0

I know I shouldn't be storing so many cookies in my users' browsers. And I'm working on reducing the number. But still I want to know the answer to this. The browser is sending 120 cookies. I can see all of them when I view the request using dev tools. But in PHP when I examine the $_COOKIE variable, there are only 100. To make matters worse, one of the cookies that isn't getting through is the PHPSESSID, and so sessions aren't working at all.

Every Google result tells me that cookie limits are enforced by browsers, not by servers. And like I said, the browser is sending all the cookies. It's the server that's messing things up. The same thing is happening in Chrome, Firefox and IE: if I send >100 cookies, the size of $_COOKIE is exactly 100.

These are not big cookies, either - each one is 6 characters, so it's a total of 600 bytes of cookie content that's making it through to PHP.

I have tried varying the names of the cookies, and the number of cookies, and no matter what I do, the number of cookies in $_COOKIE is 100.

Dan B.
  • Sorry, I misread your question a little. – ceejayoz Apr 17 '18 at 20:40
  • 1
    Have you checked what `max_input_vars` is set to? Default would be 1000, but you never know ... – CBroe Apr 17 '18 at 20:43
  • 1
    Also look at `LimitRequestFieldSize` config – Patrick Moore Apr 17 '18 at 20:45
  • @CBroe max_input_vars is set to 1000. – Dan B. Apr 17 '18 at 20:51
  • `max_input_vars` will definitely cause this issue. Check the output of `phpinfo()` (in a browser, not command line) to verify that it's actually reading the `php.ini` file that you think it's reading and actually setting the value that you think it's setting. – Alex Howansky Apr 17 '18 at 20:55
  • It's more likely a browser limit than a PHP one –  Apr 17 '18 at 21:37
  • @smith OP seems to have competently ruled that out (they mention inspecting the request in the dev tools). – ceejayoz Apr 17 '18 at 22:14
  • @ceejayoz I tested with http://browsercookielimits.squawky.net/: IE 50, Chrome 150 –  Apr 17 '18 at 22:22
  • @smith Yes, and OP's using Chrome, so their 120 should be well within its limit of 150. – ceejayoz Apr 17 '18 at 22:23
  • Great for the OP, but for his users, the IE ones for example? –  Apr 17 '18 at 22:25
  • 1
    @smith OP appears entirely aware that 120 cookies is excessive. Maybe the site has a "use a supported browser; no IE" message on it. I still find the "why is the webserver only seeing 100 if Chrome's sending 120" an interesting question. – ceejayoz Apr 17 '18 at 23:50
  • @AlexHowansky Good idea, but I tried phpinfo() in a browser and max_input_vars is 1000. – Dan B. Apr 18 '18 at 02:14
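
One way to see where the cookies go missing, as an added example rather than code from the thread: it counts the cookies in the raw `Cookie` header that PHP received, compares them with `$_COOKIE`, and prints the `max_input_vars` value and `php.ini` path the comments suggest verifying. The function names and the constructed CLI sample are assumptions made for illustration.

```php
<?php
// Added diagnostic, not code from the thread. Lists cookie names only, so
// session IDs are never echoed back.

/** Split a raw Cookie header into name => value pairs, bypassing PHP's parser. */
function parse_raw_cookie_header(string $header): array
{
    $pairs = [];
    foreach (explode(';', $header) as $chunk) {
        [$name, $value] = array_pad(explode('=', trim($chunk), 2), 2, '');
        $name = trim($name);
        // Like PHP, keep the first occurrence of a repeated name.
        if ($name !== '' && !array_key_exists($name, $pairs)) {
            $pairs[$name] = urldecode($value);
        }
    }
    return $pairs;
}

/** Names present in the header but missing from the array PHP built. */
function dropped_cookie_names(array $raw, array $parsed): array
{
    // Assumes plain names: PHP rewrites '.' and ' ' to '_' and expands 'a[b]'.
    return array_values(array_diff(array_keys($raw), array_keys($parsed)));
}

if (PHP_SAPI === 'cli') {
    // Constructed sample for an offline run: three cookies sent, two parsed.
    $header = 'c001=aaaaaa; c002=bbbbbb; PHPSESSID=constructedid';
    $parsed = ['c001' => 'aaaaaa', 'c002' => 'bbbbbb'];
} else {
    $header = $_SERVER['HTTP_COOKIE'] ?? '';
    $parsed = $_COOKIE;
    header('Content-Type: text/plain');
}

$raw = parse_raw_cookie_header($header);
print_r([
    'header_bytes'      => strlen($header),
    'cookies_in_header' => count($raw),
    'cookies_parsed'    => count($parsed),
    'dropped_names'     => dropped_cookie_names($raw, $parsed),
    'max_input_vars'    => ini_get('max_input_vars'),
    'loaded_php_ini'    => php_ini_loaded_file(),
]);
```

If `cookies_in_header` already shows fewer cookies than the browser sent, the loss happened before PHP; if it shows all of them while `cookies_parsed` is lower, the drop is inside PHP's input handling.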

1 Answer

0

I wouldn't go over 50 cookies for each domain if you want to support all browsers.

If you want to support most browsers, then don't exceed 50 cookies per domain, and don't exceed 4093 bytes per domain!

Max Cookie Count Per Domain is calculated by adding cookies until the number of cookies saved stops increasing.

Max Cookie Size Per Cookie is calculated by increasing the cookie's value one character at a time, until the saved value is truncated.

Max Cookie Size Per Domain is guessed by adding cookies of maximum size, until no more cookies can be added. Hence, the actual limit may be more than the guessed limit. Guessed Limit <= Actual Limit < Guessed Limit + Max Cookie Size.

Typically, the following are allowed:

  • 300 cookies in total.

  • 4096 bytes per cookie.

  • 20 cookies per domain.

  • 81920 bytes per domain*.

  • Given 20 cookies of max size 4096 = 81920 bytes.

IE (and Opera) introduce a new limit, max bytes per domain.

Source: http://browsercookielimits.iain.guru/

Iain