To RFC or not to RFC

One of the ideas I had to expand the StateHandler (more info on the StateHandler in this post) was to do "cookie-spanning."  In the current implementation, the serialized/encrypted state has to be under 4,096 bytes as the data was stored in a single cookie.

RFC2109 specifies that browsers/clients should allow at least 20 unique cookies per domain, with each cookie capable of storing at least 4,096 bytes.  I thought, "Hey, it would be cool to be able to split my data across more than one cookie if it were needed."  I'm not exactly sure this would be needed -- I put a lot of stuff in the module and I don't break the 4,096 byte barrier.  Nevertheless, it's more of a "cool factor."  If 4K isn't enough, surely 8K or 12K would do it, right?  With 20 unique cookies per domain, that's a lot of wiggle room for other data, too.

I've run into a few quirks.  I began testing by dumping a ton of data into the session module's indexer to make the size of the serialized/encrypted data explode.  The first oddity was with IE.  IE will actually allow just shy of 5KB per cookie -- and that's ok, since the RFC does say, "at least 4,096 bytes."  I verified this with the IE team and it's because of the cookie buffer implementation in wininet.  This isn't at all a bug, but because Firefox adheres to the 4,096 byte minimum (to the byte, including the cookie name), it's easy to get burned.

The second quirk came when I ramped up the stress level by dumping a lot of data into the state module.  As soon as I passed the 16KB mark, IIS started returning 400 "Bad Request" responses.  I came across this INF: Http.sys Registry Settings.  As it turns out, the default limit for IIS (as defined in the MaxRequestBytes and MaxFieldLength settings) is 16KB.  That's a problem: it doesn't take a mathematician to see that 20 cookies * 4,096KB = 81,920, much greater than 16,384.  While ramping these up a bit did clear the error, changing these aren't always possible in a shared hosting environment, and the "Warning: Extremely Dangerous" notice on those settings is enough to scare people away.

Of course, in practice, very few domains use all 20 cookies, and arguably, almost none will try to pack 4,096 bytes into each cookie.  Still, it's a limitation, and it's a design I don't agree with.  And, it's crippling.  Since IIS can generate the cookies on one request, and then deny it on another, you can essentially deny a user access to the server.  If they're persisted cookies, you need to pray the user can go in and clear their cookie cache manually if you want them to visit your site, otherwise IIS will keep denying the request and the average user will have no idea why.

The last quirk is with Firefox, and this one I don't have an answer for.  Regardless of the number of cookies, Firefox seems to collapse around 11KB of data in a request header.  The request goes to IIS just fine, but it's as if Firefox closes the connection right away and no data is ever sent from IIS.  I'll need to use Fiddler and see what's going on -- I'm wondering if it's something like a 100-continue header problem or something similar.

** Update ** Yep, the problem regarding Firefox was on my end.  I didn't constrain the loop
quite right so in the stress page that I created, one of the cookies took way too many bytes.  This resulted in Firefox just dropping the request.  IE's behavior was a bit different.  In IE's case, the cookie was just dropped if it went beyond its near 5K ceiling, but the page otherwise loaded and rendered fine.  (I'm appreciative that I found this bug thanks to Firefox, but it should've just rejected the cookie silently, IMO, and continue to render/accept the page).  So, with the IE and Firefox issue resolved, the only limitation is with IIS. **/Update**

So in theory, cookie spanning is a cool idea.  And while it will work to expand the session data a few extra bytes if needed, it's also clear that this is a "proceed with caution" area.
Comments are closed

My Apps

Dark Skies Astrophotography Journal Vol 1 Explore The Moon
Mars Explorer Moons of Jupiter Messier Object Explorer
Brew Finder Earthquake Explorer Venus Explorer  

My Worldmap

Month List