tags:

views:

309

answers:

4
+3  Q: 

What is the maximum size of a cookie, and how many can be stored in a browser for each web site?

I am learning about cookies, and I wonder about browser support when writing web applications that rely on cookies to store state.

  • For each domain/web site, how many cookies may be sent to a browser, and of what size?

  • If multiple cookies are sent and stored, does that affect performance?

+4  A: 

Firstly, I suggest you don't worry about this issue. There is AMPLE room to serialize tons of identifiers to.

Secondly it's not stored by web-server but by web-domain -- e.g., www.google.com and not the 100's of different physical servers that serve the Google domain.

Thirdly if you do have to worry know that their are two possible cookie headers. The sizes of these cookie headers are determined by the browser software limits.

Design Discussion

What you don't want to use the cookie header for is sending details about a client's session. E.g., don't try to stuff the email a client is typing into a cookie if you are building an email front-end. Instead you would send the client a cookie that represents his identity+session: you store all sessions data against this identity. You can store tens of identifiers (4-16 bytes) per cookie header and no one needs more than say 4 of these. The cookies data (as an integer) tends to be encoded to base64 which increases the byte-count.

Performance

Your browser sends a plethora of headers to a web-server. The cookie is just another 100-1000 bytes (mostly closer to 100). At both extremes it takes only a fraction of time to send these to the web-server -- when placed into context of course. You should keep in mind that the web is built on text based protocols.

Hassan Syed  2010-01-18 15:37:56
The cookie header is not only sent to request the html, but for all resources that is loaded from the same domain. So if a lot of data is stored in cookies, it will affect performance quite a bit. http://www.yuiblog.com/blog/2007/03/01/performance-research-part-3/
gregers  2010-04-19 14:07:04
well yes, I am evidently not suggesting storing the combined works of Shakespeare in the cookie. People have the ability to exercise common sense when reading informal answers on stack overflow.
Hassan Syed  2010-04-19 14:24:31
Also that analysis is completely useless in the general case. I have written high performance custom GUID based cookie generation code in my research and it adds NO extra latency. So you really need to learn how to interpret research based results and learn how to place them in context, instead of shoehorning the results which don't apply into this answer. To quote Saadi "Nothing is so good for an ignorant man as silence; and if he was sensible of this he would not be ignorant."
Hassan Syed  2010-04-19 14:36:32
+2  A: 

Different browswers have different size limites on cookies. Here is the information for IE. Here is a page that lists several browsers.

Cookies are not saved on a server basis but on a domain basis (a server may host many domains or the opposite a server farm may be serving a single domain).

In general, I would avoid saving lots of information in cookies, as the data gets sent to and from the browser on every request. As you suggest in your question, this can have a effect on performance.

Usually one stores small amounts of data in the cookie, mostly used to identify the user/session so more data can be picked up from a database or another resource local to the web server.

Oded  2010-01-18 15:42:20
Many agree about not making the cookies too large (or avoid them whenever possible, like for static content): http://yuiblog.com/blog/2007/03/01/performance-research-part-3/ But still Ruby on Rails stores the whole session in a cookie by default: http://guides.rubyonrails.org/security.html#session-storage
Arjan  2010-01-19 07:51:03
+2  A: 

If you're programming a web site, it's a good idea not to store too much in a cookie, because that cookie gets send to the server every time the user requests a page from your site. A far better solution is to just store a unique id in the cookie, and let the server pull up the required information from a database or file store based on that unique id. Unfortunately that solution leads to people worrying about what you're tracking about them, so you might want to have a "cookie policy" expressed somewhere on your site talking about why you're placing a cookie on their browser and what you do and don't track about them.

Paul Tomblin  2010-01-18 15:43:48
+2  A: 

4 KB per cookie. 20 cookies per domain in Internet Explorer 6. This means the common denominator is 80 KB of data, split across 20 chunks (clumsy at best).

Generally it's recommended to preserve state on the server, and use cookies only for session tracking. They're sent along with every request, and you really don't want dozens of KB of data crossing the wire on every server call.

If you do want to keep state on the client, and you can use JavaScript to do it, there are options. The PersistJS library implements all of them (as a convenient key/value store). Dojo storage is another well known cross-browser local storage library.

A short summary of storage options:

  • localStorage / globalStorage: Firefox 2+, Chrome 4+, Safari 4+, Internet Explorer 8+. 5 MB per domain.
  • userData: Internet Explorer 5.5+. 64 KB per domain in the restricted zone, 128 KB per domain in the internet zone.
  • Flash 8 persistent storage: any browser with Flash 8+. 100 KB, more with user permission.
  • Google gears: any browser with the Gears plug-in. 2 GB, requires explicit user approval.

So, generally it depends on your use case:

  • Less than 10 KB, I would use cookies. Transparent to the user, and universally supported.
  • Between 10 KB and a 100 KB, a combination of userdata, localstorage and Flash might be what you need to deliver a transparent solution across all common browsers. I just replaced cookies with such a solution in the web applications I develop, and it works great.
  • 100 KB and up: Flash or Gears. Either way the user has to explicitly authorize you to store data. Gears is easiest to use, as it provides a SQL API.
Joeri Sebrechts  2010-01-19 20:24:44
RFC 2109 specifies minimum 20 cookies pr domain. Each 4kB. But I've read that IE6 only have 4kB for all 20 of them. So just 4kB in total!
gregers  2010-04-19 13:58:29

related questions

Web framework programming mindset
ASP.NET - asp:xxx Controls versus standard HTML
From Desktop to Web browser considerations
Which PHP Framework will get me to a usable UI the fastest?
Best practice for integrating TDD with web application development?
How to Manage Web Development?
When is a file just a file?
Recommendations for browser add-on tools to help with development
REALLY Simple Website--How Basic Can You Go?
Convince Firefox to send an If-Modified-Since header over HTTPS
What do the getUTC* methods on the date object do?
Planning and Building a mobile enabled site for your main site.
Firebug for IE
Javascript and PHP - Login Script with hidden buttons
Firebug won't display console feeds for some of my sites
Displaying ad content from Respose.WriteFile()/ Response.ContentType
How can I detect if a browser is blocking an popup?
How to Test Web Code?
What PHP framework would you choose for a new application and why?
How do you disable browser Autocomplete on web form field / input tag?
What is Progressive Enhancement?
In HTML, how to word-break on a dash?
The Definitive Guide To Website Authentication
How do you test layout design across multiple browsers/OSs?
How much of the Web build process do you/should you automate?