342

What is the maximum size of a web browser's cookie's key?

I know the maximum size of a cookie is 4KB, but does the key have a limitation as well?

the Tin Man
user77480
  • 2
    Also note that web servers (nginx, IIS, Apache, ...) all have a limit on the line length of an HTTP header. They are typically limited to 4KB or 8KB. So even if browsers support larger cookie headers, they may probably not work without special configuration on these servers. – tsh Mar 23 '21 at 07:32

5 Answers

403

The 4K limit you read about is for the entire cookie, including name, value, expiry date etc. If you want to support most browsers, I suggest keeping the name under 4000 bytes, and the overall cookie size under 4093 bytes.

One thing to be careful of: if the name is too big you cannot delete the cookie (at least in JavaScript). A cookie is deleted by updating it and setting it to expire. If the name is too big, say 4090 bytes, I found that I could not set an expiry date. I only looked into this out of interest, not that I plan to have a name that big.

To read more about it, here are the "Browser Cookie Limits" for common browsers.


While on the subject, if you want to support most browsers, then do not exceed 50 cookies per domain, and 4093 bytes per domain. That is, the size of all cookies should not exceed 4093 bytes.

This means you can have 1 cookie of 4093 bytes, or 2 cookies of 2045 bytes, etc.


I used to say 4095 bytes due to IE7, however now Mobile Safari comes in with 4096 bytes with a 3 byte overhead per cookie, so 4093 bytes max.

Iain
  • 18
    the 4K limit refers to all cookies under a specific domain - thus when this limit is reached, you will likely be unable to create a new cookie. – ulkas Jan 04 '13 at 13:46
  • 6
    @ulkas: I have added that in now. Once the limit is reached I have observed in many browsers you can create new cookies, but it will delete a bunch of the existing ones. – Iain Mar 08 '13 at 07:42
  • 1
    Note: RFC 2965 has been obsoleted and replaced by RFC 6265. The limits section is largely unchanged (see: https://tools.ietf.org/html/rfc6265#section-6.1), but RFC 6265 is now the canonical source. – Jim OHalloran Jan 20 '18 at 04:53
  • To support most browsers, cookies should not exceed 50 per domain, and total cookie size (across all cookies) should be less than or equal to 4093 bytes. https://docs.devexpress.com/AspNet/11912/common-concepts/cookies-support/cookie-limitations – Ankit Jan 20 '21 at 14:32
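
Added example, not part of any answer on this page: a JavaScript check for the budget and the deletion caveat described in the answer above. The function names are this example's own, and it assumes the browser counts the whole serialized cookie string in UTF-8 bytes, which differs between browsers.

```javascript
// Added example. Budgets are the figures quoted in the answer above.
const MAX_COOKIE_BYTES = 4093;
const MAX_COOKIES_PER_DOMAIN = 50;

// Limits are in bytes, so measure UTF-8 length, not string length.
const byteLen = (s) => new TextEncoder().encode(s).length;

// Build the "name=value; Attr=val" string assigned to document.cookie.
function serialize(name, value, attrs = {}) {
  const parts = [`${name}=${value}`];
  for (const [k, v] of Object.entries(attrs)) parts.push(v === true ? k : `${k}=${v}`);
  return parts.join("; ");
}

// A cookie is deleted by re-setting it with an expiry in the past, so the
// delete form (empty value plus Expires) has to fit in the budget as well.
function checkCookie(name, value, attrs = {}) {
  const setBytes = byteLen(serialize(name, value, attrs));
  const deleteBytes = byteLen(
    serialize(name, "", { ...attrs, Expires: "Thu, 01 Jan 1970 00:00:00 GMT" })
  );
  return {
    setBytes,
    deleteBytes,
    fits: setBytes <= MAX_COOKIE_BYTES,
    deletable: deleteBytes <= MAX_COOKIE_BYTES,
  };
}

// Assumption: the per-domain total is the sum of the serialized set forms.
function checkDomain(cookies) {
  const results = cookies.map((c) => checkCookie(c.name, c.value, c.attrs));
  const totalBytes = results.reduce((sum, r) => sum + r.setBytes, 0);
  const ok =
    cookies.length <= MAX_COOKIES_PER_DOMAIN &&
    totalBytes <= MAX_COOKIE_BYTES &&
    results.every((r) => r.fits && r.deletable);
  return { count: cookies.length, totalBytes, ok };
}

// Constructed sample: a 4090-byte name fits when set but cannot be expired.
const longName = checkCookie("n".repeat(4090), "");
console.log(longName);
```

A session cookie that fails the `deletable` check is one a logout handler cannot clear from the client side, so run the check when choosing cookie names, not only values.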
119

Actually, RFC 2965, the document that defines how cookies work, specifies that there should be no maximum length of a cookie's key or value size, and encourages implementations to support arbitrarily large cookies. Each browser's implementation maximum will necessarily be different, so consult individual browser documentation.

See section 5.3, "Implementation Limits", in the RFC.

the Tin Man
John Feminella
  • 22
    As usual, "spec" and "real-world" seem to be completely different. Because cookies are sent with EVERY http request, it is actually a good thing there are limits. – BenSwayne Mar 20 '13 at 19:04
  • 4
    That's a pretty useless spec if in actuality there are limits! This is the "correct" answer, though! – lmat - Reinstate Monica Mar 07 '15 at 08:55
  • 3
    I don't understand why browsers choose not to follow this spec. There is no reason why I shouldn't be able to dump more than 4KB (which is not that much) into a cookie, when stuff like localStorage already exists. – William Sep 03 '15 at 18:00
  • 4
    Note: RFC 2965 has been obsoleted and replaced by RFC 6265. The limits section is largely unchanged (see: https://tools.ietf.org/html/rfc6265#section-6.1), but RFC 6265 is now the canonical source. – Jim OHalloran Jan 20 '18 at 04:53
48

Not completely entirely a direct answer to the original question, but relevant for the curious quickly trying to visually understand their cookie information storage planning without implementing a complex limiter algorithm, this string is 4096 ASCII character bytes:

"abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvw
xyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstu
vwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmn"

stackuser83
  • 4
    As I was about to learn how many characters 4KB can store, this answer showed up and made my day! And here's [another answer](https://stackoverflow.com/a/4100347/16648127) relevant to this question. – Enfield Li Jun 17 '22 at 04:09
40

You can also use web storage if the app specs allow it (it has support for IE8+).

It has 5M (most browsers) or 10M (IE) of memory at its disposal.

"Web Storage (Second Edition)" is the API and "HTML5 Local Storage" is a quick start.

the Tin Man
Michael
  • 4
    It should probably be noted here that a caveat for using web storage is that, without a workaround, data stored in web storage can only be stored on/accessed from HTTP OR HTTPS, but not shared between them (even for the same site). – ilasno Jan 04 '14 at 22:44
  • 2
    @ilasno Afaik the same limitation exists for traditional cookies. – Steve Midgley Dec 31 '14 at 06:52
  • 2
    The most important caveat is rather that web storage, session storage and local storage are only accessible from the browser, not the server. That's definitely something to consider when choosing between any of those and cookies, which are readable on both browser and server. – Vadorequest Jan 29 '20 at 10:36
  • LocalStorage doesn't work properly on iOS, see https://stackoverflow.com/a/68087149/3108846 – Hugo Jerez Jul 27 '22 at 16:52
17

A cookie key (used to identify a session) and a cookie are the same thing being used in different ways. So the limit would be the same. According to Microsoft it's 4096 bytes.

MSDN

cookies are usually limited to 4096 bytes and you can't store more than 20 cookies per site. By using a single cookie with subkeys, you use fewer of those 20 cookies that your site is allotted. In addition, a single cookie takes up about 50 characters for overhead (expiration information, and so on), plus the length of the value that you store in it, all of which counts toward the 4096-byte limit. If you store five subkeys instead of five separate cookies, you save the overhead of the separate cookies and can save around 200 bytes.

cgreeno
  • 8
    Incidentally, just because you have about 4KB of browser cookie storage to play with you ought to seriously consider whether that's a good idea or not. – NotMe Mar 13 '09 at 01:32
  • Can you confirm if per domain/site the number of cookies can't exceed 20? Or has it increased by now? – Mutant Sep 11 '13 at 21:58