Microsoft has released an update to Internet Explorer that increases the number of cookies allowed per domain from 20 to 50, equivalent to Firefox. Eric Lawrence, Program Manager at Microsoft and the man behind the Fiddler HTTP debugging proxy, wrote about the release:
In the past, IE’s cookie jar stored a maximum of 20 cookies per domain. If more than 20 cookies were sent by the server, older cookies were automatically dropped by the browser. The dropped cookies could lead to lost website settings, an empty web shopping basket, or similar problems.
The 20 cookie limit dates back to the original Netscape preliminary specification: Client Side State - HTTP Cookies. While an increase to 50 cookies for Internet Explorer may sound like an improvement, there are significant performance implications when you take into account the increased request size and slower upload speeds:
Unfortunately, cookies can dramatically impact the size of HTTP requests, slowing down the user’s browsing experience significantly. Many of today’s web users have connections with asymmetrical bandwidth, having download speeds 2 to 5 times faster than their upload speeds. This means that in some cases, HTTP request size is a more important factor than the size of the server’s response in determining overall transfer time.
Eric offers three strategies to deal with these implications:
- minimize the size of your cookies - for example by using shorter variable names.
- deliver static content from a different domain - so that the cookies are not sent in the request.
- limit cookies based on path - so that a cookie is only sent with requests within the path it is scoped to:
The last strategy is similar to the second, except that you can undertake it with just one domain. If you can keep all of your pages that need access to cookies within a single path (e.g. http://example.com/webapp/) you can use the Path attribute on the cookie to specify that the cookie should only be sent for requests within that path. This will ensure that requests sent outside of that path (e.g. http://example.com/images/) are not forced to carry unneeded cookies.
Eric also suggests restricting cookie access from client side scripts to help mitigate Cross Site Scripting attacks:
If your cookies are only used by your server, and your scripts don’t require access to your cookies, use the HttpOnly attribute to help protect your site against cookie theft via cross-site scripting attacks
The HttpOnly attribute was introduced in Internet Explorer 6 SP1. It will also be supported in Firefox 3, and is available as a Firefox Add-On.
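The following is an added example (not code from the article or from Eric Lawrence's post) that models the two cookie attributes discussed above: it parses `Set-Cookie` headers, applies the RFC 6265 path-match rule to decide which cookies a browser would attach to a request for a given path, excludes `HttpOnly` cookies from what page script could read, and measures the `Cookie:` header bytes a request carries. The cookie names and values, and the `/webapp/` and `/images/` paths, are constructed for illustration; cookies without a `Path` attribute are assumed to default to `/`.

```python
"""Model how the Path and HttpOnly attributes change what a browser sends.

Added example, not code from the article or from Eric Lawrence's post.
Implements the RFC 6265 section 5.1.4 path-match rule and the HttpOnly
script restriction over a toy cookie jar. Sample cookies are constructed.
"""
from dataclasses import dataclass
from http.cookies import SimpleCookie


@dataclass
class Cookie:
    name: str
    value: str
    path: str = "/"
    http_only: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into the Cookie model above.

    Assumption: a cookie with no Path attribute is scoped to "/". Real
    browsers derive a default path from the request URI instead.
    """
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    return Cookie(
        name=name,
        value=morsel.value,
        path=morsel["path"] or "/",
        http_only=bool(morsel["httponly"]),
    )


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 path-match: the cookie path must be a directory prefix
    of the request path, so "/webapp" matches "/webapp/x" but not "/webapp2"."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def cookie_header(jar: list[Cookie], request_path: str) -> str:
    """The Cookie header value a browser attaches to a request for request_path."""
    sent = [c for c in jar if path_matches(c.path, request_path)]
    return "; ".join(f"{c.name}={c.value}" for c in sent)


def script_visible(jar: list[Cookie], request_path: str) -> str:
    """What document.cookie would expose on a page at request_path:
    cookies in scope for the path, minus those flagged HttpOnly."""
    visible = [
        c for c in jar
        if path_matches(c.path, request_path) and not c.http_only
    ]
    return "; ".join(f"{c.name}={c.value}" for c in visible)


def request_overhead_bytes(jar: list[Cookie], request_path: str) -> int:
    """Bytes the Cookie header adds to a request; 0 if no cookie is in scope."""
    header = cookie_header(jar, request_path)
    if not header:
        return 0
    return len(f"Cookie: {header}\r\n".encode("ascii"))


# Constructed Set-Cookie headers: the session cookie is path-scoped and
# HttpOnly, the theme cookie is path-scoped only, the tracking cookie has
# no Path and so rides along on every request to the domain.
SAMPLE_SET_COOKIE = [
    "session=abc123; Path=/webapp/; HttpOnly",
    "theme=dark; Path=/webapp/",
    "tracking=xyz",
]
JAR = [parse_set_cookie(h) for h in SAMPLE_SET_COOKIE]

if __name__ == "__main__":
    for path in ("/webapp/cart", "/images/logo.png"):
        print(f"GET {path}")
        print(f"  Cookie header : {cookie_header(JAR, path) or '(none)'}")
        print(f"  document.cookie: {script_visible(JAR, path) or '(none)'}")
        print(f"  overhead bytes : {request_overhead_bytes(JAR, path)}")
```

Running it shows the effect of the two strategies: a request under `/webapp/` carries all three cookies, while a request for an image under `/images/` carries only the unscoped `tracking` cookie, and page script under `/webapp/` cannot read `session` because it is `HttpOnly`.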