Is there a limit to cookies? Understanding browser storage restrictions

November 7, 2025 •

4 min read

According to the RFC 6265 specification, browsers are required to support a minimum of 4096 bytes per cookie and 20 cookies per unique domain. This means that contrary to popular belief, there is indeed a limit to cookies, a fact with significant implications for web developers and marketers alike. Understanding these browser-enforced constraints is crucial for ensuring website functionality and performance.

Quick Summary

Browsers impose strict limits on the number and size of cookies per domain, typically around 4KB per cookie and 50–180 cookies per domain depending on the browser. Exceeding these limits can cause data truncation, performance issues, or a website failing to store user preferences correctly.

Key Points

Cookie Size Limits: Most browsers cap a single cookie at approximately 4KB (4096 bytes), including its name and value, based on RFC standards.
Cookies Per Domain: Browsers also limit the number of cookies a single website can store, ranging from about 50 to 180, depending on the browser.
Exceeding Limits: If a website exceeds these limits, browsers may reject new cookies or delete the oldest ones, leading to unpredictable application behavior.
Performance Overhead: Large or numerous cookies can increase the size of HTTP requests, potentially slowing down website performance, especially on mobile devices.
Modern Alternatives: For larger storage needs, developers should use alternatives like the Web Storage API (localStorage, sessionStorage) or IndexedDB, which offer higher capacity.
Third-Party Cookie Phase-Out: The digital landscape is shifting as browsers phase out third-party cookies due to privacy concerns, pushing the industry toward cookieless tracking and first-party data strategies.

Browser-Enforced Cookie Limitations

Web cookies are small data packets stored by a browser on a user's device, used to remember stateful information such as login details, user preferences, and tracking data. While invaluable for web functionality, cookies are not infinite resources. All modern web browsers enforce specific limitations to prevent a single website from consuming excessive client-side storage, which could negatively impact performance and security. These limits are generally applied on a per-domain basis and cover both the size of an individual cookie and the total number of cookies allowed.

Per-Cookie Size and Per-Domain Quantity Limits

The most commonly encountered limit is the maximum size of a single cookie, which is generally capped at around 4096 bytes (4KB) across major browsers. This size includes the cookie's name, value, and other metadata. If a developer attempts to set a cookie larger than this limit, the browser will likely reject it entirely, and the data will not be stored.

Equally important are the per-domain quantity restrictions. Each browser sets its own maximum number of cookies a single domain can store. For example, some browsers allow as few as 50 cookies per domain, while others might permit up to 180 or more. Exceeding this count often results in the oldest or least recently used cookies being automatically purged to make room for new ones, leading to unpredictable user experiences.

Cross-Browser Variations in Cookie Limits

The exact cookie limitations can vary between different web browsers, though most align closely with the IETF RFC 6265 standard's recommendation of 4096 bytes per cookie. While this standard provides a baseline, browser vendors can implement stricter or slightly different rules. For instance, Safari's Intelligent Tracking Prevention (ITP) might shorten the lifespan of certain tracking cookies, overriding the website's set expiration date. This makes cross-browser compatibility an important consideration for developers.

Table: Comparison of Browser Cookie Limits


Browser	Cookie Size Limit (approx.)	Cookie Count per Domain (approx.)
Google Chrome	4096 bytes	180 cookies
Mozilla Firefox	4097 bytes	150 cookies
Apple Safari	4096 bytes	50 cookies
Microsoft Edge	4096 bytes	50 cookies

Performance and Security Implications of Cookie Management

Beyond the raw storage capacity, there are significant performance and security considerations related to how cookies are handled. Every HTTP request sent from the browser to the server includes the cookies associated with that domain. If a website sets numerous or very large cookies, this can increase the size of the request headers, adding unnecessary overhead and potentially slowing down page load times. For users on slower connections, this performance degradation can be particularly noticeable.

Security is another major factor. Because cookies are sent with every request, they can be vulnerable to various attacks, including Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF), if not implemented securely. Developers must be mindful of using appropriate security flags like HttpOnly and Secure to mitigate these risks.

Alternatives to Excessive Cookie Usage

For websites requiring larger client-side storage, developers should consider modern alternatives to cookies that were designed with greater capacity in mind.

Web Storage API (localStorage and sessionStorage): These provide key/value pair storage with significantly larger limits (typically 5–10MB per domain) and don't send data with every HTTP request, improving performance. localStorage persists even after the browser is closed, while sessionStorage lasts only for the duration of the page session.
IndexedDB: A low-level API for client-side storage of large amounts of structured data, including files and blobs. It offers a much higher storage capacity than cookies and is suitable for more complex data needs.
Server-Side Storage: Storing user data on the server and using a small, secure cookie with a session token to identify the user is often the most secure and performant option for storing extensive user information.

The Impact of Phasing Out Third-Party Cookies

Finally, the conversation about cookie limits is incomplete without mentioning the ongoing decline of third-party cookies. Major browsers like Chrome, Safari, and Firefox are either blocking or phasing out support for these cookies, primarily due to privacy concerns. This monumental shift is forcing the advertising and web analytics industries to pivot towards cookieless tracking and relying more on first-party data and other technologies. While this is a separate issue from the technical storage limits of first-party cookies, it's part of the broader evolution of web storage and data management.

Conclusion

In summary, there is a definitive limit to cookies, enforced by web browser specifications and practical considerations for performance and security. Developers must navigate these constraints, balancing the convenience of cookies with the storage limits of around 4KB per cookie and varying numbers per domain. For larger storage needs, modern APIs like localStorage and IndexedDB offer more robust solutions. By understanding and respecting these limitations, developers can build more efficient, secure, and reliable web applications that work consistently across different browsers and meet evolving privacy standards.

Frequently Asked Questions

Cookies have a size limit to prevent websites from storing excessive data on a user's device. Limiting the size keeps HTTP requests small, which is crucial for website performance and overall user experience, especially on mobile networks.

If a cookie exceeds the browser's size limit (usually 4096 bytes), the browser will typically reject or ignore the cookie entirely. This means the data will not be stored, which can cause web application features relying on that data to fail.

The number of cookies a website can set varies by browser. While the Internet Engineering Task Force (IETF) specified a minimum of 20 cookies per domain, modern browsers like Chrome and Firefox support significantly more (180 and 150, respectively). Other browsers like Safari and Edge are more restrictive, often limiting to around 50.

Yes, the cookie quantity and size limits are applied on a per-domain basis. This means a website like example.com has a set budget of storage and number of cookies it can use, not just for the top-level domain but sometimes considering subdomains as well.

No, localStorage and sessionStorage are part of the modern Web Storage API and have much higher storage limits, typically 5-10MB per domain. Unlike cookies, data in Web Storage is not automatically sent with every HTTP request, improving performance.

Third-party cookies are being phased out by major browsers like Chrome and Safari primarily due to privacy concerns. They are often used for cross-site tracking, which allows advertisers to build extensive profiles of user behavior across different websites without explicit consent. Replacing them are new privacy-centric APIs and first-party data strategies.

While it's technically possible to split large data into multiple smaller cookies, this is not a recommended practice. The combined size of all cookies is sent with every request, still causing performance issues. Furthermore, you would be limited by the per-domain cookie count. It's better to use modern alternatives like Web Storage or server-side storage for larger datasets.