Thursday, November 24, 2016

Cookie limits - the server side story

If you search the net for 'cookie limits', you'll find this site (or variations of it) that list browser-side limits for cookies for a couple of browsers.
RFC2965 will tell you a browser should support at least 20 cookies of size 4096 bytes per cookie, but browsers usually support higher limits. E.g. Chrome supports 180 cookies of size 4096 bytes, per domain, with no limits for the total size of all cookies. That makes 720Kb of data that is allowed by Chrome in each request.

In reality, even if you insist of sending that crazy big amount of data with every http request, you'll discover it's impossible to use that many cookies. Depending on the server accessed, you may be able to use only max 3 cookies of size 4096 bytes! Why? Because there is another side of the story - the servers you are accessing will also limit your use of cookies sizes.

Those limits depends from http server to server, and the server response if you make larger requests varies, too. Here are some examples:
  • - throws SocketException / ConnectionForcefullyClosedByRemoteServer after ~16k max cookies
  • - Starts returning "400 Bad Request – Request Too Long. HTTP Error 400. The size of the request headers is too long" after max ~15k cookies - Starts returning 413 Request Entity Too Large after ~15k cookies
  • - Starts returning 400 Bad Request after ~7.5k
  • - Accepts requests up to ~65k, after that returns 400 Bad Request 
  • - Accepts about ~80k after that starts returning 400, 502 or  throws WebException/MessageLengthLimitExceeded (seems dependent on the number of cookies, too)
Per, IIS Server defines two configuration settings, MaxFieldLength and MaxRequestBytes that limits the size of the http request headers that are accepted. This includes things like the RequestUrl being accessed, the User-Agent string, AAD authentication tokens, etc, thus limiting the size of Cookies stored in headers, too. For IIS, that limit is 16Kb by default, and can be configured. Probably Apache has similar limits, and website owners may have adjusted the limits.  

If you're writing a web application and use cookies pushing the limits, it's important to know what your server will tolerate on incoming requests.

I wrote an app one can use to test and get an idea of the server limits. You can download it from and invoke it with the http:// Uri of the server to test for parameter. The app makes requests to the server with cookies of various decreasing sizes, trying to narrow down the accepted max cookies size. The output looks like in the picture below.

No comments: