies do not get set to the top level .wisc.edu domain. Instead, it uses the domain of the site with the Google Analytics tracking installed on it.

    1. Note: This fix does not apply to services added via Google Tag Manager. These must be set in the Google Tag Manager dashboard by the owner of the GTM account.

  2. WiscWeb and MyUW were updated to display a more helpful error, to help users understand what they need to do.Error 431
  3. The Office of Strategic Communication increased server limits related to header size for their own sites and services that they manage. MyUW has increased limits above defaults for the size of cookies in requests.
  4. On August 8, 2024, the Office of Strategic Communication implemented a script on www.wisc.edu that deletes all Hotjar cookies from the visitors’ browsers, as well as any Google Analytics cookies that are not properly scoped to their subdomain (see “How to prevent the issue as a website owner” for more information on scoping cookies to their subdomain).

Additional Help

For assistance with clearing your cache and cookies, please Get Help from DoIT.

For other assistance, please contact your local IT: IT Help Desks at UW-Madison.

For more information about cookie tracking at UW-Madison, please visit the campus Cookies and Tracking webpage.



Keywords:
cookie, cache, browser, bad request, too many cookies, error 431, 403, web tracking tools, server limit, request header fields too large 
Doc ID:
137109
Owned by:
Abhishek D. in DoIT Help Desk
Created:
2024-05-03
Updated:
2024-09-05
Sites:
DoIT Help Desk, DoIT Help Desk Level 2 KCS, WiscWeb