cURL / Mailing Lists / curl-library / Single Mail


[ curl-Bugs-977783 ] Max cookie size needs to be at least 4096 bytes

From: <>
Date: Tue, 22 Jun 2004 13:53:31 -0700

Bugs item #977783, was opened at 2004-06-22 13:53
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:

Category: http
Group: wrong behaviour
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Daniel Stenberg (bagder)
Summary: Max cookie size needs to be at least 4096 bytes

Initial Comment:
The following bug appears in curl-7.12.0 as well as in
previous versions. I am running it under Red Hat 9, but
expect the problem to be in all versions.

RFC 2109 states that there needs to be "at least 4096
bytes per cookie (as measured by the size of the
characters that comprise the cookie non-terminal in the
syntax description of the Set-Cookie header)".

But cURL is only handling cookies up to 2048 bytes
(this appears to be defined in lib/cookie.h.

This is not merely a theoretical concern--I spent
several days going back and forth with an off-site
developer who could not understand why his code worked
for him but not when I was testing it.

While the problem appears easily solveable by changing
two constants in lib/cookie.h, this issue will bite
people who are expecting cURL to comply with basic web
standards such as the 4K cookie minimum.

Note: while many/most web apps probably use cookies to
hold keys into a database, there are companies that
need to shove as much data as they can into cookies to
avoid the performance hit incurred by database access.
This includes some high-profile dot-coms with people
who know what they are doing :-)

Thanks for your attention to this matter.

David Cohen


You can respond by visiting:
Received on 2004-06-22