Most of the documentation I’ve found (and there isn’t much) suggests that web browsers must support a minimum of:
- 300 cookies in total
- 20 cookies per domain
- 4096 bytes per cookie
It seems as though this minimum requirement is part of the original RFC for cookies – see section 6.3 specifically.
I’ve been testing exclusively in IE6 (specifically, version 6.0.2900.2180.xpsp_sp2_dgr.050301-1519). I have found that the 20 cookies per domain limit is not just a minimum, but also the maximum, for IE6. If you set a 21st cookie for a given domain, then the 1st cookie is forgotten – so only the most recently-created 20 cookies are kept.
(As an aside, it’s possible to confuse what is meant by cookies with IE. IE6 keeps a separate text file, in C:\Documents and Settings\[username]\Cookies\ , for each user@domain. All cookies for a user in a given domain are stored in the text file. There isn’t a text file per cookie.)
The real problem, however, comes when you try and set cookies with a large size. The standards state that a browser must support a minimum of 4096 bytes per cookie. IE6 doesn’t do this. Instead, it seems to have a maximum size of 4096 bytes for all cookies from a domain. And, even worse, once this maximum is exceeded, you can’t read or write any further cookies for that domain. The only solution I’ve been able to find is for the user to “Delete cookies…” from Tools > Internet Options > General, and start again.
I’ve not been able to find any information about this problem elsewhere, which surprised me. I’ve also not been able to find a workaround. Perhaps everyone else stays within more sensible limits for their cookies I guess that for a public web site, these limits (20 cookies per domain, 4096 bytes per cookie – allegedly) are pretty sensible. However, for an Intranet (like the one I’m working on), they become a problem. 20 cookies is a very small limit if your entire Intranet is served from one domain, and for large intranets, different development teams don’t always tell each other how many cookies they are using. (Which makes squishing values into a single cookie a good idea, rather than spreading them over a cookie each). And that 4k limit – whilst perhaps never reached in most cases, due to the 20 cookie limit – could quickly become a problem too.