Official maximum size for an HTTP cookie header is 4K. So the actual cookie will be slightly smaller. Some browsers will work with bigger cookies, others won't.
A short cookie as a unique transaction-id, and the data in a temporary part of the database sounds a better approach. You never know what havoc a hacker can do if they start editing cookies that contain meaningful data.
Just remember to have a daily (?) task that deletes abandoned carts -- otherwise your server's hard drives will one day overflow.
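A sketch of the approach described above, added as an example and not part of the original post: the cookie carries only a random cart id, the cart contents stay in a server-side table, and a purge function is what the daily task would call. The table layout, function names and the one-day `CART_TTL` are assumptions made for illustration.

```python
import json
import secrets
import sqlite3
import time

CART_TTL = 24 * 3600  # assumed: a cart idle for one day counts as abandoned

def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS carts ("
               " id TEXT PRIMARY KEY, data TEXT NOT NULL, touched REAL NOT NULL)")
    return db

def new_cart(db, now=None):
    """Create an empty cart; the returned id is the only value put in the cookie."""
    cart_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    db.execute("INSERT INTO carts VALUES (?, ?, ?)",
               (cart_id, "[]", time.time() if now is None else now))
    db.commit()
    return cart_id

def load_cart(db, cart_id, now=None):
    """Return the cart items, or None for an unknown, edited or expired id."""
    now = time.time() if now is None else now
    row = db.execute("SELECT data, touched FROM carts WHERE id = ?",
                     (cart_id,)).fetchone()
    if row is None or now - row[1] > CART_TTL:
        return None
    return json.loads(row[0])

def save_cart(db, cart_id, items, now=None):
    """Update a live cart; False means the id was not issued by us or has expired."""
    now = time.time() if now is None else now
    cur = db.execute(
        "UPDATE carts SET data = ?, touched = ? WHERE id = ? AND touched >= ?",
        (json.dumps(items), now, cart_id, now - CART_TTL))
    db.commit()
    return cur.rowcount == 1

def purge_abandoned(db, now=None):
    """Called by the daily task: delete carts untouched for longer than CART_TTL."""
    now = time.time() if now is None else now
    cur = db.execute("DELETE FROM carts WHERE touched < ?", (now - CART_TTL,))
    db.commit()
    return cur.rowcount
```

Because prices and quantities never leave the server, an edited cookie can at most point at a cart id that does not exist, which `load_cart` and `save_cart` reject.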