
I have a PHP (5.6) application. I benchmark the browser and try to log the $_COOKIE variable (or refresh info.php to get the cookies from PHP Variables).

Since 4KB per cookie is the browser/PHP limit, I use 2048 letter 'a's as the value of the test cookie.

  1. When I insert test1 = aaaaaaa....aaaaaa (2048 times 'a'):
  • The $_COOKIE can be correctly logged.
  2. When I insert more test cookies, 'test2', 'test3', ... with the same value as test1:
  • The $_COOKIE can be correctly logged.

_COOKIE var

  3. When I insert the 6th one, 'test6':
  • The $_COOKIE becomes empty [] and info.php stops showing the _COOKIE variable.

_COOKIE var disappeared

So the total size of cookies is limited to 12KB-13KB; how can I remove or increase this limit? I tried different configurations and each has a different limit. I also set up a Docker PHP, and it seems to have no limit at all. By comparing the info.php output, I cannot see any difference.

I know a modern browser can have 500-600 different cookies with 4KB each as a limit. But 3 full-size cookies for PHP is just too small.

I am not sure which plugin or setting is blocking the cookie from being set.

Vincent

2 Answers


This is probably related to a webserver limitation - AFAIK every webserver has a header size limit (cookies are sent in a header) and such a large amount of data in cookies will definitely hit that limit. You didn't specify what webserver you're using, but at least for Apache you can adjust that using the LimitRequestFieldSize directive.

But this could be anything on a higher level. Such a large header usually indicates some malicious activity (or at least a malfunction) and may be blocked by default at the WAF or load balancer level.

rob006
  • I set up an ELB and put CloudFormation behind it; the website is hosted by nginx and I have increased the nginx limitation to the ultimate. So according to your finding and my assumption, the header is not passed to the PHP engine from the client, which leads to the _COOKIE being empty. Thanks, that is probably correct. I will validate your finding. So far I did not see any error logged on the server nor on the webpage; I need to find another way to find the bottleneck. – Vincent Jan 30 '21 at 21:36
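As an added diagnostic (not code from the question or from either answer), the following PHP 5.6-compatible script separates the two cases raised in the comment above: the Cookie header never reached PHP (dropped upstream by the load balancer, WAF or webserver), or PHP received it and did not fill $_COOKIE. It assumes it is placed next to info.php and requested with the same test cookies; nothing upstream is assumed to rewrite the header.

```php
<?php
// Added diagnostic, not from the question or the answers. Written for PHP 5.6
// (no scalar type hints, no ?? operator). Request it with the test cookies set.

// Byte length of the raw Cookie header as PHP received it, or -1 if absent.
function cookie_header_bytes(array $server) {
    return isset($server['HTTP_COOKIE']) ? strlen($server['HTTP_COOKIE']) : -1;
}

// Number of name=value pairs in the raw header, counted without PHP's own
// cookie parser, so a truncated header shows up as a count mismatch.
// (Duplicate cookie names collapse in $_COOKIE, so treat 'partial' as a hint.)
function raw_cookie_count($header) {
    $parts = array_filter(array_map('trim', explode(';', $header)), 'strlen');
    return count($parts);
}

// Classify what happened to this request's cookies:
//   'no-header' - no Cookie header reached PHP: look upstream (ELB, nginx/Apache header limits)
//   'unparsed'  - header arrived but $_COOKIE is empty: look at PHP itself
//   'partial'   - fewer entries in $_COOKIE than pairs in the header
//   'ok'        - everything parsed
function classify_cookie_state(array $server, array $cookie) {
    $bytes = cookie_header_bytes($server);
    if ($bytes <= 0) {
        return 'no-header';
    }
    $parsed = count($cookie);
    if ($parsed === 0) {
        return 'unparsed';
    }
    if ($parsed < raw_cookie_count($server['HTTP_COOKIE'])) {
        return 'partial';
    }
    return 'ok';
}

$bytes = cookie_header_bytes($_SERVER);
$rawN  = $bytes <= 0 ? 0 : raw_cookie_count($_SERVER['HTTP_COOKIE']);
$state = classify_cookie_state($_SERVER, $_COOKIE);

// Keep a server-side record in the PHP error log, since the page itself shows
// nothing useful once $_COOKIE is empty.
error_log(sprintf('cookie-diag state=%s header_bytes=%d raw_pairs=%d parsed=%d',
    $state, max($bytes, 0), $rawN, count($_COOKIE)));

header('Content-Type: text/plain');
printf("state=%s\nCookie header bytes=%d\nraw pairs=%d\nparsed \$_COOKIE entries=%d\n",
    $state, max($bytes, 0), $rawN, count($_COOKIE));
```

A 'no-header' result at the size where $_COOKIE vanishes points at the proxy or webserver header limit rather than at PHP; an 'unparsed' result means the header did arrive and PHP's configuration is the place to look.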

This has nothing to do with PHP; the fact that you used all 4k for the value of the cookie is bad.

Taken from the cookie RFC 6265:

Practical user agent implementations have limits on the number and size of cookies that they can store. General-use user agents SHOULD provide each of the following minimum capabilities:

o At least 4096 bytes per cookie (as measured by the sum of the length of the cookie's name, value, and attributes).

o At least 50 cookies per domain.

o At least 3000 cookies total.

Servers SHOULD use as few and as small cookies as possible to avoid reaching these implementation limits and to minimize network bandwidth due to the Cookie header being included in every request.

Servers SHOULD gracefully degrade if the user agent fails to return one or more cookies in the Cookie header because the user agent might evict any cookie at any time on orders from the user.

Speaking of which, you should consider looking at every browser's specs, because I believe they have their own limitations.

Tch
  • I am not seeking a best practice here. There are always limitations in real scenarios blocking us from a best practice. Also, the description said it is the same browser and the same PHP build but different benchmarks. Your reference also said the 4KB is a [minimum] requirement, which says there should be nothing bad about using a larger cookie in a modern environment. – Vincent Jan 30 '21 at 01:36
  • You said you needed advice as to what might be happening, so I advised you, referring to the RFC, that the size of the cookie should be 4k including the key, the value, the expiration date, the path, plus other attributes, and that given the fact that you used 4k just for the value, you definitely end up with weird problems like yours. I can't see why you downvoted the post. – Tch Jan 30 '21 at 08:53
  • Sorry, I will change the description, since I retested my case with 2KB and PHP seems to break when the total header size comes to 12-13KB (5~6 * 2KB cookies), which is the same as what is obtained with full size. – Vincent Jan 30 '21 at 11:08
  • The issue stays the same; it should not be relevant to the limitation mentioned in the RFC. As I also mentioned, in my other Docker PHP I can insert as many cookies as I want with the same browser and the same PHP version. – Vincent Jan 30 '21 at 11:14