
I've set up a specific subdomain on my server for static content -- images.example.com

I'd like to configure Apache to never let cookies be set on that domain. But I'm not sure where/how to do that. Please advise :-)

Thanks!

  • If it is static content, then how would it get the cookies? Cookies are usually added by dynamic content providers, like a PHP script. Some Apache modules can also emit their cookies, I guess, but that would also be a kind of dynamic content. If you are bothered by a specific cookie added by some Apache module, then show it, so we can say which module might have generated it. – Jacek Konieczny Mar 02 '10 at 19:36
  • Hey -- thanks for the note. Maybe I'm getting invalid data here. The Firebug "page speed" plugin is suggesting I serve static content from a domain that doesn't set cookies, and specifically mentions this file: http://www.flashlightworthybooks.com/styles.css But it doesn't appear to actually be sending a cookie back with the style sheet. Do you see what I mean? –  Mar 02 '10 at 20:33
  • p.s. here's a screen shot of what the tool is showing me; it seems to think that cookies are coming along with my style sheets and images as well. http://screencast.com/t/NzQ4YWE0OG –  Mar 02 '10 at 20:35

2 Answers


Using mod_headers (http://httpd.apache.org/docs/2.2/mod/mod_headers.html) you can manipulate all headers that Apache sends to the client. Something like

Header unset Set-Cookie

Inside the VirtualHost of your subdomain should do the trick.

Lukas Loesche

I don't think Apache can be the enforcer here. Even the RequestHeader unset option above will only happen after the client has sent the request with the cookie.

The key thing the Google Page Speed tool is noticing here is that the client sends the cookie on the request. That means somewhere in your application you have set a domain.com cookie (so in effect, *.domain.com). You need to carefully only ever set www.domain.com (or whatever subdomain you're using) in your cookies code. Truthfully, most professional websites wind up with so many third-party widgets, JavaScripts and browser calls that it's easier to just abandon your "main" domain for this and set up a full second domain that will never ever have a cookie set on it. You can see Facebook does this with fbcdn.net. Huffingtonpost.com does this with huffpost.com.

cagenut
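The two answers make complementary points: the mod_headers directive in the first answer only removes Set-Cookie headers that Apache itself would emit, while the second answer's point is that the browser decides what to send, based on the Domain attribute of cookies it already holds. The following is an added example, not code from the question or from either answer, that shows the browser-side rule using Python's http.cookiejar (which implements the same Netscape domain-matching logic browsers use) as a stand-in for the browser's cookie store. The hostnames www.example.com and images.example.com, the cookie name and value, and the URLs are constructed for the demonstration.

```python
# Added example (not from the original question or answers): simulate how a
# browser decides which stored cookies to send to images.example.com, using
# Python's http.cookiejar, which implements the Netscape cookie domain rules.
# All hostnames, URLs and cookie values below are constructed for the demo.
import email.message
import http.cookiejar
import urllib.request


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()
    to return a message-like object that supports get_all("Set-Cookie")."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            # Message.__setitem__ appends, so several Set-Cookie headers survive.
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def cookie_header_for(set_cookie_values, origin_url, target_url):
    """Store the given Set-Cookie headers as if they arrived in a response
    from origin_url, then return the Cookie header the jar would attach to a
    request for target_url (None when no stored cookie matches that host)."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie_values),
                        urllib.request.Request(origin_url))
    request = urllib.request.Request(target_url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


# A cookie set with an explicit Domain=example.com is stored as ".example.com"
# and is sent to every subdomain, the static-content host included.
DOMAIN_COOKIE = ["session=abc123; Domain=example.com; Path=/"]

# The same cookie without a Domain attribute is host-only: it is stored for
# www.example.com and is never sent to images.example.com.
HOST_ONLY_COOKIE = ["session=abc123; Path=/"]


def demo():
    """Run the four cases and return the Cookie header produced for each."""
    origin = "http://www.example.com/"
    static = "http://images.example.com/logo.png"
    dynamic = "http://www.example.com/index.php"
    return {
        "domain_cookie_to_images": cookie_header_for(DOMAIN_COOKIE, origin, static),
        "domain_cookie_to_www": cookie_header_for(DOMAIN_COOKIE, origin, dynamic),
        "host_only_to_images": cookie_header_for(HOST_ONLY_COOKIE, origin, static),
        "host_only_to_www": cookie_header_for(HOST_ONLY_COOKIE, origin, dynamic),
    }


if __name__ == "__main__":
    for case, header in demo().items():
        print(f"{case:25s} -> Cookie: {header}")
```

The practical check this suggests is to look at the Set-Cookie headers your dynamic pages emit: if any of them carries a Domain attribute covering the parent domain, the static subdomain will receive that cookie on every request regardless of how images.example.com itself is configured, which is why the second answer recommends either host-only cookies or a separate cookie-free domain.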