Bug 19148 - Limit the number of Cookies per domain
Summary: Limit the number of Cookies per domain
Status: RESOLVED WORKSFORME
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 525.x (Safari 3.1)
Hardware: Mac All
Importance: P2 Major
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2008-05-20 11:32 PDT by Markus Wulftange
Modified: 2011-04-09 01:09 PDT
Description Markus Wulftange 2008-05-20 11:32:07 PDT
It seems that at least the Safari 3.1 release has no limit for Cookies per domain.

See <URL:http://www.nczonline.net/blog/2008/5/17/browser_cookie_restrictions>
Comment 1 Brady Eidson 2008-05-20 12:00:29 PDT
<rdar://problem/5949683>
Comment 2 Brady Eidson 2008-05-20 12:02:38 PDT
Some custom apps might want the limitless cookies, whereas some apps might want *very* limited cookies or no cookies at all.

It is unclear to me whether or not this should be fixed as a WebKit bug or if it is really an application policy (in which case it would be fixed in Safari by Apple, and this bug would be invalid).

Thoughts?
Comment 3 Mark Rowe (bdash) 2008-05-20 12:52:06 PDT
Cookies are managed by Foundation and CFNetwork rather than WebKit, so it's likely that limiting cookies is something that will need to be handled at that level.
Comment 4 Brady Eidson 2008-05-20 13:00:05 PDT
I agree completely, but someone would have to call to set the limitation - should that someone be WebKit or Safari?  That was my question.
Comment 5 Robert Blaut 2008-07-30 03:14:29 PDT
RFC2965 "HTTP State Management Mechanism" does not force any limit on cookies per domain; moreover, it defines that user agents should not have any limits in this area:

"5.3  Implementation Limits

   Practical user agent implementations have limits on the number and
   size of cookies that they can store.  In general, user agents' cookie
   support should have no fixed limits.  They should strive to store as
   many frequently-used cookies as possible.  Furthermore, general-use
   user agents SHOULD provide each of the following minimum capabilities
   individually, although not necessarily simultaneously:
      *  at least 300 cookies
      *  at least 4096 bytes per cookie (as measured by the characters
         that comprise the cookie non-terminal in the syntax description
         of the Set-Cookie2 header, and as received in the Set-Cookie2
         header)
      *  at least 20 cookies per unique host or domain name"

[http://www.ietf.org/rfc/rfc2965.txt]

In my opinion this report should be marked as WONTFIX.
Comment 6 Mark Pauley 2011-04-08 13:59:18 PDT
This has been fixed for Safari running on Snow Leopard, Windows and on.  We don't limit the number of cookies per domain, but instead limit the total size of the cookie header; because cookies must be a minimum of two characters plus a semicolon per cookie, the number is effectively limited.
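
The mechanism Comment 6 describes, as an added example (not WebKit, CFNetwork or Safari code): a per-domain jar bounded by the size of the serialized `Cookie` header rather than by cookie count, plus the count ceiling that bound implies. The 4096-byte budget, the oldest-first eviction policy and all names are assumptions; the thread states neither the real limit nor how cookies are dropped.

```python
from collections import OrderedDict

# Assumed budget for illustration; the thread does not give the real value.
MAX_COOKIE_HEADER_BYTES = 4096


def header_bytes(cookies):
    """Byte length of the Cookie header value, e.g. 'a=1; b=2'."""
    return len("; ".join(f"{n}={v}" for n, v in cookies.items()).encode("utf-8"))


def max_cookie_count(budget, min_cookie_bytes=2, separator_bytes=1):
    """Count ceiling implied by a size budget, using Comment 6's figures
    (two characters per cookie plus a semicolon; the last needs no separator)."""
    if budget < min_cookie_bytes:
        return 0
    return (budget + separator_bytes) // (min_cookie_bytes + separator_bytes)


class SizeBoundedJar:
    """Hypothetical per-domain jar limited by header size, not cookie count."""

    def __init__(self, budget=MAX_COOKIE_HEADER_BYTES):
        self.budget = budget
        self.cookies = OrderedDict()  # insertion order = age

    def set(self, name, value):
        """Store a cookie, then evict oldest-first (assumed policy) until the
        header fits. Returns the evicted names; a cookie larger than the whole
        budget ends up evicting itself, so it is never stored."""
        self.cookies.pop(name, None)  # overwriting makes the cookie newest
        self.cookies[name] = value
        evicted = []
        while self.cookies and header_bytes(self.cookies) > self.budget:
            evicted.append(self.cookies.popitem(last=False)[0])
        return evicted


if __name__ == "__main__":
    jar = SizeBoundedJar(budget=64)
    for i in range(100):  # constructed input: a site setting 100 tiny cookies
        jar.set(f"c{i}", "")
    print(len(jar.cookies), "cookies kept,", header_bytes(jar.cookies), "bytes")
    print("ceiling at 4096 bytes:", max_cookie_count(4096))
```

Because the jar serializes with the two-byte `; ` separator, the number of cookies it actually holds stays below the ceiling computed from the thread's one-byte figure.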
Comment 7 Alexey Proskuryakov 2011-04-09 01:09:33 PDT
Resolving per the above comment.