What is the maximum size of a cookie, and how many can be stored in a browser for each web site?

Question

I am learning about cookies, and I wonder about browser support when writing web applications that rely on cookies to store state.

• For each domain/web site,

Answer 1

No more than 50 cookies per domain, with a maximum of 4 KB per cookie (or even 4 KB in total, see Iain's answer). On IE 6 it used to be 20 cookies per domain.

Generally it's recommended to preserve state on the server, and use cookies only for session tracking. They're sent along with every request, so they form an unnecessary overhead if the purpose is to keep session state around.

If you do want to keep state on the client, and you can use JavaScript to do it, there are options. Use the assorted storage API's directly or find a wrapper library that abstracts away the details.

Client-side storage options:

• localStorage: Firefox 2+, Chrome 4+, Safari 4+, Internet Explorer 8+. 5 MB per domain without user confirmation (but be aware that it is stored as UTF-16 so you may use two bytes per character).
• IndexedDB: Firefox 4+, Chrome 11+, Safari 10+, Internet Explorer 10+. 5 MB per domain without user confirmation, much more after confirmation (highly browser specific, check your browser for details).

Deprecated storage options:

• Flash 8 persistent storage: any browser with Flash 8+. 100 KB, more with user permission. Deprecated because Flash itself is deprecated.
• userData: Internet Explorer 5.5+. 64 KB per domain in the restricted zone, 128 KB per domain in the internet zone. Replaced by localStorage.
• Web SQL: Chrome & Safari only, it will never make it to other browsers because it was not possible to standardize it.

So, generally for client-side storage it depends on the use case:

• For session id tracking or for a few KB, use cookies.
• Up to 2 MB, localstorage delivers a solution across all common browsers.
• 2 MB and up, use IndexedDB (look for a good wrapper library).

Answer 2

If you're programming a web site, it's a good idea not to store too much in a cookie, because that cookie gets send to the server every time the user requests a page from your site. A far better solution is to just store a unique id in the cookie, and let the server pull up the required information from a database or file store based on that unique id. Unfortunately that solution leads to people worrying about what you're tracking about them, so you might want to have a "cookie policy" expressed somewhere on your site talking about why you're placing a cookie on their browser and what you do and don't track about them.

Answer 3

CDN Comes to Rescue.

You can offload your static content to a CDN or a file storage service like Amazon S3, keeping the static file requests cookie-free should be easy as long as you haven’t set up a CNAME record on a subdomain that receives cookies from your top-level domain.

This Blog Post is a good read for on Serving Static Content from a Cookieless Domain and how can we adopt this best practice to boost our performance in the client side.