First look on Cookies


I wrote a simple script to set some cookies, and found some cute numbers on the maximum cookies to be set per domain name per path. The cookies are in the form of <key>=<val>, e.g. 1=1, 2=1, 3=1, 4=1. The length of the cookie name matters, as I found out.

Internet Explorer 7 – 20 cookies, maximum of 244 Set-Cookies per page.

Firefox 3 – 50 cookies.

Safari 3 – 1161 cookies, no limit on Set-Cookies per page. See analysis below.

Opera 9 – 30 cookies.

Chrome 0.4 – 59~70 cookies, I have no idea why it is varying.

Tencent Traveller 2 – 20 cookies, follows the behaviour of Internet Explorer 7.

Except for Safari 3, all browsers have a limit on the number of cookies that can be set. I guess Safari is using a linked list for that. For most browsers, although the HTTP response code is 200, they will report that the page cannot be displayed. However, for Safari, since it has no limit, when the cookie headers are too long ( > 7619 ), Apache replies with a 400 Bad Request.

I haven’t thought of any interesting tests yet, but feel free to discuss if there is anything we can do about them. By the way, I remember Hotmail sets a whole lot of cookies, like BrowserSense and BS, which are obviously just duplicates (legacy code, yeehh!). I wonder, are they hitting the limits soon? =)

Tencent Traveller 2, which I bet none of you outside of China will know about, is actually a browser in China that is built on top of IE7. Think of it as a GUI on top of IE7; it even uses IE7’s cookies, too. I have no idea of its adoption in China. Only after testing did I realize I am using a very old version of it. I’ll see if there’s anything interesting in its newest version, 4.4.

So much for debugging last time. Let’s get back to the web. =P

Tencent Traveller – http://www.skycn.com/soft/14500.html

RFC2109 – http://www.faqs.org/rfcs/rfc2109.html

RFC2965 – http://www.faqs.org/rfcs/rfc2965.html
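
The measurement the post describes, as an added example rather than the author's own script: a local Python server that sets numbered cookies in the post's <key>=<val> form and reports which ones the browser sends back. The port, the /set and /count paths, the function names and the reading of 7619 as the length of the Cookie header value are assumptions.

```python
# Added example (not the post author's script): count the cookies a browser keeps.
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs

APACHE_LIMIT = 7619  # length quoted in the post; applied to the Cookie value (assumption)


def set_cookie_lines(n):
    """Set-Cookie values for 1=1, 2=1, ... n=1, the post's <key>=<val> form."""
    return [f"{i}=1; Path=/" for i in range(1, n + 1)]


def analyze(cookie_header, n_set):
    """Summarise the Cookie request header the browser sent back."""
    names = [p.split("=", 1)[0].strip() for p in cookie_header.split(";") if p.strip()]
    kept = sorted({int(x) for x in names if x.isdecimal() and 1 <= int(x) <= n_set})
    newest = list(range(n_set - len(kept) + 1, n_set + 1))
    return {
        "kept": len(kept),
        "lowest": kept[0] if kept else None,
        "highest": kept[-1] if kept else None,
        # True when only the most recently set cookies survive (oldest evicted first)
        "oldest_evicted": 0 < len(kept) < n_set and kept == newest,
        "header_len": len(cookie_header),
        "over_apache_limit": len(cookie_header) > APACHE_LIMIT,
    }


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        raw = parse_qs(url.query).get("n", ["100"])[0]
        n = min(int(raw), 2000) if raw.isdecimal() else 100
        self.send_response(200)
        if url.path == "/set":  # step 1: hand the browser n numbered cookies
            for line in set_cookie_lines(n):
                self.send_header("Set-Cookie", line)
            body = f'<a href="/count?n={n}">count what came back</a>'
        else:  # step 2: report what the browser returned
            body = repr(analyze(self.headers.get("Cookie", ""), n))
        data = body.encode()
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()  # local test only
```

Open http://127.0.0.1:8000/set?n=100 in the browser under test, then follow the link to see how many cookies survived and whether the oldest ones were dropped.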


4 Responses to “First look on Cookies”


  1. kuza55 December 8, 2008 at 10:03 am

    Not sure if you saw this, but it turns out that Firefox (2 at least, I’ve been too lazy to go about testing 3) and Opera 9.whatever (but not IE) have global cookie limits, such that you can delete cookies from other domains by setting a bunch of cookies on your subdomains: http://kuza55.blogspot.com/2008/02/understanding-cookie-security.html (see heading “Exhausting Cookie Limits”) and here is a possible application: http://kuza55.blogspot.com/2008/02/racing-to-downgrade-users-to-cookie.html

    Just to get you thinking; hopefully you can find something more interesting there :)

  2. log0 December 8, 2008 at 12:12 pm

    Wow… that is far more comprehensive than my findings. Very very interesting. I am sure I will look into them later. BTW, it seems our numbers on the maximum number of cookies are not agreeing on IE7. Are you doing that on IE8 beta ( Not IE6?! ).

    Hey, BTW, I saw your name on the XFocus speakers section. I couldn’t go there as I was occupied. I am sure I felt a little bit depressed to find you there – cause I am missing it yet I’m so close =( The topic is certainly very interesting as I am going to dive into it ( Same Origin Policy ). Will you share your thoughts on that? I am sure it will be very inspiring!

  3. kuza55 December 9, 2008 at 2:43 am

    It could be because I was setting cookies with JavaScript, rather than Set-Cookie headers.

    I just ran a test using some dodgy javascript:
    javascript:for (i=0;i<100;i++) {document.cookie = i+"=123";} alert(document.cookie);
    And it still seems to be 50 (cookies 50-99 remain)

    Sure, hit me up some time, me and some other smart people are usually on irc.irchighway.net #slackers, or just email me or whatever :) I’ll post my slides from xcon soon as well…

  4. log0 December 9, 2008 at 8:01 am

    >>Kuza55

    Thanks for the articles, really great stuff. I will come and hook you guys up sometime. =)

    I’m looking forward to the posts, you can write really well, and I guess I have to digest a lot of articles again. hah.

