I just finished Eric Lawrence’s post on Internet Explorer Cookie Internals. Eric works on the IE team as well as owning Fiddler. Everything he writes is worth reading. In this article he answers FAQs about how IE handles cookies, for example:
- If I don’t specify a leading dot when setting the DOMAIN attribute, IE doesn’t care?
- If I don’t specify a DOMAIN attribute when [setting] a cookie, IE sends it to all nested subdomains anyway?
- How many cookies will Internet Explorer maintain for each site?
Another cookie issue is the effect extremely large cookies have on your web server. For example, Apache will fail if it receives a cookie header that exceeds 8190 bytes (as set by the LimitRequestLine directive). 8K seems huge! But remember, all the cookies for a particular web page are sent in one Cookie: header. So 8K is a hard limit for the total size of cookies. I wrote a test page that demonstrates the problem.
Keep your cookies small – it’s good for performance as well as uptime.
Nicholas C. Zakas | 21-Aug-09 at 8:52 pm | Permalink
That limit is important because some browsers (Chrome and Safari) don’t limit the total size of cookies they will send, so you can set cookies to larger than 8 kb and actually cause a server error as a result.
David King | 22-Aug-09 at 7:52 am | Permalink
Nice article! Not a problem I’ve ver encountered, but it’s all about prevention over cure ey!
Patrick Meenan | 22-Aug-09 at 6:00 pm | Permalink
One REALLY easy way to blow out those cookie lengths is to encode the current url into a cookie. We have seen it with some user tracking services for tracking the path through a site.
Combine that with freakishly long urls (a problem in and of itself) and you get random pages causing browsing problems downstream because they blow the 8k limit.
RK | 23-Aug-09 at 9:09 pm | Permalink
I checked Google’s Browser Security Handbook recently & I’m glad it is updated for IE 8. As per that document, the maximum number of cookies per site in FF2, Safari & Opera are infinite and it is 100 for FF3 – http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies