Skip to Content

NCZOnline

Blog Entry

Browser cookie restrictions

I've been doing some research into cookies for my upcoming book and came across some interesting facts about the way browsers handle cookies. I started out by looking at the number of cookies that browsers allowed per domain. The results were interesting:

  • Microsoft indicated that Internet Explorer 8 increased the cookie limit per domain to 50 cookies but I've found that IE7 also allows 50 cookies per domain. Granted, this may have been increased with a system patch rather than having the browser's first version ship like this, but it's still more than the 20 that was commonly understood to be the limit.
  • Firefox has a per-domain cookie limit of 50 cookies.
  • Opera has a per-domain cookie limit of 30 cookies.
  • Safari/WebKit is the most interesting of all as it appears to have no perceivable limit through Safari 3.1. I tested setting up to 10,000 cookies and all of them were set and sent along in the Cookie header. The problem is that the header size exceeded the limit that the server could process, so an error occurred.

So the prevailing knowledge that browsers limit per-domain cookies to 20 is no longer valid. Another interesting inconsistency is how browsers react when too many cookies are set. With the exception of Safari, which sets all cookies regardless of the number, there are two approaches:

  1. The least recently used (LRU) approach automatically kicks out the oldest cookie when the cookie limit has been reached in order to allow the newest cookie some space. Internet Explorer and Opera use this approach.
  2. Firefox does something strange: it seems to randomly decide which cookies to keep although the last cookie set is always kept. There doesn't seem to be any scheme it's following at all. The takeaway? Don't go above the cookie limit in Firefox.

The total size of cookies also varies from browser to browser. This is another one that is a little hard to comprehend, but here's what my tests show:

  • Firefox and Safari allow cookies with up to 4097 characters, that's 4096 for the name and value and one for the equals sign.
  • Opera allows cookies with up to 4096 characters, which is for the name, value, and equals sign.
  • Internet Explorer allows cookies with up to 4095 characters, which is for the name, value and, equals sign.

It's worth noting that single-byte characters were used for these tests; multi-byte characters will, naturally, count as two. In all browsers, any cookie that is set with a size greater than the limit is ignored and never set.

My conclusion after doing all of these tests is that the traditional beliefs of cookie limitations (mostly taken from the original cookie specification) are no longer valid. We should use caution when using cookies and always take the lowest limit as the one to look out for.

  • May 17, 2008 03:05 PM

Comments

Alexei says:

Nicholas,

One question. When you are talking about characters' limit (4096 for example), do you mean characters or bytes? Have you tried non-ASCII Unicode characters? I mean otherwise we should say 4096 bytes, not characters.

Also, have you seen this post? http://blogs.msdn.com/ie/archive/2007/08/29/update-to-internet-explorer-s-cookie-jar.aspx

It proves that the increase in number of cookies per domain occurred before IE8.

Nicholas C. Zakas says:

@Alexei - Technically, the limit is specified in bytes, but practically everyone thinks of them as characters. This is why I mentioned that double-byte characters count as two. :)

Thanks for the link, I hadn't noticed that. Glad to know I'm not going crazy (just yet).

Alexei says:

Nicholas,

Sorry, somehow I missed the paragraph where you answered my question :). My fault.

Post Comment

Your e-mail address will never be shown, only your URL. Please, no HTML in your comments, as it will be automatically stripped out for security purposes.

(required)
(required, not shown)


Please answer the following silly question to confirm that you are a person and not an evil spam robot:


Copyright © 2004-2005 Nicholas C. Zakas. All Rights Reserved. XHTML | CSS