funsec mailing list archives

Internet Explorer's Cookie Jar runneth over


From: <rms () computerbytesman com>
Date: Mon, 26 Nov 2007 10:14:44 -0500

Hmm, I wonder why this increase in size of the IE cookie jar was silently
sent out to most Windows users as a security update?

Richard M. Smith
Boston Software Forensics

http://blogs.msdn.com/ie/archive/2007/08/29/update-to-internet-explorer-s-cookie-jar.aspx


Update to Internet Explorer's Cookie Jar


As a part of the August
<http://blogs.msdn.com/ie/archive/2007/08/14/ie-august-security-update-is-now-available.aspx>
Cumulative Update for Internet Explorer, a small enhancement was made to
Internet Explorer's HTTP Cookie handling. This post describes that
enhancement, and presents some other considerations for using cookies on your
site. A knowledge base article referencing this change can be found here
<http://support.microsoft.com/kb/941495>.


Background


In the past, IE's cookie jar stored a maximum of 20 cookies per domain. If
more than 20 cookies were sent by the server, older cookies were
automatically dropped by the browser. The dropped cookies could lead to lost
website settings, an empty web shopping basket, or similar problems. In
order to store more than 20 name-value pairs per domain, web developers were
forced to create a "dictionary cookie", a single cookie that contains
multiple name-value pairs. Creation of dictionary cookies is described in
this Knowledge Base <http://support.microsoft.com/kb/306070/en-us> article.


Note that IE's cookie limit is applied on a per-domain basis. If
http://example.com sets 20 cookies, each with Domain=example.com, and
http://subdomain.example.com also sets 20 cookies, each with
Domain=subdomain.example.com, then 40 cookies will be sent on subsequent
requests to subdomain.example.com.


New Cookie Limit


As a part of the Internet Explorer update announced yesterday, the cookies
per domain limit has been increased from 20 to 50. This change was made to
simplify the development and hosting of web applications on domains that use
a large number of cookies.  

Please note that even after installing this update, two other cookie limits
remain unchanged:

* The DOM's document.cookie property will return an empty string
  <http://support.microsoft.com/kb/820536/en-us> if the current cookie string
  is longer than 4096 bytes
* Internet Explorer (and the WinINET HTTP stack) will ignore any
  Set-Cookie header if the header value's length exceeds 5118 bytes

For functionality and performance reasons (discussed next), it's recommended
that you continue to use the smallest cookies possible. 


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
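The jar behaviour the quoted post describes, as an added example that is not code from the post, the list, or the IE team: a Node.js model of IE's per-domain cookie jar at the old 20 and new 50 limits, the 5118-byte Set-Cookie and 4096-byte document.cookie limits, the per-domain count for example.com plus subdomain.example.com, and a pack/unpack pair for the "dictionary cookie" workaround. The Set-Cookie parser, the Domain default and the "oldest cookie dropped first" rule are assumptions of this example, not statements from the post.

```javascript
// Added example (not the post's or Microsoft's code): a Node.js model of the
// cookie-jar rules the post describes. Limits are the post's; FIFO drop is assumed.
const DOC_COOKIE_MAX = 4096; // document.cookie reads back "" above this length
const SET_COOKIE_MAX = 5118; // longer Set-Cookie header values are ignored
// Dictionary cookie (the KB 306070 workaround): many pairs packed into one cookie.
function packDictionaryCookie(name, pairs) {
  return name + '=' + Object.entries(pairs)
    .map(([k, v]) => encodeURIComponent(k) + ':' + encodeURIComponent(v)).join('&');
}
function unpackDictionaryCookie(cookie) {
  const eq = cookie.indexOf('=');
  const entries = cookie.slice(eq + 1).split('&').filter(Boolean)
    .map((item) => item.split(':').map((s) => decodeURIComponent(s)));
  return { name: cookie.slice(0, eq), pairs: Object.fromEntries(entries) };
}
// Minimal Set-Cookie parser (assumed): name, value, Domain (defaults to the setting host).
function parseSetCookie(headerValue, host) {
  const [nv, ...attrs] = headerValue.split(';').map((s) => s.trim());
  const eq = nv.indexOf('='); let domain = host;
  for (const a of attrs) {
    const [k, v = ''] = a.split('=');
    if (k.toLowerCase() === 'domain') domain = v.replace(/^\./, '').toLowerCase();
  }
  return { name: nv.slice(0, eq), value: nv.slice(eq + 1), domain, raw: headerValue };
}
// Feed responses ([{host, headers: [Set-Cookie values]}]) into a per-domain jar with
// the given limit (20 before the update, 50 after); returns {jar, dropped}.
function simulateJar(responses, perDomainLimit) {
  const jar = new Map(), dropped = []; // jar: domain -> cookies, oldest first
  for (const { host, headers } of responses) {
    for (const h of headers) {
      if (h.length > SET_COOKIE_MAX) { dropped.push(h); continue; } // header ignored
      const c = parseSetCookie(h, host);
      const list = (jar.get(c.domain) || []).filter((x) => x.name !== c.name); // replace
      list.push(c);
      while (list.length > perDomainLimit) dropped.push(list.shift().raw); // oldest goes
      jar.set(c.domain, list);
    }
  }
  return { jar, dropped };
}
// Cookie header a request to `host` carries (all matching domains); IE's document.cookie view.
function cookieHeaderFor(jar, host) {
  const out = [];
  for (const [domain, list] of jar) {
    if (host === domain || host.endsWith('.' + domain)) list.forEach((c) => out.push(c.name + '=' + c.value));
  }
  return out.join('; ');
}
function documentCookieView(s) { return s.length > DOC_COOKIE_MAX ? '' : s; }
```

Run with a constructed set of responses (for instance 25 Set-Cookie headers for one domain) at limits 20 and 50 to see which cookies the old jar would have silently dropped.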
