24

I've read that it's best to serve static content (CSS, JavaScript, etc.) from a cookie-less domain or subdomain for better performance. I assume a domain is not cookie-less by default. How do I specify that I don't want to use cookies?

BenV

3 Answers

26

When things like YSlow and Page Speed tell you to set up cookie-less domains, what they actually mean is serve media from a domain where you won't be setting any, or have not set any (globally) in the past. Sometimes this can be accomplished by using sub-domains, such as media.example.com, or static.example.com, however if you set a cookie on example.com that applies to the domain as a whole – a cookie for *.example.com – then this cookie will be sent by the client back to the server on every request for every domain associated with example.com. This includes all sub-domains.

The global cookie becomes an issue if you decide to forgo the use of www. on your domains. Without a specific sub-domain to set a cookie for, all cookies must be set for *.example.com in order for them to work.

This global cookie issue is why you will see static media served from places like ytimg.com on YouTube. ytimg.com will never serve dynamic content that can set cookies, which means no cookie will ever be sent from the client back to the server when these domains are part of HTTP requests.

If you are certain that you will never have a cookie set for *.example.com then you can use a sub-domain for your needs. Be aware that most of the time if you integrate with another site or service via JavaScript, they will set global domain cookies.

In Apache (and I'm sure every other webserver) you can set or unset headers before requests are answered. This will not fix the issue of the client sending the cookie to your server, but it will keep your domains from ever sending or initially setting cookies. Only a problem if you serve content that isn't static from your cookie-less domains, which defeats their purpose.

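    # Requires mod_headers. Cookie is a request header, so it is removed with RequestHeader.
    RequestHeader unset Cookie
    # Set-Cookie is a response header, so it is removed with Header.
    Header unset Set-Cookie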

This will unset the headers for existing cookies and for creating new cookies. Again, only an issue if you serve content from your static domains that could potentially set a cookie. Place this in your site or virtualhost's configuration (which depending on your OS, server, and version could be any number of places).

Stephen Ostermiller
Bryson
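The scoping behaviour described in the answer above, as an added example that is not part of the original answer: given `Set-Cookie` headers observed on a site, it reports which cookies a browser would attach to requests for a candidate static host. The host names and cookie values are constructed, and the matching is simplified RFC 6265 domain matching that ignores `Path`, `Secure` and the public-suffix list.

```python
# Added example: which cookies would a browser send to a given host?
# Simplified RFC 6265 domain matching (Path, Secure, public suffixes ignored).

def domain_match(host, domain):
    """True if host is the domain itself or one of its sub-domains."""
    return host == domain or host.endswith("." + domain)

def stored_scope(set_cookie, origin_host):
    """Return (name, domain, host_only) as the browser stores it, or None if rejected."""
    name_value, *attrs = [part.strip() for part in set_cookie.split(";")]
    name = name_value.split("=", 1)[0]
    origin_host = origin_host.lower()
    domain = None
    for attr in attrs:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain" and value.strip():
            domain = value.strip().lower().removeprefix(".")  # leading dot is ignored
    if domain is None:
        return name, origin_host, True   # host-only: sent to the exact host only
    if not domain_match(origin_host, domain):
        return None                      # a host cannot set cookies for a foreign domain
    return name, domain, False           # domain cookie: sent to every sub-domain

def cookies_sent_to(request_host, observed):
    """observed is a list of (host that set the cookie, Set-Cookie header value)."""
    sent = []
    for origin_host, header in observed:
        scope = stored_scope(header, origin_host)
        if scope is None:
            continue
        name, domain, host_only = scope
        hit = request_host == domain if host_only else domain_match(request_host, domain)
        if hit:
            sent.append(name)
    return sent

# Constructed sample data, not taken from any real site.
OBSERVED = [
    ("www.example.com", "session=abc123; Path=/; HttpOnly"),          # host-only
    ("www.example.com", "_ga=GA1.2.111.222; Domain=.example.com"),    # domain-wide
    ("example.com", "login=1; Domain=example.com; Path=/"),           # domain-wide
]

if __name__ == "__main__":
    for host in ("static.example.com", "static.example-cdn.test"):
        print(host, "receives", cookies_sent_to(host, OBSERVED))
```

Any name reported for the static host is a cookie that the static server, or a third-party CDN in front of it, receives on every request.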
6

How do I specify that I don't want to use cookies?

It's not about what you need to do to have a cookieless domain - it's more about what you need to not do... To have a cookieless domain you have to make sure your application running on that domain doesn't set any cookies. This usually means not having logins, not having Google Analytics, not having sessions - i.e. just serving media and nothing else. Obviously this depends on your setup.

One mistake I made recently was that I didn't make the distinction between a domain and a sub-domain. I started serving all my media from http://media.example.com thinking it was a cookieless domain but actually it is a sub-domain and I found many of my cookies from the main site http://www.example.com were being set at a domain level and therefore polluting my supposedly cookieless sub-domain. Here is the link from Server Fault for how I solved that problem: Nginx - Serve static content from a cookieless domain

Stephen Ostermiller
Tom
3

How do I specify that I don't want to use cookies?

You don't have to specify that you don't want to use cookies, you just don't use them.