Here is a list of things I learned working on a project a while back, I wrote them down because they’re so screwy I know I’d force myself to forget them:
- Cookie size causes both the browser and the server to barf. Total size, not just individual cookie.
- Deleting a cookie is tricky, sometimes IE won’t delete session cookie without a restart.
- When deleting, use ‘0’ as expiration, the full “Thu, 01 Jan 1970 00:00:00 GMT” fails in IE, it sets it to 2070 for some reason.
- If you have two cookies, one with a subdomain, one without, the one without will “win”.
- it can be hard to mess with a higher scoped cookie from a subdomain. Avoid it if you can
- And here’s the kicker: Sometimes the buffer space on your load balancer can be too small for the total size of cookies that your browser is sending, even if Apache can handle larger cookies. In that situation you’ll get an ugly 500 error page. This buffer space may only become an issue if there are rules on the LB that require it to inspect the headers.
Just the other day I saw this article on a related note: Let’s Break The Internet