I know there are restrictions on the number of cookies that you can add to a browser, I can't remember the numbers from my tests a while ago, but I think it started to run into trouble at around 150.
I have an issue where I am trying to delete 57 cookies but the browser goes into a loop, and then resets the connection, this is over HTTP. If I switch it to HTTPS, using HTTP/2 it works with no problems, but I don't want to have to rely on the HTTP/2.
If I lower it a little bit I can get around 50 to work, but if I add other cookies or increase the loop to 57 I have the problem
Is this a restriction in the browser or is there anything I can do in the CF admin to increase capabilities?
This is how I'm doing it. Maybe there is a better way to just tell it to destroy ALL cookies. Although I also worry now about other parts of the site where I create cookies.
** After posting this I went back to my local Win 10 development setup and tested it again, I found that I could delete well over a 100. I am guessing this has something to do with me moving from Win 2008 to Win 2016 for production. There must be a setting in the newer IIS that is tripping it. I imported all my settings for CF from the 2008 box so they should be the same
*** Went back and tested on Win 2008, works fine. Same CF settings. This must be an IIS issue on Win 2016
<CFSET gameauth = ARRAYNEW(1)>
<CFSET gameauth = "AAA">
<CFSET gameauth = "BBB">
<CFSET gameauth = "CCC">
<CFSET gameauth = "DDD">
<CFSET gameauth = "EEE">
<CFSET gameauth = "FFF">
<CFSET gameauth = "GGG">
etc.etc up to gameauth
<CFCOOKIE name="gametoken" value="" expires="now" domain="#cookiedomain#">
<CFLOOP INDEX="gamecounter" FROM="1" TO="57"><CFCOOKIE name="#gameauth[gamecounter]#" value="" expires="now" domain="#cookiedomain#"></CFLOOP>
There are a few settings that could limit the number of cookies you can set... First in Tomcat, there is a setting called maxCookieCount which defaults to 200, see tomcat docs: Apache Tomcat 9 Configuration Reference (9.0.11) - The HTTP Connector
There are also some other settings in there that pertain to HTTP response headers (which is how cookies are set) such as the maxHttpHeaderSize setting.
Are you sure it is not a problem in the browser you are using? It looks like IE only supports up to 50 cookies for example: https://support.microsoft.com/en-us/help/941495/internet-explorer-increases-the-per-domain-cookie-li...
No it's definitely not the browser (I was testing in Firefox). I'm sure I checked MSIE and found I could also get 150 or so cookies on there.
I've ran the same script using CF 2016 on Win 10, Win 2008 and newly created Win 2016.
I do have a URL Rewrite and SSL certs on the Win 2016, so I've sent a rewrite to force it into HTTPS mode. As it's a Win 2016 server it has HTTP/2 over the SSL, so it delivers all those cookies in one go rather than individually. The script works fine, I can write or delete a 100 in HTTPS with no problem. It's when I drop to HTTP, and it's using HTTP1.1 that the problem occurs
As it works fine on the previous Win 2008 server (and Win 10), and I'm using the same CF settings (I literally exported from the 2008 into 2016), I have to presume that this is something to do with the newer IIS 10
Although I technically have the site working on the HTTP2 set up, I'd like to try and get to the bottom of it and see if it's a simple enough tweak so I know that it'll always work on HTTP, not that anybody could get it into HTTP now with the URL rewrite, so maybe I'm just wasting time, but I feel a need to get to the bottom of this one
Well IMHO forcing HTTPS is a win for you. It is quite common these days for sites to run over https and only https, and actually chrome has started marking sites that are not using https as "Not Secure" in the address bar. Check this site out for details on why it is a good thing: https://doesmysiteneedhttps.com/
It's a win for sure, as long as it's on HTTP/2 which it is now (Win 2016 IIS10), when I did it on Win 2008 it was horribly slow, causing CSS not to load quick enough and messing up pages. Thanks to HTTP/2 it's actually quicker to load over SSL than it is over the regular HTTP.
So technically the problem is resolved, but it is niggling me that it won't work on Win 2016. I was just told that Win 10 is also IIS10 so that threw a curve ball because I was pointing at IIS10 being the issue, but perhaps it has different settings on the server version.
You're right those warnings are everywhere, if you look on iOS and select a form that asks for email or password you'll get a big ugle red message warning the user, so it's pretty much a must these days
Have you considered using localStorage?
I've found that if I take all the information that is needed and place it in JSON format, I can access one single localStorage variable, parse what I need, and get going. And to be sure, deleting a node of JSON would be much faster than deleting individual cookies.
Just my two cents.
^ _ ^
I can not use JSON as it's a little complex, the cookies are read by some other JS built into some games, as they are used for authentication to play the game. If I start to change the format of how it's all stored it will upon up a can of endless re-coding and fixes.
In an ideal world I'd find out why it works on the 2008 and Win10, but not 2016.
Although it's working fine now on HTTP/2, I do see what might be an issue, the games are set to cache and I see on a reload I get a lot of 0ms load times on the cached images, but I also not it drops to HTTP/1.1, maybe that's the most efficient way to do it when there is all this caching going on, I don't have any server side control over this in IIS, and the first load is indeed HTTP/2.
With that being said, my concern is, what if it decides to drop to HTTP/1.1 somewhere else where the cookie handling is critical. I've tested it and it seems fine, but I'd sleep better knowing that the site performs (as it did before) perfectly well in HTTP/1.1 if the need arises
As for HTTP not allowing multiple cookies in a single request, is there a single site out there that only writes one cookie on a request?
I think the other post was about the RFP for HTTP 1.x not allowing multiple Cookie request headers. But as we all know, a single Cookie request header can contain multiple cookies expressed as name-value pairs.
Dave Watts, Fig Leaf Software