Cookie (Max) Size and Number Limit

Some commonly asked questions are:

  • What is the max size of an HTTP cookie? Or how much data can I store inside a cookie?
  • How many cookies can I set or store in a browser? What is the maximum number?

To understand these limits, let's first look at what the official specification, RFC 6265 (section 6.1), has to say. It does not fix a maximum; instead it says that general-use user agents SHOULD provide at least the following minimum capabilities:

  • At least 4096 bytes (4 KiB) per cookie, measured as the sum of the lengths of the cookie's name, value and attributes (including the attribute values, where applicable).
  • At least 50 cookies per domain.
  • At least 3000 cookies in total, across all domains.

Those are the guaranteed minimums. The actual maximums do not really matter, because each browser chooses its own thresholds and implementation, and they can change between versions. A web application should stay within the minimums, since those are the only limits it can rely on in every browser.

If you’re still curious though, then I have set up a demo that you can open in your browser of choice to check the max cookie size limit and max number/quantity of cookies you can set per domain.

Note that "per domain" here means per value of the cookie's Domain attribute; when the attribute is omitted, the cookie belongs to the exact host that set it.

If you exceed the above limits, different browsers/user agents react differently. Some simply do not store the new cookie (an assignment to document.cookie fails silently, the cookie just never appears), some start evicting cookies, typically non-secure or session cookies or the oldest ones first, and some delete cookies set earlier, which means a logged-in user (identified by a session cookie) can suddenly be logged out. Again, it does not matter exactly what happens when one of the thresholds is breached; the point is to stay within the minimum limits. According to the RFC:

Servers SHOULD gracefully degrade if the user agent fails to return one or more cookies in the Cookie header because the user agent might evict any cookie at any time on orders from the user.

In fact, another very good reason to stay well below the minimum limits is performance. Every cookie that matches a request's host and path is sent in the Cookie header of every request to it, including requests for images, scripts and stylesheets, so a few kilobytes of cookies are paid for on every round trip, increasing the time the request takes to reach the server and the perceived response time with it. As the RFC suggests:

Servers SHOULD use as few and as small cookies as possible to avoid reaching these implementation limits and to minimize network bandwidth due to the Cookie header being included in every request.
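The following is an added example, not code from the original post, that turns the limits above into something you can run. It measures cookies the way RFC 6265 counts them (name + value + attributes), audits an incoming Cookie header against the 50-per-domain minimum, and probes a browser's real per-cookie size and per-domain count limits, the same kind of check the demo mentioned earlier performs. The three limit constants and the size rule come from the RFC; the function names, the `read()`/`write()` jar interface, and the in-memory jar (a constructed stand-in that behaves exactly like the RFC minimums, so the probes can run outside a browser) are this example's own assumptions.

```javascript
// Added example, not code from the original post. The three limits and the
// "name + value + attributes" size rule are RFC 6265 section 6.1; the jar
// interface, function names and memoryJar() are this example's own construction.
const byteLen = (s) => new TextEncoder().encode(s).length;

const RFC6265_MIN = { bytesPerCookie: 4096, cookiesPerDomain: 50, cookiesTotal: 3000 };

// Size of one Set-Cookie header the way the RFC counts it: bytes of the name,
// the value and each attribute, not counting the "; " separators.
function setCookieSize(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq >= 0 ? pair.slice(0, eq) : pair;
  const value = eq >= 0 ? pair.slice(eq + 1) : '';
  return byteLen(name) + byteLen(value) + attrs.reduce((n, a) => n + byteLen(a), 0);
}

// Server side: what a request's Cookie header costs on the wire, and whether the
// site has already pushed past the per-domain minimum a browser must honour.
function auditCookieHeader(cookieHeader) {
  const pairs = (cookieHeader || '').split(';').map((s) => s.trim()).filter(Boolean);
  return {
    count: pairs.length,
    bytes: byteLen(cookieHeader || ''),
    overPerDomainMinimum: pairs.length > RFC6265_MIN.cookiesPerDomain,
  };
}

// A jar is anything with read() -> "a=1; b=2" and write(setCookieString).
// In a browser wrap document.cookie; in Node use memoryJar() below.
function documentJar() {
  return { read: () => document.cookie, write: (s) => { document.cookie = s; } };
}

function readValue(jar, name) {
  for (const part of jar.read().split(';')) {
    const p = part.trim();
    if (p.startsWith(name + '=')) return p.slice(name.length + 1);
  }
  return null;
}

// Binary-search the largest value length (ASCII chars) that survives a write.
// Assumes a 1-char value always sticks and `upper` never does; the cookie is
// deleted after every probe so a failed write cannot leave a stale one behind.
function probeMaxCookieSize(jar, name = 'sizeprobe', upper = 65536) {
  const sticks = (n) => {
    const v = 'x'.repeat(n);
    jar.write(`${name}=${v}; Path=/`);
    const ok = readValue(jar, name) === v;
    jar.write(`${name}=; Path=/; Max-Age=0`);
    return ok;
  };
  let lo = 1, hi = upper + 1;
  while (hi - lo > 1) {
    const mid = Math.floor((lo + hi) / 2);
    if (sticks(mid)) lo = mid; else hi = mid;
  }
  return lo;
}

// Write `upper` small cookies, then count how many are still there. Counting
// afterwards (instead of stopping at the first failed write) also catches
// browsers that accept the new cookie but evict older ones. Run it on a host
// with no other cookies, or the eviction may hit those first.
function probeMaxCookieCount(jar, prefix = 'countprobe', upper = 600) {
  for (let i = 0; i < upper; i++) jar.write(`${prefix}${i}=1; Path=/`);
  const present = jar.read().split(';').filter((s) => s.trim().startsWith(prefix)).length;
  for (let i = 0; i < upper; i++) jar.write(`${prefix}${i}=; Path=/; Max-Age=0`);
  return present;
}

// Constructed stand-in for a user agent implementing exactly the RFC minimums:
// oversize cookies are silently dropped and, past the per-domain count, the
// oldest cookie is evicted. Real browsers differ; this only lets the probes
// run outside a browser.
function memoryJar(limits = RFC6265_MIN) {
  const cookies = new Map(); // insertion order doubles as age, oldest first
  return {
    read: () => [...cookies].map(([k, v]) => `${k}=${v}`).join('; '),
    write: (s) => {
      const [pair, ...attrs] = s.split(';').map((x) => x.trim());
      const eq = pair.indexOf('=');
      const name = eq >= 0 ? pair.slice(0, eq) : pair;
      const value = eq >= 0 ? pair.slice(eq + 1) : '';
      if (attrs.some((a) => /^max-age=0$/i.test(a))) { cookies.delete(name); return; }
      if (setCookieSize(s) > limits.bytesPerCookie) return; // dropped, no error raised
      cookies.delete(name);
      cookies.set(name, value);
      while (cookies.size > limits.cookiesPerDomain) cookies.delete(cookies.keys().next().value);
    },
  };
}

// In a browser devtools console: probeMaxCookieSize(documentJar()).
const jar = typeof document === 'undefined' ? memoryJar() : documentJar();
console.log('max value length:', probeMaxCookieSize(jar), 'max cookies per domain:', probeMaxCookieCount(jar));
```

Against `memoryJar()` the size probe reports 4081, which is 4096 minus the 15 bytes taken by the name `sizeprobe` and the attribute `Path=/`: the budget is shared by name, value and attributes, so a long `Domain` or `Expires` eats into the value you can store. Paste the block into a browser console on a host with no other cookies to see what that browser actually allows, and use `setCookieSize()` on the server to reject or shrink any Set-Cookie that would exceed 4096 bytes before it is sent.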
