Tuesday, May 20th, 2008

Browser cookie restriction research

Category: Browsers

Nicholas C. Zakas was doing some prep work for his new book when he delved into browser cookie restrictions for the big four browsers:

The most interesting fact I discovered is that Safari places no limit
on the number of cookies that can be set per domain. In fact, you can
set enough cookies on the client to cause a server error as the cookie
header can be too long to parse.

He also found out that:

  • Microsoft indicated that Internet Explorer 8 increased the cookie limit per domain to 50 cookies but I’ve found that IE7 also allows 50 cookies per domain. Granted, this may have been increased with a system patch rather than having the browser’s first version ship like this, but it’s still more than the 20 that was commonly understood to be the limit.
  • Firefox has a per-domain cookie limit of 50 cookies.
  • Opera has a per-domain cookie limit of 30 cookies.
  • Safari/WebKit is the most interesting of all as it appears to have no perceivable limit through Safari 3.1. I tested setting up to 10,000 cookies and all of them were set and sent along in the Cookie header. The problem is that the header size exceeded the limit that the server could process, so an error occurred.

So the prevailing knowledge that browsers limit per-domain cookies to 20 is no longer valid. Another interesting inconsistency is how browsers react when too many cookies are set. With the exception of Safari, which sets all cookies regardless of the number, there are two approaches:

  1. The least recently used (LRU) approach automatically kicks out the oldest cookie when the cookie limit has been reached in order to allow the newest cookie some space. Internet Explorer and Opera use this approach.
  2. Firefox does something strange: it seems to randomly decide which cookies to keep although the last cookie set is always kept. There doesn’t seem to be any scheme it’s following at all. The takeaway? Don’t go above the cookie limit in Firefox.

The total size of cookies also varies from browser to browser. This is another one that is a little hard to comprehend, but here’s what my tests show:

  • Firefox and Safari allow cookies with up to 4097 characters, that’s 4096 for the name and value and one for the equals sign.
  • Opera allows cookies with up to 4096 characters, which is for the name, value, and equals sign.
  • Internet Explorer allows cookies with up to 4095 characters, which is for the name, value, and equals sign.

Posted by Dion Almaer at 8:53 am

This can be tricky stuff when you consider dependencies. I especially don’t like what Firefox appears to be doing. I’d like to know why they aren’t using LRU.

If you can’t manage to store a bunch of grouped data in a cookie and have to split it up into different cookies, you have to make sure that all the data is still extant before launching into code that assumes all the data is there. This can bite you if you aren’t thinking clearly about it every time you use cookies.

It’s as if a random chunk of your variable space can disappear at any time. Setting up unit tests and QA for this stuff is tricky.

If you can keep all your cookie data in one 4000 character chunk, great. If you can’t, it seems to me you really want to be careful not to pass 20 cookies, just in case you run into an old browser. (Anyone know more about when IE switched from 20 to 50?)

Comment by Nosredna — May 20, 2008

He also could’ve checked Wikipedia to read the same thing :)

Comment by ilazarte — May 20, 2008

You can get around the cookie limit by serializing your data, for instance in JSON format. Just be mindful of the character limit. You can write a small class to automate everything, like a cookie manager, that will make sure you don’t go over the limit.

Comment by MaratDenenberg — May 20, 2008

I recently encountered a problem where Firefox would fail to make the page request if there were a large number of cookies and the GET request was beyond a certain length. Clearing the cookies fixed the issue. I will create a demo and post it on my blog later.

Comment by jclawson — May 20, 2008

Interesting research, but I’ve never understood why anyone would set more than 2 cookies for a user, and why you would need 4095 characters is beyond me. I realize Rails has done this insanely stupid thing where it stores session data in cookies, but that’s about as intelligent as using lighttpd and fastcgi. “Let’s send data to the server just to store it back in the client, oh, and while we’re at it we’ll send it with every freaking request.” Thanks, I’ll stick to storing state in memcache or a hash table.

Comment by mojave — May 20, 2008

>>Interesting research but i’ve never understood why anyone would set more than 2 cookies for a user and why you would need 4095 characters is beyond me.

Well, I have a case in a personal financial application where I do a lot of statistics. If I save the results into a cookie, the user bypasses anywhere from 10 seconds to 2 minutes of processing. The resultant data is a few kilobytes. If the cookie is cleared, no problem, but the user has to sit through the processing again.

Comment by Nosredna — May 20, 2008

Ok, more specifically… Even though you can store 4095 characters in a cookie, Apache, by default, only accepts a header with a length of 8190. This includes the cookie names, equals sign, value, and all headers sent in the request (including the GET parameters).

We were running into this issue using ExtJS and the default cookie state provider. You can read more about this here: http://www.jasonclawson.com/2008/05/20/ext-21-state-managment-issues-dont-use-it/

Comment by jclawson — May 20, 2008
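
The per-browser limits reported in the post and the 8190 Apache default quoted in the comment above, combined into a pre-flight check that a cookie manager could run before writing cookies. This is an added example, not code from the post or its commenters; `auditCookies`, `BROWSER_LIMITS` and the finding format are hypothetical names, and applying the 8190 limit to the Cookie header line alone is an assumption.

```javascript
// Added example: limits are the 2008 figures reported on this page, kept as data.
const BROWSER_LIMITS = {
  ie:      { maxCookies: 50,       maxPairChars: 4095 },
  firefox: { maxCookies: 50,       maxPairChars: 4097 },
  opera:   { maxCookies: 30,       maxPairChars: 4096 },
  safari:  { maxCookies: Infinity, maxPairChars: 4097 }, // no count limit observed
};
// 8190 is the Apache default quoted in the comment; applying it to the
// Cookie header line alone is this example's assumption.
const SERVER_HEADER_LIMIT = 8190;

const byteLen = (s) => new TextEncoder().encode(s).length;

// Bytes of the header line a browser would send: "Cookie: a=1; b=2"
function cookieHeaderBytes(cookies) {
  const pairs = Object.entries(cookies).map(([n, v]) => `${n}=${v}`);
  return byteLen("Cookie: " + pairs.join("; "));
}

// Returns every limit the cookie set would hit, per browser and server-side.
function auditCookies(cookies, headerLimit = SERVER_HEADER_LIMIT) {
  const findings = [];
  const names = Object.keys(cookies);
  for (const [browser, lim] of Object.entries(BROWSER_LIMITS)) {
    if (names.length > lim.maxCookies) {
      findings.push({ browser, kind: "count", detail: names.length });
    }
    for (const name of names) {
      const chars = name.length + 1 + cookies[name].length; // name=value
      if (chars > lim.maxPairChars) {
        findings.push({ browser, kind: "size", detail: name });
      }
    }
  }
  const headerBytes = cookieHeaderBytes(cookies);
  if (headerBytes > headerLimit) {
    findings.push({ browser: "server", kind: "header", detail: headerBytes });
  }
  return { headerBytes, findings };
}

// Constructed sample: three cookies, each well under every per-cookie limit.
const sample = { s0: "a".repeat(3000), s1: "b".repeat(3000), s2: "c".repeat(3000) };
console.log(auditCookies(sample));
```

The constructed sample passes every browser's per-cookie and per-domain check yet still produces a header the server would reject, which is the failure mode the post describes for Safari.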

For anyone interested, this is the knowledge base article for the IE bump from 20 to 50 cookies per domain:
http://support.microsoft.com/kb/941495

Comment by Joeri — May 21, 2008

Although Opera will accept up to 30 cookies, and the max size is 4096, there is also a total-size-for-all-cookies-per-domain limit of 5000 bytes. So if you use a really large cookie, you may only be able to store one cookie:
http://my.opera.com/gorme/blog/show.dml/13293

You can also use this online test tool to test your cookie limits:
http://krijnhoetmer.nl/stuff/javascript/maximum-cookies/

If you use very large values for the cookie value, you can see that Opera starts to discard many more cookies.

Comment by briandunnington — July 4, 2008
