Saturday, August 8, 2009

Real world cookie length limits

Daniel Stenberg recently posted some interesting test code and browser results to http-state@ietf.org describing the maximum amount of data that can be stored in a cookie:

****

... I just went ahead and wrote a CGI script that redirects to itself and grows a
cookie and stores its length in a URL field like "cookie.cgi?len=200" until
the length in the URL and the actual cookie length no longer matches.

Here's a few results from various browsers:

Firefox 3.0.12: 4000
Firefox 3.5: 4000
curl 7.19.5: 4999
IE 8: 5000
Opera 10.00 beta: 4000
Android 1.5 browser: 4000
Chrome 3.0.195.6: 4000
Wget 1.11.4: 7000[*]
mobile safari (iphone): 8000
lynx 2.8.7dev.9: 4000

I think we can safely say that most browsers support at least 4000 characters
cookie contents.

[*] = this reports "500 Internal Server Error" on 8000, which I don't
understand why but haven't bothered much more about.

The test is live here: http://daniel.haxx.se/test/longcookie.cgi Feel free to
use it if you want to try out other browsers, without torturing it of course!

And the perl script that runs it looks like this:

require "CGI.pm";

$len = CGI::param('len');
$c = CGI::cookie('data');

print "Content-Type: text/html\n";

if($len == length($c)) {
$c .= "A" x 1000;
$len += 1000;
print "Set-Cookie: data=$c\n";

print "Location: longcookie.cgi?len=$len\n";
print "\nmoo\n";
}
else {
printf "\nMax cookie length: %d\n", length($c);
}

6 comments:

Patrik Wallström said...

Maybe it would also be interesting to test this for the different HTTP-proxies out there as well.

Anonymous said...

Just the information I was seeking.

Anonymous said...

Some older IE versions would make this even better (although they probably also exceed the 4000 chars).

Thanks for posting :-)

Unknown said...

That's excellent. Trying to figure out something cool for logging page views.

Unknown said...

Thank you

Jim Manico said...

These limits have changed a lot over the past many years. Re-verify!