how big can you make a JWT?

i’ve had a lot of JWT related discussions at work lately and today I wondered how big is too big for a JWT to fit through an HTTP header. The HTTP spec doesn’t really impose a limit but most servers do set a limit that range between 8K – 16K bytes.

I figured I can whip up a quick jwt generator to get a rough sense of how big JWT’s can get!

for simplicity I made the key value pairs small strings (these will vary in real life of course) and defined a byte limit of 8K. Also to save battery I increased the key counts exponentially 😀

ok here’s the script. can you guess what the key limit is using back of napkin calc?

require "jwt"
byte_limit = 8000
bytesize = 0
key_count = 1
rsa_private = OpenSSL::PKey::RSA.generate 2048
while bytesize < byte_limit
  payload = {}
  key_count.times do |i|
    payload["foo_#{i.to_s}"] = "bar"
  end
  token = JWT.encode payload, rsa_private, 'RS256'
  bytesize = token.bytesize
  puts "bytesize: #{bytesize}, key_count: #{key_count}"
  key_count *= 2
end

And here’s the output:

bytesize: 384, key_count: 1
bytesize: 403, key_count: 2
bytesize: 440, key_count: 4
bytesize: 515, key_count: 8
bytesize: 672, key_count: 16
bytesize: 992, key_count: 32
bytesize: 1632, key_count: 64
bytesize: 2950, key_count: 128
bytesize: 5680, key_count: 256
bytesize: 11142, key_count: 512

so with 512 keys we exceeded 8K bytes ~

what’s the deal with third party cookies phase out?

chrome is planning on phasing out support for third party cookies in 2024.

Third-party cookies, also known as cross-site cookies, are cookies set by a website other than the one you are currently on. For example, cnn.com might have a Facebook like button on their site. The like button will set a cookie that can be read by Facebook.

https://support.mozilla.org/en-US/kb/third-party-cookies-firefox-tracking-protection

these cookies are a big deal for big tech because they’re the primary enabler of web tracking and advertising. if you work for a tech company that relies on digital ads, chances are they depend on third party cookies for those ads to follow you around the web.

cookie basics

when a browser issues a request to example.com, example.com can set a cookie on the browser under the domain example.com by responding to the request with a set-cookie response header.

once the cookie is saved, if the browser makes additional requests to example.com again in the future, the cookie under the matching domain will be forwarded back to the server.

because HTTP is a stateless protocol, it’s this cookie behavior that allows websites to “remember” its clients.

now, whether a cookie is first party or third party depends on the domain you’re currently on. if the cookie domain is the same as the current domain you’re on (in your browsers address bar), this is a first party cookie. The cookie belongs to the domain. every other cookie set by other domains is third party. so whether a cookie is first party or not depends on two things:

  1. The domain of the cookie
  2. The current domain of the page

if i’m on example.com, all the cookies set under example.com are first party. the browser may contain other cookies, saved under other domains like yahoo.com or wikipedia.org. those are all third party!

so from a user perspective, a cookie isn’t first party in an absolute sense. if the user visits a different site under a different domain, the same cookie is no longer considered first party. so again, the site you’re currently on according to the browser determines whether a cookie is considered first party or third party.

issue with third party cookies

so remember how a website can set cookies under its own domain? well, turns out they can also indirectly set cookies under other (third party) domains! all thanks to the magic of

HTML documents can contain many references / links to resources on other domains. every <img src...> or <link ...> or <script src...> is basically a GET request to another server that may live under different domains than the one you’re currently on!

those third party servers i.e myspace.com and xanga.com can also set cookies under their domain. the browser doesn’t really make a distinction between a request you made directly by typing in example.com in the address bar versus ones that are fired as a result of HTML rendering.

as a result, the same website you’re visiting transmits its own cookies AND cookies from other websites. some of those websites may even be… ad networks that set cookies for purposes of analytics and tracking.

this basic auto storage and transmission behavior of cookies combined with the hyperlinking nature of web sites is at the core of how ad tech works.

if you’re an advertiser, third party cookie data allows you to learn about visitor behaviors, such as websites they frequently visits and recent purchases and target them with ads

real world scenario time

here’s a real example that i’ve researched and verified myself.

hypothetically speaking, lets say bob is researching a rice cooker on amazon.com. bob sees one he likes, but feels overwhelmed so gives up and decides to go bake cookies instead

bob then visits a site with a cookie recipe and sees an advertisement for the same rice cooker he was looking at earlier. since bobs not on an amazon-owned site but is seeing amazon related ads, this advertisement was triggered by a transmission of third-party cookie data.

the third party domain in this case is amazons advertising network. amazon has an advertising network similar to Google’s doubleclick.

here’s an example of a real cookie that’s set by the ad network when you visit amazon.com:

Set-Cookie:

ad-privacy=0; Domain=.amazon-adsystem.com; Expires=Sun, 01-Oct-2028 14:16:44 GMT; Path=/; Secure; HttpOnly; SameSite=None

when a page on amazon loads, it makes additional requests to the amazon ad network. the ad network sets this very long-lived cookie (at the time of writing, that date is more than 4 years into the future) that will be used to track your behavior. for the next 4 years, this cookie data will be forwarded to any request to the amazon ad networks domain .amazon-adsystem.com.

a quick aside about ad networks

there’s three primary groups involved in an ad network

  1. sellers that have something to sell (companies selling rice cookers on amazon.com) and want their products to be advertised as widely and cheaply as possible and
  2. those who want to make money by showing ads (content creators, bloggers, etc). amazon calls those that want to show ads through their web content associates.
  3. consumers / buyers / site visitors

the value of an ad network is proportional to the size of these groups. if there are no consumers or buyers, there’s nobody to sell to. if there are no content creators / youtubers, ads are limited in their reach. if there are no sellers… well, then there are probably no ads either!

back to bob

now that the third party cookie from the ad network is set, when bob visits a recipe site that’s also part of the ad network, he’s going to load a third party tracking script (also known as pixels) from .amazon-adsystem.com that receives the cookie that’s set, looks up the user by ID on the amazon servers, and serves a targeted ad based on the information the ad network has on the user identified by the cookie.

over time, these scripts loaded by sites that are affiliated with the ad network continue to track bobs behavior through the long lived cookie for as long as they’re loaded and transmit the data back to the ad network. this builds a rich representation of bob as a consumer for re-targeting purposes.

with the “end” to third party cookies, this basic mechanism is threatened. the recipe site will be restricted to only transmitted first party (its own) cookies. cookies previously set by an ad network (from a users visit to amazon.com properties) will not be transmitted behind the scenes for ad retargeting.

i should mention that most browsers do give you the option now of disabling third party cookies. yes even chrome. here’s what i see if i click into my chrome settings. as you would expect, third party cookies right now are allowed by default. i recommend turning that off.

so no more ads following me around in future?

while this looks like a positive direction for data privacy, it’s definitely not the end for ad retargeting. remember that big tech makes an ungodly amount of money from their advertising platforms and it’s not in their interest to kill their golden goose.

the current google led proposal to replace third party cookies in chrome is called the privacy sandbox initiative. a major part of this initiative is to offer users more control over how their data gets shared. i’m going to be reading more on this in the future and write about it on another post.