We're experiencing the same issue on 4.2 on two Nop sites.
Short message: Error 400. Bad request
Page URL: https://www.[removed].com/login?returnurl=%2F
Referrer URL: https://www.[removed].com/

Screenshot of what it looks like on iPad: https://www.dropbox.com/s/osx60x914303x51/loginerror.png?dl=0

Clearing cookies on device did not help. After refreshing the page, and retrying the login, it goes through successfully.
We're getting completely random 400's on the following (using 4.30):
/login, /cart, /register, /passwordrecovery
Either guest accounts, or accounts with email addresses! The site works perfectly fine by the way, but these 400 bad requests pop up daily in the logs.
We faced a similar problem in a project after migrating from 3.60 to 4.20. We asked the nopCommerce team for help to check further and, as per their suggestion, we enabled std logs in the live environment, where we found the following:
There are two common log entries for bad requests; we found that the 1st log is repeated and the 2nd one appears only once in all the log files.
1) info: Microsoft.AspNetCore.Server.Kestrel[17]
      Connection id "0HM2OKQUF523C" bad request data: "Malformed request: invalid headers."
Microsoft.AspNetCore.Server.Kestrel.Core.BadHttpRequestException: Malformed request: invalid headers.
   at Microsoft.AspNetCore.Server.Kestrel.Core.BadHttpRequestException.Throw(RequestRejectionReason reason)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.Http1Connection.TryParseRequest(ReadResult result, Boolean& endConnection)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequestsAsync[TContext](IHttpApplication`1 application)

2) info: Microsoft.AspNetCore.Server.Kestrel[17]
      Connection id "0HM2OMCONLCIN" bad request data: "Reading the request body timed out due to data arriving too slowly. See MinRequestBodyDataRate."
Microsoft.AspNetCore.Server.Kestrel.Core.BadHttpRequestException: Reading the request body timed out due to data arriving too slowly. See MinRequestBodyDataRate.
   at Microsoft.AspNetCore.Server.Kestrel.Core.BadHttpRequestException.Throw(RequestRejectionReason reason)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.Http1MessageBody.PumpAsync()
   at System.IO.Pipelines.PipeCompletion.ThrowLatchedException()
   at System.IO.Pipelines.Pipe.GetReadResult(ReadResult& result)
   at System.IO.Pipelines.Pipe.TryRead(ReadResult& result)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.Http1MessageBody.OnConsumeAsync()
To solve the 2nd, we added .UseKestrel(options => options.Limits.MinRequestBodyDataRate = null) in the Program.cs file before .UseStartup<Startup>().
For the 1st, we found these two URLs:
1. https://github.com/dotnet/aspnetcore/issues/6799
2. https://github.com/dotnet/aspnetcore/issues/7707
This clearly tells us that this is a .NET Core 2.2x issue, and we had to enable proxy in the site to solve the WindowsAuthentication issue which we have implemented.
Clearing cookies is not helping in any case on IE 10 / 11. But on a different browser, it's working. The problem is that the client cannot move away from IE because this project is being used in more than 70 countries and as per their standard they have to use IE only.
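Setting MinRequestBodyDataRate to null, as in the post above, switches off Kestrel's slow-request-body check for every request, which is the limit that cuts off clients that hold a connection open while trickling data. The following is an added example, not code from this thread or from nopCommerce, of keeping a lower floor instead; the rate values, the /slow-upload path and the minimal Startup are assumptions for illustration.

```csharp
using System;
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Server.Kestrel.Core;
using Microsoft.AspNetCore.Server.Kestrel.Core.Features;

public class Program
{
    public static void Main(string[] args)
    {
        WebHost.CreateDefaultBuilder(args)
            .UseKestrel(options =>
            {
                // Setting from the post (check disabled for all requests):
                //   options.Limits.MinRequestBodyDataRate = null;
                // Alternative: keep a floor, lowered from Kestrel's default of
                // 240 bytes/second after a 5 second grace period (values assumed).
                options.Limits.MinRequestBodyDataRate =
                    new MinDataRate(bytesPerSecond: 100, gracePeriod: TimeSpan.FromSeconds(15));
            })
            .UseStartup<Startup>()
            .Build()
            .Run();
    }
}

public class Startup
{
    public void Configure(IApplicationBuilder app)
    {
        // Relax the limit further only for one endpoint known to receive slow
        // bodies ("/slow-upload" is a hypothetical path).
        app.Use(async (context, next) =>
        {
            if (context.Request.Path.StartsWithSegments("/slow-upload"))
            {
                // The feature is null when the request is not served by Kestrel.
                var feature = context.Features.Get<IHttpMinRequestBodyDataRateFeature>();
                if (feature != null)
                    feature.MinDataRate = new MinDataRate(50, TimeSpan.FromSeconds(30));
            }
            await next();
        });

        app.Run(context => context.Response.WriteAsync("ok"));
    }
}
```

If the "data arriving too slowly" entries persist with a lowered floor, their frequency and source addresses in the logs show whether they come from a few slow clients or from many connections at once.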
I ran across a 400 error yesterday on 4.3 when trying to log in. It turned out that the AdBlocker plugin on the browser was killing the nop Antiforgery cookie and nop would return a 400 in response.