in reply to What if the bad-guys send nonsense as a session-id?

What oxone said: cookies can't be long enough to cause problems; a bad or random id will find nothing in your DB. You are in the right neighborhood for a real problem, though. If you have a POST form -- GET, again, typically has limits configured in the webserver on the size it will accept -- someone could POST form fields with megabytes of data. In CGI.pm you can help prevent this kind of attack with $CGI::POST_MAX = 1024 * 100;  # max 100K posts; you can check the request body length manually, and it can be set in most webservers' configs too. Then again, one could just write an LWP::Parallel::UserAgent script in about 10 lines that would work quite well as a DoS against just about any small site. That requires access-based throttling, or denial, to combat.
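As an added illustration of the two defensive checks the reply mentions (not code from the reply or from CGI.pm's own docs), here is a small CGI script that caps the accepted body size via $CGI::POST_MAX and also checks the declared length by hand before CGI.pm reads anything. The 100K limit, the session-id format, and the session_store() lookup are assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Constructed limit for the example: refuse any request body over 100K.
my $MAX_BODY = 1024 * 100;

# Tell CGI.pm not to slurp bodies larger than this; when exceeded it skips
# parsing and reports the condition through cgi_error() instead.
$CGI::POST_MAX = $MAX_BODY;

# No file uploads are needed here, so turn them off outright.
$CGI::DISABLE_UPLOADS = 1;

# Manual check on the declared length, done before CGI->new so that an
# oversized body is never read at all. This is the "check it yourself"
# layer the reply refers to, independent of CGI.pm's own limit.
my $declared = $ENV{CONTENT_LENGTH} || 0;
if ($declared > $MAX_BODY) {
    print "Status: 413 Request Entity Too Large\r\n";
    print "Content-Type: text/plain\r\n\r\n";
    print "Body too large\n";
    exit 0;
}

my $q = CGI->new;

# CGI.pm's own verdict: cgi_error() is set if POST_MAX was exceeded
# while it was reading the body.
if (my $err = $q->cgi_error) {
    print $q->header(-status => $err, -type => 'text/plain');
    print "Request rejected: $err\n";
    exit 0;
}

# Session id from the cookie. A nonsense id is harmless to the lookup,
# but validating its shape (assumed here: 32 hex chars) keeps junk out of
# the query path and logs entirely.
my $sid = $q->cookie('session') // '';
if ($sid !~ /\A[0-9a-f]{32}\z/) {
    print $q->header(-status => '400 Bad Request', -type => 'text/plain');
    print "No valid session\n";
    exit 0;
}

# Hypothetical lookup; a random but well-formed id simply returns undef.
my $session = session_store()->{$sid};

print $q->header(-type => 'text/plain');
print $session ? "Session found\n" : "Unknown session\n";

# Stand-in for the real DB lookup so the script runs on its own.
sub session_store {
    # Constructed sample data: one known session id.
    return { 'deadbeefdeadbeefdeadbeefdeadbeef' => { user => 'example' } };
}
```

The manual CONTENT_LENGTH check only catches clients that declare their size honestly; $CGI::POST_MAX is what stops CGI.pm from reading past the cap regardless. Setting the same cap in the web server itself (Apache's LimitRequestBody, for instance) rejects the request before the script is even started.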