cookie bomb - how to protect?

mex nginx-forum at
Sun Jan 19 16:06:58 UTC 2014

very interesting read:

from thze blogpost:
"TL;DR I can craft a page "polluting" CDNs, blogging platforms and other
major networks with my cookies. Your browser will keep sending those cookies
and servers will reject the requests, because Cookie header will be very
long. The entire Internet will look down to you. 
I have no idea if it's a known trick, but I believe it should be fixed.
Severity: depends. I checked only with Chrome.

We all know a cookie can only contain 4k of data.
How many cookies can I creates? **Many!**
What cookies is browser going to send with every request? **All of them!**
How do servers usually react if the request is too long? **They don't

i checked it, and it works, i get the following error back:

400 Bad Request

Request Header Or Cookie Too Large

my question: is there a generic way to check the size of such headers like
cookies etc
and to cut them off, or should we live with such malicious intent? 



Posted at Nginx Forum:,246597,246597#msg-246597

More information about the nginx mailing list