Browser Cookie Limits

— Paul Annesley, December 2006

I’ve been working on a website where some users have reported their “Remember Me” session is often being lost by Internet Explorer. The cause appears to be Internet Explorer rejecting cookies beyond a total of 20 for the domain.

Interestingly, Internet Explorer seems to be the only browser to correctly enforce the 20 cookies per domain limit specified by RFC 2965.
Here are the limits enforced by the handful of browsers I have tested:

Any new cookies beyond these limits are rejected by the browsers.

EDIT 30 March 2007:
Thanks to Tobias Hinnerup for pointing out that RFC 2965 actually specifies that user agents must support “at least 20 cookies per unique host or domain name”, rather than specifying a limit. This still implies a limit on the number of cookies we can assume a user agent adhering to the RFC will store.
From the RFC:

Because user agents have finite space in which to store cookies, they MAY also discard older cookies to make space for newer ones, using, for example, a least-recently-used algorithm, along with constraints on the maximum number of cookies that each origin server may set.
RFC 2965 HTTP State Management Mechanism
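
The two outcomes described above, rejecting new cookies at the limit versus the least-recently-used discard the RFC permits, modelled as an added example (not code from the original post). The cookie names, the policy labels and the treatment of 20 cookies per host as a hard cap are assumptions made for illustration.

```javascript
// Added example: toy cookie jar for ONE host. Not real browser code.
// Assumptions: a hard cap of 20 (the RFC 2965 minimum) and two policies:
//   "reject-new" - the behaviour the post reports for Internet Explorer
//   "evict-lru"  - the least-recently-used discard the RFC permits
class CookieJar {
  constructor(policy, limit = 20) {
    this.policy = policy;
    this.limit = limit;
    this.cookies = new Map(); // Map keeps insertion order: oldest use first
  }

  // Returns true if the cookie is stored after the call.
  set(name, value) {
    if (this.cookies.has(name)) {
      this.cookies.delete(name); // overwrite counts as a use; move to newest
    } else if (this.cookies.size >= this.limit) {
      if (this.policy === "reject-new") return false;
      const oldest = this.cookies.keys().next().value;
      this.cookies.delete(oldest); // make room by dropping the LRU entry
    }
    this.cookies.set(name, value);
    return true;
  }

  // Reading a cookie refreshes its position in the LRU order.
  get(name) {
    if (!this.cookies.has(name)) return undefined;
    const value = this.cookies.get(name);
    this.cookies.delete(name);
    this.cookies.set(name, value);
    return value;
  }
}

// Constructed scenario: the site sets `others` unrelated cookies plus one
// "remember_me" cookie, either before or after them.
function rememberMeSurvives(policy, others, rememberFirst) {
  const jar = new CookieJar(policy);
  if (rememberFirst) jar.set("remember_me", "token-placeholder");
  for (let i = 0; i < others; i++) jar.set(`pref_${i}`, "x");
  if (!rememberFirst) jar.set("remember_me", "token-placeholder");
  return jar.get("remember_me") !== undefined;
}
```

Under either policy the "Remember Me" cookie can be lost once a host sets more than 20 cookies; which cookie disappears depends on the order in which they were set.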
