BT

Internet Explorer increases cookie limit to 50

by Gavin Terrill on Sep 03, 2007 |
Microsoft has released an update to Internet Explorer that increases the number of cookies allowed per domain from 20 to 50, equivalent to FireFox. Eric Lawrence, Program Manager at Microsoft and the man behind the Fiddler HTTP debugging proxy, wrote about the release:
In the past, IE’s cookie jar stored a maximum of 20 cookies per domain. If more than 20 cookies were sent by the server, older cookies were automatically dropped by the browser. The dropped cookies could lead to lost website settings, an empty web shopping basket, or similar problems.
The 20 cookie limit dates back to the original Netscape preliminary specification: Client Side State - HTTP Cookies. While an increase to 50 cookies for Internet Explorer may sound like an improvement, there are significant performance implications when you take into account the increased request size and slower upload speeds:
Unfortunately, cookies can dramatically impact the size of HTTP requests, slowing down the user’s browsing experience significantly.  Many of today’s web users have connections with asymmetrical bandwidth, having download speeds 2 to 5 times faster than their upload speeds.  This means that in some cases, HTTP request size is a more important factor than the size of the server’s response in determining overall transfer time.
Eric offers three strategies to deal with these implications:
  1. minimize the size of your cookies - for example by using shorter variable names.
  2. deliver static content from a different domain - so that the cookies are not sent in the request.
  3. minimize the size of your cookies - where you limit cookies based on path:
    The last strategy is similar to the second, except that you can undertake it with just one domain.  If you can keep all of your pages that need access to cookies within a single path (e.g. http://example.com/webapp/) you can use the Path attribute on the cookie to specify that the cookie should only be sent for requests within that path. This will ensure that requests sent outside of that path (e.g. http://example.com/images/) are not forced to carry unneeded cookies.
Eric also suggests restricting cookie access from client side scripts to help mitigate Cross Site Scripting attacks:
If your cookies are only used by your server, and your scripts don’t require access to your cookies, use the HttpOnly attribute to help protect your site against cookie theft via cross-site scripting attacks
The HttpOnly attribute was introduced in Internet Explorer 6 SP1. It will also be supported in Firefox 3, and is available as a FireFox Add-On now.

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Discuss

Educational Content

General Feedback
Bugs
Advertising
Editorial
InfoQ.com and all content copyright © 2006-2014 C4Media Inc. InfoQ.com hosted at Contegix, the best ISP we've ever worked with.
Privacy policy
BT