14

From the Django docs:

Both RFC 2109 and RFC 6265 state that user agents should support cookies of at least 4096 bytes. For many browsers this is also the maximum size.

Source: https://docs.djangoproject.com/en/2.1/ref/request-response/

Is this still valid today?

What is the maximum cookie size of current browsers?

guettli

3 Answers

16

The cookie spec definition in RFC6265 (April 2011) is the current RFC (no new draft and no new RFC) and is supported by all major browsers (IE, Chrome, Opera, Firefox) today.

  • At least 4096 bytes for the entire cookie (as measured by the sum of all of the cookie names, values, and attributes).

  • At least 50 cookies per domain, provided they don't go over the above limit.

  • At least 3000 cookies total.

So all modern browsers support AT LEAST this. Any other limit values are a gamble.

See 6.1. Limits in https://datatracker.ietf.org/doc/rfc6265/ for more details

Andy Ray
Mumrah81
  • 3
    I note this does **not** mean that browsers support `50 cookies * 4096 bytes == 204,800 bytes == 204KiB per domain`. I find that Safari and Chrome start to reject cookies if the total data for a domain exceeds something between 5-8KB. – Dai Feb 06 '19 at 23:48
  • 1
    Hi @Dai, I don't know for Safari but the size limit in Chrome is indeed 204,800 bytes per domain. From my tests the size is calculated summing the lengths of hostname + cookiepath + cookiename + unencrypted cookie value. Test done on Chrome 71.0.3578.98. How did you find a limit of 5-8Kb? – Mumrah81 Feb 11 '19 at 13:26
  • I get warnings in my Chrome developer console when the total size of all `Set-Cookie` headers in a response exceeds 4096 characters. So I guess, it's true that Chrome can store over 4096 characters, but they can't all be set in a single response? – Dai Feb 11 '19 at 14:15
  • 2
    After some more testing, it appears you're right. If providing more than one Set-Cookie header then the limit of 4096 bytes is applied on the concatenated value of all Set-Cookie headers. You can still create more than one cookie provided the creation is done in only one header. With multiple Set-Cookie headers it seems only the last one works. The only way to reach the 204KB per domain limit is to create the cookies using JavaScript. Another strange point is cookies created using the Set-Cookie headers aren't inserted in Chrome's SQLite database but still sent in the next request – Mumrah81 Feb 11 '19 at 19:14
  • @Mumrah81 given how upvoted this answer is, I chose to update the wording, which is dangerous, to reflect what Dai pointed out. This is a better question+answer: https://stackoverflow.com/questions/640938/what-is-the-maximum-size-of-a-web-browsers-cookies-key – Andy Ray Mar 10 '22 at 21:09
4

You can test it out by setting and reading back a cookie size from JavaScript in an iteration if you are interested in modern browsers only.

That is what I was doing in the past. And this is exactly what this site is about, it also includes the limits by browsers.

But keep in mind that the matching cookies will travel with every HTTP request so they could dramatically affect the perceived response time.

KARASZI István
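The set-and-read-back test described in the answer above, as an added example that is not part of the original post. It binary-searches the largest name plus value size (ASCII bytes) a cookie jar accepts; `accepts`, `maxCookieSize` and `makeMockJar` are hypothetical names, and the mock jar with its 4096-byte limit is a constructed stand-in for `document` so the code runs offline.

```javascript
// Store a probe cookie whose name + value is `size` ASCII bytes, check that
// it reads back intact, then delete it. Browsers drop oversized cookies
// silently, so reading back is the only way to detect rejection.
function accepts(jar, name, size) {
  const value = "x".repeat(size - name.length);
  jar.cookie = `${name}=${value}; path=/`;
  const stored = jar.cookie.split("; ").includes(`${name}=${value}`);
  jar.cookie = `${name}=; path=/; max-age=0`; // remove the probe cookie
  return stored;
}

// Binary search for the largest accepted name + value size up to `upper`.
// Assumes acceptance is monotonic: if size n is rejected, so is n + 1.
function maxCookieSize(jar, name = "probe", upper = 1 << 20) {
  let lo = name.length; // an empty value is assumed to be accepted
  let hi = upper;
  while (lo < hi) {
    const mid = Math.ceil((lo + hi) / 2);
    if (accepts(jar, name, mid)) lo = mid;
    else hi = mid - 1;
  }
  return lo;
}

// Constructed stand-in for `document` (assumption, for offline runs only):
// silently drops any cookie whose name + value exceeds `limit` bytes.
function makeMockJar(limit) {
  const store = new Map();
  return {
    set cookie(str) {
      const [pair, ...attrs] = str.split(";").map((s) => s.trim());
      const eq = pair.indexOf("=");
      const name = pair.slice(0, eq);
      const value = pair.slice(eq + 1);
      if (attrs.includes("max-age=0")) { store.delete(name); return; }
      if (name.length + value.length > limit) return; // rejected, no error
      store.set(name, value);
    },
    get cookie() {
      return [...store].map(([n, v]) => `${n}=${v}`).join("; ");
    },
  };
}

console.log(maxCookieSize(makeMockJar(4096)));
```

In a browser console, call `maxCookieSize(document)` on an http(s) page to measure that browser's own per-cookie limit.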
0

Here are the details, which you can refer to: http://browsercookielimits.iain.guru/

Typically, the following are allowed:

  • 300 cookies in total
  • 4096 bytes per cookie
  • 20 cookies per domain
  • 81920 bytes per domain*

* Given 20 cookies of max size 4096 = 81920 bytes.
Iain