Total cookie size greater than 8190 bytes causes Apache to fail.

8100 bytes | 8200 bytes | other: (hit return)

We all know that we can make our web sites faster if we reduce cookie size and serve static content from a cookieless domain. But large cookies can also bring down your site.

Apache's LimitRequestLine directive sets the maximum number of bytes that are allowed on the HTTP request-line. The default value is 8190. The concern isn't that the size of a single cookie would exceed this limit - it's unlikely anyone would create a single cookie this large. The 8190 byte limit becomes easy to break when we realize that it's the sum of all cookies that's the concern. All the cookies for a web page are delivered in one Cookie: request header. Therefore, if all of the cookies for a given page add up to more than 8190 bytes, Apache will fail. (I haven't investigated other web servers.)

Here's a test you can perform to confirm this behavior:

  1. click on the 8100 link above
  2. after you receive your 8100 bytes of cookies, reload the page
  3. everything works - yay!
  4. click on the 8200 link above
  5. after you receive your 8200 bytes of cookies, reload the page
  6. you get an error page complaining that "Size of a request header field exceeds server limit"
  7. restart your browser to clear the cookies

Remember, keep your cookies small. Read the excellent article from Eric Lawrence on Internet Explorer Cookie Internals for some FAQs about how cookies work in IE.
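
An added example (not code from the original page) that measures the combined `Cookie:` header against the 8190-byte limit and checks whether a new cookie would still fit. It assumes the limit applies to the whole header line, the `Cookie: ` name included; in Apache the per-header-field limit is the `LimitRequestFieldSize` directive, which also defaults to 8190. The cookie names and values are constructed.

```javascript
// Added example, not from the original page.
// Assumption: the limit covers the whole header line, "Cookie: " included.
const FIELD_LIMIT = 8190; // Apache default cited on the page

// Measure bytes, not characters: non-ASCII values take several bytes each.
const byteLen = (s) => new TextEncoder().encode(s).length;

// Parse "a=1; b=2" (document.cookie or a logged Cookie header value).
function parseCookies(cookieString) {
  const jar = new Map();
  for (const pair of cookieString.split(/;\s*/).filter(Boolean)) {
    jar.set(pair.split("=", 1)[0], pair); // key by name, keep the pair as sent
  }
  return jar;
}

// Size of the request header line the browser would send for this jar.
function headerSize(jar) {
  return byteLen("Cookie: " + [...jar.values()].join("; "));
}

// Audit a cookie string: total size, headroom, and the largest cookies first.
function auditCookies(cookieString, limit = FIELD_LIMIT) {
  const jar = parseCookies(cookieString);
  const total = headerSize(jar);
  const largest = [...jar]
    .map(([name, pair]) => ({ name, bytes: byteLen(pair) }))
    .sort((a, b) => b.bytes - a.bytes);
  return { total, headroom: limit - total, overLimit: total > limit, largest };
}

// Check before setting: would adding or replacing name=value stay within the limit?
function fitsAfterSet(cookieString, name, value, limit = FIELD_LIMIT) {
  const jar = parseCookies(cookieString);
  jar.set(name, `${name}=${value}`);
  return headerSize(jar) <= limit;
}

// Constructed sample: many cookies of 404 bytes each, none large on its own.
function sampleCookieString(count, valueLength) {
  return Array.from({ length: count }, (_, i) =>
    `c${String(i).padStart(2, "0")}=${"x".repeat(valueLength)}`).join("; ");
}

const sample = sampleCookieString(20, 400);
console.log(auditCookies(sample).total, auditCookies(sample).headroom);
console.log(fitsAfterSet(sample, "c20", "x".repeat(400))); // one more cookie
console.log(fitsAfterSet(sample, "c00", "y".repeat(400))); // replacing one
```

In a browser, pass `document.cookie`; it omits HttpOnly cookies, so the real header can be larger than the figure reported.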