Cookies take up space both in the HTTP stream when loading a web page, and on the hard drive of the customer. So most browsers put a limit on the number of cookies any one domain can set. The minimum is set by the RFC, but browser makers can increase that number.
Many people, when they discover the small size limit on cookies decide to instead send their cookie data through in multiple cookies. That way, even if you can only store around 4KB per cookie, you can send 10 cookies through (or more) to increase the amount of data you are storing.
What does the Cookie RFC Allow
RFC 2109 defines how cookies should be implemented, and it defines minimums that browsers should support. According to the RFC, browsers would ideally have no limits on the size and number of cookies a browser can handle, but to meet the specifications, the user agent should support:
- At least 300 cookies total
- At least 20 cookies per unique host or domain name
For practical purposes, browser makers have generally set a limit on the total number of cookies any one domain or unique host can set. As well as the total number of cookies on a machine.
When Designing a Site with Cookies
I was unable to find a limit on the number of total cookies any browser used. When I counted, I amassed well over 300 cookies while still in the “a's” of the alphabetical listing. The same is true when I just counted sites that had dropped cookies on me.
So, developers who run a lot of domains should not be concerned that the cookies that they create are going to be deleted because the maximum number has been reached. It is still a possibility, but your cookie is more likely to be removed from readers clearing out their cookies than from the browser maximum.
But I did find limits on the number of cookies any one domain could have. These were:
- Chrome 9 allowed 180 cookies per domain
- Firefox 3.6.3 allowed 50 cookies per domain
- Internet Explorer 8 allowed 50 cookies per domain
- Opera 11 I could not determine the limit and Opera 10 and 9 allowed 30 cookies per domain
- Safari 5 I could not determine the limit
This means that if you have a lot of Opera 10 customers, you should limit the number of cookies from your domain to 30 or less. If you have a lot of IE and Firefox customers, you can increase that to 50 or less. Chrome and Safari appear to allow a lot more cookies per domain, but until they have a larger market share, it's best stick with 30-50 maximum cookies per domain.
Cookie Size Limit Per Domain
Another limit that browsers started implementing was the amount of space any one domain could use. This means that if your browser sets a limit of 4096 bytes per domain, then even if you can set 50 cookies, the total amount of space those 50 cookies can use is just 4096 bytes (about 4KB).
While I wasn't able to test the space limits on the browsers, according to the Cookie Limits Test site:
- Chrome has no limit on the maximum bytes per domain
- Firefox has no limit on the maximum bytes per domain
- Internet Explorer allows between 4096 and 10234 bytes
- Opera allows 4096 bytes
- Safari allows 4096 bytes
Cookie Size Limits You Should Follow
To be compatible with the most browsers, you should create no more than 30 cookies per domain and all 30 cookies should take up no more than 4KB of space (4096 bytes).