Comments on: The skinny on cookies

By: RK

RK — Mon, 24 Aug 2009 05:09:26 +0000

I checked Google’s Browser Security Handbook recently & I’m glad it is updated for IE 8. As per that document, the maximum number of cookies per site in FF2, Safari & Opera are infinite and it is 100 for FF3 – http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies

By: Patrick Meenan

Patrick Meenan — Sun, 23 Aug 2009 02:00:11 +0000

One REALLY easy way to blow out those cookie lengths is to encode the current url into a cookie. We have seen it with some user tracking services for tracking the path through a site.

Combine that with freakishly long urls (a problem in and of itself) and you get random pages causing browsing problems downstream because they blow the 8k limit.

By: David King

David King — Sat, 22 Aug 2009 15:52:04 +0000

Nice article! Not a problem I’ve ver encountered, but it’s all about prevention over cure ey!

By: Nicholas C. Zakas

Nicholas C. Zakas — Sat, 22 Aug 2009 04:52:26 +0000

That limit is important because some browsers (Chrome and Safari) don’t limit the total size of cookies they will send, so you can set cookies to larger than 8 kb and actually cause a server error as a result.