As far as Google searches tell me, the maximum allowed number of cookies depends very much on the browser; however, I cannot find any recent data as to how many cookies are allowed on modern browsers.

I need to store a somewhat large number of user preferences in cookies (for not-yet-registered users), so what would be the best way of doing that? (Also, those cookies would be accessed both via JavaScript client-side and PHP server-side.)

+8  A: 

The best way would be to not store them in a cookie at all.

Store them in a database, and store the DB key in the cookie. If it's just a few preferences then security isn't much of an issue.

Don't forget that cookies will be sent with every request - if you have 2kb of cookie data and load 10 images on a page, that's an extra 22kb of data.

Greg
They are stored in the database as well, however, we're assuming there will be a large enough number of visitors, so I feel sort of queasy about thrashing the database for, say, 20 to 50 values on every page request. Cookies would take at least some part of the load away.
Nouveau
You only need to pull them out of the database for the first hit then put them into the session.
Greg
+1  A: 

IIRC, it's 20 for the majority general, more for some, and 10 for one particular browser (again IIRC, IE5.5?). Up to 10 is considered a safe number.

You don't really need more than one anyway - just use one to store an ID client-side and store everything you need stored server-side against that same ID. Apart from anything else, the less data you leave to the client, the less there is for them to remove/corrupt/hack/etc.

JoeBloggs
+6  A: 

From the RFC:

  • at least 300 cookies

  • at least 4096 bytes per cookie (as measured by the size of the characters that comprise the cookie non-terminal in the syntax description of the Set-Cookie header)

  • at least 20 cookies per unique host or domain name

Those are minimum requirements. The IE6 team didn't get that. Everything else is highly browser-specific. You'd better write a test-platform to test each browser. Test the maximum size and number with little incremental steps (and check if they still are readable).

Also, I seem to remember Apache has a problem with huge numbers of cookies. Can't remember where I've seen that though.

Here is a little cookie-testing script: http://krijnhoetmer.nl/stuff/javascript/maximum-cookies/

Berzemus
From that rfc, and the same section quoted above, the last paragraph says: 'Applications should use as few and as small cookies as possible, and they should cope gracefully with the loss of a cookie.' That may be better advice than worrying about banging up against user agent limits.
Grant Wagner
A: 

You can also store settings in the session, which requires only 1 cookie, but can have a large number of variables. Like the database, sessions require a bit more storage on the server, but PHP has a good amount of built-in management for them.

acrosman
A: 

But what about security? If you store all the visitor's information in a database, and only use one cookie to place the key, doesn't that open you up to someone else manipulating their own cookies to fake being someone else, and then pick up all the other people's info?

Mark
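
The concern raised in the last post applies when the cookie holds a guessable key such as a database row number. The sketch below is an added example, not code from any of the posters: it issues a random 128-bit identifier with an HMAC tag and verifies it before any database lookup. The cookie name `pref_id`, the function names and the in-script key are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

const PREF_COOKIE = 'pref_id'; // hypothetical cookie name

// Issue an opaque identifier: 128 bits from the CSPRNG plus an HMAC tag.
// The random part cannot be enumerated the way an auto-increment key can;
// the tag lets the server reject edited values without touching the database.
function issue_pref_token(string $secret): string
{
    $id = bin2hex(random_bytes(16));
    return $id . '.' . hash_hmac('sha256', $id, $secret);
}

// Return the identifier if the cookie value is well formed and the tag
// matches, otherwise null. hash_equals() compares in constant time.
function verify_pref_token(string $token, string $secret): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2 || !preg_match('/\A[0-9a-f]{32}\z/', $parts[0])) {
        return null;
    }
    [$id, $mac] = $parts;
    $expected = hash_hmac('sha256', $id, $secret);
    return hash_equals($expected, $mac) ? $id : null;
}

// Send the token as a cookie (PHP 7.3+ options array). Only the identifier
// travels to the browser; the preferences stay in the database or session.
function send_pref_cookie(string $token): void
{
    setcookie(PREF_COOKIE, $token, [
        'expires'  => time() + 30 * 86400,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Constructed demonstration. Assumption: a real deployment loads a fixed
// secret from server-side configuration instead of generating one per run.
$secret = random_bytes(32);
$token  = issue_pref_token($secret);
$forged = ($token[0] === '0' ? '1' : '0') . substr($token, 1); // edited id, old tag

echo 'genuine token accepted: ', var_export(verify_pref_token($token, $secret) !== null, true), PHP_EOL;
echo 'edited token accepted:  ', var_export(verify_pref_token($forged, $secret) !== null, true), PHP_EOL;
echo 'bare row id accepted:   ', var_export(verify_pref_token('42', $secret) !== null, true), PHP_EOL;
```

A token that fails verification should be treated as a missing cookie: issue a fresh identifier and fall back to default preferences.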