What Cookies Cannot Be Used For (2025): Limits, Myths, and Legal Rules
Clear answer to what cookies can’t do-tech limits, legal rules, safe practices, examples, and a checklist for 2025 across GDPR, CPRA, and Australia.
Ever wondered why a website can’t remember all your settings? The short answer is that browsers put strict limits on cookies. Understanding those limits helps you avoid broken logins, lost preferences, and surprise privacy issues.
Cookies are tiny pieces of text that a site stores in your browser. They let the site keep track of who you are, what’s in your cart, or which language you chose. But browsers only allow a certain amount of data per cookie, a certain number of cookies per domain, and a certain number overall. Cross those lines and the browser drops the new cookie or evicts an older one, and it never tells the page that it did.
Most modern browsers cap a single cookie at about 4 KB: RFC 6265 requires at least 4096 bytes for the name and value together, and that minimum is what Chromium and Firefox enforce in practice. That sounds like a lot, but a serialized shopping cart or a detailed user profile can exceed it quickly. When a Set-Cookie header crosses the ceiling, the browser does not truncate the value; it rejects the whole cookie, so the feature that relied on it silently keeps seeing the old value, or nothing at all.
Besides size, there’s a limit on how many cookies a single domain can set. RFC 6265 asks browsers to keep at least 50 per domain; Chromium allows about 180 and Firefox about 150 (the old figure of 20 comes from Internet Explorer). When a site goes past the cap, the browser evicts that domain’s existing cookies, starting with the least recently used, again without telling the page. A session cookie evicted this way is one reason a user can see “Your session has expired” without ever closing the browser.
On top of per‑domain limits, browsers also enforce a total cookie count across all sites: roughly 3,000 in Chromium and Firefox, which is RFC 6265’s minimum. Hitting that overall cap is rare for most users, but it can happen on shared computers or when many sites set third‑party tracking cookies. A separate limit lives on the server side: most web servers and proxies reject requests whose headers exceed around 8 KB, so a domain that sets a handful of large cookies can make every request to it fail with a 400 or 431 error even though each cookie is individually legal.
Cookies aren’t meant to live forever. A cookie with no Expires or Max-Age attribute is a session cookie and is supposed to vanish when the browser closes (though session-restore features can keep it around). If you set a far‑future date, browsers clamp it: Chromium caps Expires and Max-Age at 400 days, as RFC 6265bis proposes, and Safari’s tracking prevention cuts cookies set from JavaScript down to 7 days. A short lifetime is the safer default because a stolen cookie stops working sooner; it does not prevent the theft itself, which is what the Secure and HttpOnly flags address.
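To make the limits above concrete, here is a small model of the cookie jar a browser keeps. It is an added example written for this page, not code from the original article or from any browser; the per-domain and total figures are the Chromium and RFC 6265 numbers quoted above, used here as assumptions for the model, and it deliberately ignores Path, Domain and Secure matching so that only the limit handling is on show.

```javascript
// Added example, not code from the original article: a model of the cookie
// jar a browser keeps, to show what "hitting a limit" actually does.
// Limits are RFC 6265 minimums plus Chromium's per-domain figure; they are
// assumptions for the model, not a spec for any one browser.
const MAX_COOKIE_BYTES = 4096;                    // name + value, per cookie
const MAX_PER_DOMAIN = 180;                       // Chromium's per-domain cap
const MAX_TOTAL = 3000;                           // RFC 6265 minimum across all sites
const MAX_AGE_CAP_MS = 400 * 24 * 3600 * 1000;    // Chromium clamps lifetimes to 400 days

function createJar() {
  // key = domain + "|" + name; clock is a counter used for LRU eviction
  return { cookies: new Map(), clock: 0 };
}

// Split a Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  if (eq < 0) return null;                        // RFC 6265: no "=" means ignore the header
  const cookie = { name: parts[0].slice(0, eq).trim(), value: parts[0].slice(eq + 1).trim(), attrs: {} };
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    cookie.attrs[(i < 0 ? p : p.slice(0, i)).toLowerCase()] = i < 0 ? true : p.slice(i + 1).trim();
  }
  return cookie;
}

function countForDomain(jar, domain) {
  let n = 0;
  for (const c of jar.cookies.values()) if (c.domain === domain) n++;
  return n;
}

// Evict the least recently accessed cookie (for one domain, or globally when domain is null).
function evictLru(jar, domain) {
  let victimKey = null;
  for (const [k, c] of jar.cookies) {
    if (domain !== null && c.domain !== domain) continue;
    if (victimKey === null || c.lastAccess < jar.cookies.get(victimKey).lastAccess) victimKey = k;
  }
  const name = jar.cookies.get(victimKey).name;
  jar.cookies.delete(victimKey);
  return name;
}

// Store a Set-Cookie header the way a browser would. Returns what happened;
// a web page never sees this result, which is why limit bugs are silent.
function setCookie(jar, domain, header, now = Date.now()) {
  const c = parseSetCookie(header);
  if (!c) return { ok: false, reason: "malformed", evicted: [] };
  // Oversize cookies are rejected whole: nothing is truncated and nothing is stored.
  if (new TextEncoder().encode(c.name + c.value).length > MAX_COOKIE_BYTES) {
    return { ok: false, reason: "oversize", evicted: [] };
  }
  const key = `${domain}|${c.name}`;
  let expires = null;                             // null = session cookie
  const maxAge = Number.parseInt(c.attrs["max-age"], 10);
  if (!Number.isNaN(maxAge)) {
    if (maxAge <= 0) {                            // Max-Age=0 is how a server deletes a cookie
      jar.cookies.delete(key);
      return { ok: true, reason: "deleted", evicted: [] };
    }
    expires = now + Math.min(maxAge * 1000, MAX_AGE_CAP_MS);
  }
  const evicted = [];
  if (!jar.cookies.has(key)) {                    // replacing a cookie does not count as a new one
    while (countForDomain(jar, domain) >= MAX_PER_DOMAIN) evicted.push(evictLru(jar, domain));
    while (jar.cookies.size >= MAX_TOTAL) evicted.push(evictLru(jar, null));
  }
  jar.cookies.set(key, { domain, name: c.name, value: c.value, attrs: c.attrs, expires, lastAccess: ++jar.clock });
  return { ok: true, reason: "stored", evicted };
}

// Build the Cookie request header for a domain, purging expired cookies on the way.
function getCookieHeader(jar, domain, now = Date.now()) {
  const pairs = [];
  for (const [k, c] of jar.cookies) {
    if (c.domain !== domain) continue;
    if (c.expires !== null && c.expires <= now) { jar.cookies.delete(k); continue; }
    c.lastAccess = ++jar.clock;                   // reading a cookie makes it "recently used"
    pairs.push(`${c.name}=${c.value}`);
  }
  return pairs.join("; ");
}
```

Feeding `setCookie` a 4097-byte cookie returns `{ ok: false, reason: "oversize" }` and leaves the jar untouched, which is the behaviour the truncation myth gets wrong; setting the 181st cookie on one domain returns `evicted: ["c0"]` for the least recently used one; and a `Max-Age` of thirty years comes back clamped to 400 days.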
Security settings also affect how cookies behave. The Secure flag makes the browser send the cookie only over HTTPS, and the HttpOnly flag keeps JavaScript from reading it, so a script injected into the page cannot copy a session cookie out. A third attribute, SameSite, limits when the cookie rides along on requests started from other sites; Chromium treats cookies with no SameSite attribute as Lax, and Strict is the tightest setting. None of these change the size or count limits, but they protect the data you do store.
If you need to keep more information than cookies allow, look at the Web Storage APIs: localStorage and sessionStorage. Both give you about 5‑10 MB per origin, more than a thousand times a single cookie. The trade‑offs are that storage data isn’t sent to the server with each request, so you must ship it yourself with fetch or a form submission, and that any script running on the origin can read it: there is no HttpOnly equivalent, so session tokens and other secrets belong in an HttpOnly cookie, not in Web Storage.
In practice, keep cookies tiny: a random, unguessable session ID or token that points to data held on your server. Store the heavy stuff there, and always set an explicit expiration. That way you stay within browser limits, protect user privacy, and avoid confusing bugs.
Remember, the limits exist to keep the web fast and safe. Knowing them lets you design better experiences without surprising your visitors with lost settings or sudden logouts.