Maximum Cookie Size of current browsers (Year 2018)


Solution 1

The cookie spec definition in RFC 6265 (April 2011) is the current RFC (no new draft and no new RFC) and is supported by all major browsers (IE, Chrome, Opera, Firefox) today.

  • At least 4096 bytes per cookie (as measured by the sum of the length of the cookie's name, value, and attributes).

  • At least 50 cookies per domain.

  • At least 3000 cookies total.

So all modern browsers support AT LEAST this. Any other limit values are a gamble.

See 6.1. Limits in https://datatracker.ietf.org/doc/rfc6265/ for more details.

Solution 2

You can test it out by setting and reading back a cookie size from JavaScript in an iteration if you are interested in modern browsers only.

That is what I was doing in the past. And this is exactly what this site is about, it also includes the limits by browsers.

But keep in mind that the matching cookies will travel with every HTTP request, so they could dramatically affect the perceived response time.
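The set-and-read-back test described in Solution 2 can be written as a binary search. This is an added example, not code from the original answer; the `jar` adapter interface, `browserJar`, `fakeJar` and the 16384 search bound are assumptions made for illustration.

```javascript
// Probe the largest cookie value a cookie jar accepts by setting a cookie and
// reading it back. `jar` is a hypothetical adapter with set/get/remove.
function maxCookieValueLength(jar, name = "probe", upper = 16384) {
  const roundTrips = (len) => {
    const value = "a".repeat(len);      // ASCII, so characters == bytes
    jar.remove(name);                   // make sure no older value survives
    jar.set(name, value);
    const ok = jar.get(name) === value; // an oversized cookie never comes back
    jar.remove(name);
    return ok;
  };
  if (!roundTrips(1)) return 0;         // cookies disabled or blocked
  if (roundTrips(upper)) return upper;  // limit is at or above the search bound
  let lo = 1, hi = upper;               // invariant: lo works, hi fails
  while (hi - lo > 1) {
    const mid = (lo + hi) >> 1;
    if (roundTrips(mid)) lo = mid; else hi = mid;
  }
  return lo;
}

// Adapter over document.cookie; only usable inside a browser page.
const browserJar = {
  set: (n, v) => { document.cookie = `${n}=${v}; path=/`; },
  get: (n) => {
    const hit = document.cookie.split("; ").find((c) => c.startsWith(n + "="));
    return hit ? hit.slice(n.length + 1) : null;
  },
  remove: (n) => { document.cookie = `${n}=; path=/; max-age=0`; },
};

// Constructed stand-in jar for running outside a browser. Assumption: it drops
// any cookie whose name + value exceeds `limit` characters, i.e. it treats the
// RFC 6265 minimum as a hard maximum and ignores attribute lengths.
function fakeJar(limit) {
  const store = new Map();
  return {
    set: (n, v) => { if (n.length + v.length <= limit) store.set(n, v); },
    get: (n) => (store.has(n) ? store.get(n) : null),
    remove: (n) => { store.delete(n); },
  };
}
```

In a browser console, `maxCookieValueLength(browserJar)` runs the probe against the real cookie store; add the length of the cookie name to the result to compare it with a per-cookie limit.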

Author by

guettli

http://thomas-guettler.de/ Working out loud: https://github.com/guettli/wol

Updated on June 03, 2022

Comments

  • guettli about 2 years

    From the django docs:

    Both RFC 2109 and RFC 6265 state that user agents should support cookies of at least 4096 bytes. For many browsers this is also the maximum size.

    Source: https://docs.djangoproject.com/en/2.1/ref/request-response/

    Is this still valid today?

    What is the maximum cookie size of current browsers?

  • Dai over 5 years
    I note this does not mean that browsers support 50 cookies * 4096 bytes == 204,800 bytes == 204KiB per domain. I find that Safari and Chrome start to reject cookies if the total data for a domain exceeds something between 5-8KB.
  • Mumrah81 over 5 years
    Hi @Dai, I don't know for Safari but the size limit in Chrome is indeed 204,800 bytes per domain. From my tests the size is calculated summing the lengths of hostname + cookiepath + cookiename + unencrypted cookie value. Test done on Chrome 71.0.3578.98. How did you find a limit of 5-8Kb?
  • Dai over 5 years
    I get warnings in my Chrome developer console when the total size of all Set-Cookie headers in a response exceeds 4096 characters. So I guess, it's true that Chrome can store over 4096 characters, but they can't all be set in a single response?
  • Mumrah81 over 5 years
    After some more testing, it appears you're right. If providing more than one Set-Cookie header then the limit of 4096 bytes is applied on the concatenated value of all Set-Cookie headers. You can still create more than one cookie provided the creation is done in only one header. With multiple Set-Cookie headers it seems only the last one works. The only way to reach the 204KB per domain limit is to create the cookies using JavaScript. Another strange point is cookies created using the Set-Cookie headers aren't inserted in Chrome's SQLite database but are still sent in the next request.
  • Andy Ray over 2 years
    @Mumrah81 given how upvoted this answer is, I chose to update the wording, which is dangerous, to reflect what Dai pointed out. This is a better question+answer: stackoverflow.com/questions/640938/…