HTTP Header Length

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

HTTP Header Length

Post by flying_circus »

I've been hunting around Google for the last 30 or so minutes and coming up empty-handed.

Is there a max length on the HTTP User Agent header?

If I want to store this info in my database and use it as a tool to verify a session, how long does my database field need to be? I've got it set to a varchar(96) currently, but not sure if that is sufficient. Obviously, checking the user agent against what's stored in the DB will fail if the user agent is greater than 96 characters.

I could take a substr() of the client's user agent for comparison, but I don't believe that to be the best solution.

I've been looking at the HTTP RFC on w3.org. If you've got a better source, or I missed it in the doc, please let me know.

Re: HTTP Header Length

Post by flying_circus »

I did some quick tests and was able to feed a User Agent string of 12561 characters and I'm sure it could go more. I guess the substr() is the way to go. Why would you need to feed that length of a user agent string to the browser? Seems like it should be capped, no? I didn't test until failure, but it was getting unreliable with a string length that large.
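The substr() approach the thread settles on, as an added example that is not code from either post: the same truncation is applied when the value is stored and when it is compared, so a header longer than the column no longer fails the check. `UA_COLUMN_WIDTH`, `ua_fingerprint()` and `ua_matches_session()` are hypothetical names, and 96 is taken from the varchar(96) column in the question.

```php
<?php
// Added example, not code from the thread. All names here are hypothetical.
// 96 matches the varchar(96) column described in the question.
const UA_COLUMN_WIDTH = 96;

/**
 * Reduce a User-Agent header to exactly the form written to the database.
 * Using one function for both storing and comparing guarantees that a long
 * header is cut at the same point on both sides of the comparison.
 */
function ua_fingerprint(?string $userAgent): string
{
    // The header is client-controlled and may be missing altogether.
    $ua = $userAgent ?? '';

    // substr() counts bytes. Assumption: the column holds single-byte text,
    // so 96 bytes never exceeds 96 characters.
    return substr($ua, 0, UA_COLUMN_WIDTH);
}

/**
 * Compare the fingerprint saved with the session against the current request.
 */
function ua_matches_session(string $storedFingerprint, ?string $currentUserAgent): bool
{
    // hash_equals() compares in constant time and returns false on any
    // length or content difference.
    return hash_equals($storedFingerprint, ua_fingerprint($currentUserAgent));
}

// Constructed sample input: a header of the size the second post tested with.
$longUa = 'Mozilla/5.0 (' . str_repeat('X', 12561) . ')';

// At login: this is the value that would be written to the varchar(96) column.
$stored = ua_fingerprint($longUa);
var_dump(strlen($stored) <= UA_COLUMN_WIDTH);

// On later requests: same header, a different header, and no header at all.
var_dump(ua_matches_session($stored, $longUa));
var_dump(ua_matches_session($stored, 'ExampleAgent/1.0'));
var_dump(ua_matches_session($stored, null));

// In a real request the second argument would be
// $_SERVER['HTTP_USER_AGENT'] ?? null.
```

Because only the first 96 bytes are kept, two headers that share that prefix compare as equal, and the header is supplied by the client, so this works as a consistency signal alongside the session ID rather than as proof of identity.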