While I was reading HTTP RFC information (everyone reads this stuff, right?), I came across a section labeled ‘Implementation Limits’. Like most people, I don’t think there is such a thing as too many cookies (assuming you have a glass of milk), but apparently browsers feel differently. The RFC documentation on the Set-Cookie header gives a minimum for each limit that a browser may impose. That’s a bit confusing, so I’ll state it differently: according to the documentation, a browser should accept at least 300 cookies total (for all visited sites), at least 20 cookies per hostname, with 4096 bytes of space per cookie.
After googling a bit, I couldn’t find any reliable documentation that specified the limits in today’s popular browsers, such as Internet Explorer, Firefox, Chrome, or Safari. So I wrote a PHP script to test out a few things. I had two main goals in mind: find the maximum number of cookies for various browsers (if there is one), and find out what happens when that limit is exceeded. This isn’t meant to be a comprehensive list, just the interesting results that I’ve found. This was all done on Windows.
| Browser | Per Hostname Limit | What Happens When Exceeded |
| --- | --- | --- |
| Firefox | 50 | Only the most recent 50 cookies are sent with requests |
| Chrome | ~150 | Once the number of cookies gets close to 150, Chrome’s behavior is inconsistent. It seems to send an inconsistent set of cookies during requests, generally around 150. |
| IE 8 | 50 | Only the most recent 50 cookies are sent |
| Safari (Windows) | 297 | Only the most recent 297 cookies are sent |
Obviously, this test does not cover all browsers or operating systems, but it does show that there are real limits that you should be aware of if you’re relying heavily on cookies. This test does not cover JavaScript’s ability to access the cookies: since the browser receives the Set-Cookie headers, the cookies could still be accessible via JavaScript, or via plugins/extensions in your browser. This test also does not look at a total cookie maximum, only per-hostname restrictions.
What does this mean for you?
Hopefully nothing. Hopefully, your pages are not sending more than 50 cookies from a single hostname; however, it can happen. For example, when using sessions in PHP, there will be a PHPSESSID cookie, and when using Google Analytics, you get at least 4 cookies: ‘utmz’, ‘utma’, ‘utmb’, and ‘utmc’. Without any code you may have written, that’s 10% of the cookies available in Firefox and IE. CMS systems, blogs, or ecommerce systems will likely have their own cookies as well, but since the limitation is per hostname, keeping separate systems on separate hostnames, like blog.mydomain.com or crm.mydomain.com, can help you avoid this problem. If you are sending more than 50 cookies, you may be getting unreliable results. You can use Fiddler, an HTTP debugging proxy, to view the Set-Cookie headers being sent from your pages, as well as the Cookie headers your browser is sending to servers during your requests.
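To check a page against these limits, the sketch below (an added example, not the PHP test script used for this post) takes the Set-Cookie headers captured for one hostname, for instance in Fiddler, and models the "only the most recent N cookies are sent" behaviour from the table to show which cookies would be dropped. The sample header values, the `pref_N` cookie names, PHP's default `PHPSESSID` session name, and the rule that re-setting a cookie makes it the most recent are assumptions; Chrome is left out because its behaviour was inconsistent.

```python
from http.cookies import SimpleCookie

# Per-hostname limits measured in the table above (Chrome omitted: inconsistent).
PER_HOST_LIMIT = {"Firefox": 50, "IE 8": 50, "Safari (Windows)": 297}


def cookie_names(set_cookie_headers):
    """Cookie names in the order the server set them, oldest first.
    Assumption: setting a name again makes it the most recent cookie."""
    order = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # parses "name=value; Path=/; HttpOnly"
        for name in jar:
            if name in order:
                order.remove(name)
            order.append(name)
    return order


def audit(set_cookie_headers, critical=("PHPSESSID",)):
    """For each browser, report how many cookies would still be sent,
    which ones fall off the front, and whether a critical one is lost."""
    names = cookie_names(set_cookie_headers)
    report = {}
    for browser, limit in PER_HOST_LIMIT.items():
        dropped = names[:-limit]  # empty when len(names) <= limit
        report[browser] = {
            "sent": len(names) - len(dropped),
            "dropped": dropped,
            "critical_lost": [n for n in critical if n in dropped],
        }
    return report


# Constructed sample: session cookie first, the four analytics cookies named
# in the post, then 50 application cookies, all from one hostname (55 total).
SAMPLE_HEADERS = (
    ["PHPSESSID=abc123; Path=/; HttpOnly"]
    + [f"{n}=1; Path=/" for n in ("utmz", "utma", "utmb", "utmc")]
    + [f"pref_{i}=x; Path=/" for i in range(50)]
)

if __name__ == "__main__":
    for browser, result in audit(SAMPLE_HEADERS).items():
        print(browser, result["sent"], "sent; dropped:", result["dropped"],
              "; critical lost:", result["critical_lost"])
```

With the constructed sample, the session cookie is among the five oldest, so it is the first thing to disappear under a 50-cookie limit.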


