Number and size of cookies in Internet Explorer

I’ve been working on an Intranet project which has been attempting some hefty (and perhaps inadvisable) setting and retrieval of cookies via JavaScript. It’s led to some interesting discoveries, and more importantly the discovery of what seems like a bug in IE6. The project is for users with IE6 only.

Most of the documentation I’ve found (and there isn’t much) suggests that web browsers must support a minimum of:

  • 300 cookies in total
  • 20 cookies per domain
  • 4096 bytes per cookie

It seems as though this minimum requirement is part of the original RFC for cookies – see section 6.3 specifically.

I’ve been testing exclusively in IE6 (specifically, version 6.0.2900.2180.xpsp_sp2_dgr.050301-1519). I have found that the 20 cookies per domain limit is not just a minimum, but also the maximum, for IE6. If you set a 21st cookie for a given domain, then the 1st cookie is forgotten – so only the most recently-created 20 cookies are kept.

(As an aside, it’s possible to confuse what is meant by cookies with IE. IE6 keeps a separate text file, in C:\Documents and Settings\[username]\Cookies\ , for each user@domain. All cookies for a user in a given domain are stored in the text file. There isn’t a text file per cookie.)

The real problem, however, comes when you try and set cookies with a large size. The standards state that a browser must support a minimum of 4096 bytes per cookie. IE6 doesn’t do this. Instead, it seems to have a maximum size of 4096 bytes for all cookies from a domain. And, even worse, once this maximum is exceeded, you can’t read or write any further cookies for that domain. The only solution I’ve been able to find is for the user to “Delete cookies…” from Tools > Internet Options > General, and start again.

(I initially ran into a sub-problem when testing this theory. I would set four cookies, each of 1,000 bytes, all set via JavaScript, within one page. I’d then try and set a fifth of the same size, and the bug mentioned above would be triggered. However, if I then refreshed this page, I got a http 400 error from the server. No idea why. To remove this from the equation, I created 5 separate pages, each of which set a 1,000-byte cookie. This removed the http error, but still left me with the problem mentioned above once the 5th cookie was set.)

I’ve not been able to find any information about this problem elsewhere, which surprised me. I’ve also not been able to find a workaround. Perhaps everyone else stays within more sensible limits for their cookies :-) I guess that for a public web site, these limits (20 cookies per domain, 4096 bytes per cookie – allegedly) are pretty sensible. However, for an Intranet (like the one I’m working on), they become a problem. 20 cookies is a very small limit if your entire Intranet is served from one domain, and for large intranets, different development teams don’t always tell each other how many cookies they are using. (Which makes squishing values into a single cookie a good idea, rather than spreading them over a cookie each). And that 4k limit – whilst perhaps never reached in most cases, due to the 20 cookie limit – could quickly become a problem too.

Moral? Use databases for big things, and make sure your JavaScript code can cope with any one of its cookies mysteriously disappearing :-)

(Cookie testing was completed with many thanks to the excellent log4javascript.)

40 thoughts on “Number and size of cookies in Internet Explorer

  1. Type your comment here.
    I also have a problem on cookies, while trying to set more than 20 cookies but i don’t know why the last 20 variables only stored in cookie. After reading this i know the reason. it helps to me. Thanks for your information.

  2. Thanks for the write-up. I was banging my head against the wall trying to figure out why my cookies were disappearing on IE and stumbled across your article. While it’s not good news at least now I know to pursue another direction!

  3. I haven’t been able to determine whether or not the 20 cookie limitation continues with IE7. Anyone found any definitive information on this?

    Thanks,
    Andrew

  4. I have tested Firefox and it is able to save 50 cookeis per domain, but, as well as IE6, one of these cookies is the aspsessionid. So it supports 49 cookies.
    Is there any other way to save data in local PC? I am trying to save the form data (~100 fields) in the local PC before sending them to the server under a secure conection, because session looses very frequently. In this way, if session dies, the user log on secure site again and rescue the data from the local PC.

  5. Hi Andrew,

    Not had time to try it as yet – but even if the limit is 20, I’d hope they’ve fix the bogus 4k limit to be per cookie rather than for all cookies. Let me know if you find out.

  6. Hi Javier,

    As I understand it, aspsessionid is a cookie like any other, so it supports 50 cookies, not 49. You’ll only get an aspsessionid if you’re working with asp.

    As for any other way to save the form data locally – in a word, “no”. Security on this is very tight. *If* the user is willing to relax their browser security hugely, then IE does have the ability to write to the local file system using an ActiveX object (Scriptlet.Typelib, I think). But this is extremely unlikely to be allowed by users, and should be avoided at all costs.

    Generally speaking, anything that would allow you to store info locally would be a security problem, and so this is turned off by default or not possible. Cookies are the exception, and even then they have their own strict security conditions.

  7. For Internet Explorer there is a concept called UserData. This is a secure data store accesible through javascript without the need for ActiveX. It is *only* IE, though.
    eg http://www.eggheadcafe.com/articles/20010615.asp

    With Firefox, if you’re able to specify that your clients use the GreaseMonkey extension then that also provides data storage.

    If you don’t care two hoots about expiry date, domain, path, it’s better is to have a cookie object of your own which saves everything in a single document.cookie value. That eradicates the 20 cookie limit. Alternatively have one cookie-store for up to 20 sub-domains. The 4K limit remains a bummer. :-/

  8. Thanks a lot for writing this up in a blog. I have used many hours trying to figure out why my application server was loosing its session (jsessionid cookie). It seams to be the same problem in IE7!

  9. Good info here. This may explain why my javascript online catalog stops working after about 16 different products are entered into it. It just goes blank … which sucks. I need a cookieless way to track selections from page to page and have them add up on the invoice. If you have any ideas on how to do this without getting into server-side database managemnent, please send me an email!

  10. Hi there,

    The simplest way is to squish multiple values into one cookie. If you are referencing products by an unique ID, then as long as the ID is short enough, you could set a cookie to (for example) “1234^6543^2345″ for products 1234, 6543 and 2345. You can then overwrite this cookie as more products are added. This removes the need for one cookie per product, and as long as you steer clear of the 4k limit, should do what you need!

    Dave.

  11. Thanks for writing this up – you’ve saved me hours of hassle. A quick look around the web suggests that the 20-per-domain issue is also present in IE7. The IE team is, for once, obeying standards, although to our detriment! I suppose we can’t have it both ways… Also: apparently Opera has a 30 cookies limit, so is slightly higher than IE but not as generous as FF

  12. No problem! Out of interest, does anyone know if IE7 still has the 4KB per domain (rather than 4KB per cookie) bug? I’ve not upgraded yet (I still need IE6 for client testing).

  13. I know it’s difficult in many cases to implement, but the best solution i crossed with, is switch to a more seriously developed web browser(like firefox, but you don’t need to stick to it). anyway it also take of the developer’s shoulders the work of double coding, for internet explorer and for any other browser that follows more appropriately the w3 consortium recommendations(or simply, follow the w3 consortium recommendations). so if you can convince the client to switch to a serious browser, go ahead and do it. and if you think that change your applications to use another browser other than ie, believe me, you will have more headaches trying to bypass our beloved microsoft’s products bugs.

  14. Thanks for the research. I have hit this problem yet, but I have a project that may hit the cookies heavily – knowing this I can save myself some white hair.

  15. Thank you very much for the article. I ran into the same problem with my php app “forgetting” the session cookie if too many other cookies were created. Nasty stuff. So, thank you very much again!

    PS: The limit also applies for IE7.

  16. Regarding the “maximum size of 4096 bytes for all cookies from a domain”. Do cookies with fully specified hosts also count towards the limit? In other words can I set 4K worth of cookies for abc.com and 4K more for xyz.abc.com or only 4K total across both?

  17. I just noticed this 4096 limit on total domain. But the Cookies files on disk are having complete data, even after 4096 bytes. But browser is not sending the complete data with the requests.

    Thanks a lot for this article.

    Are you aware of any session cookie issue with IE 7. IE 7 is clearing session cookies in between for my application.

    Thanks and Regards,
    Omprakash

  18. Hey Dave,

    Thank you so much!!! I also spent long hours trying to understand what is wrong with IE and the cookies there.

    Thanks again for writing this article,
    Raya

  19. Pingback: the scent » Solving IE Cookies disappearing issue with Mootools and Hash.Cookies

  20. Other people (including yours truly) *have* found it very useful. Thanks for sharing all this and kicking off the discussion.

    Also want to add that some browser cookies (I’ve only seen in Firefox) turn period “.” chars into underscores. I’ve got several addons (firebug, yslow, jajah, etc) installed, so there’s a possibility one of them may be responsible.

  21. Yes, above 4K total all the cookies “disappear” from view.

    But if you remove one of the offending cookies, and thereby drop the total back below the limit, all the other cookies will magically appear again.

  22. Pingback: apache->VHOST - php session problem - immer neue session id - Forum Fachinformatiker.de

  23. Pingback: Streaming objects into a cookie « Brian Pedersen’s Sitecore and .NET Blog

  24. For something like a shopping cart, you could send cart info (products in cart) in the url using javascript to add to the query string when going to the next page, then parse the items out of the query string when you get to the next page — something like next_page.html?cart=1244,3366,1324,2314,4321

  25. I had that same problem, at least somebody has written about it.

    I found out it seems to happen in IE 8 browser aswell, doesnt seem to let me add more data than about 500 characters.

  26. From my own testing, IE 8 seems to have increased the limit to around 10k per domain. The cookie data is all there but it won’t let you read it, except using the debugger. You can keep writing it however. For example, write a ‘.’ to replace a large cookie and see your other ones magically reappear.

  27. If you really need local storage at the client side, to save traffic or server CPU, you might run your site in a single frame website. The frameset (the ‘outer’ page) holds the data, while the frame (the ‘inner’ page) provides the view. Any information you need to resuse can be retrieved from the frameset, even before the onload event! Works in any browser.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>