I've set up a specific subdomain on my server for static content -- images.example.com
I'd like to configure Apache to never let cookies be set on that domain. But I'm not sure where/how to do that. Please advise :-)
Thanks!
I've set up a specific subdomain on my server for static content -- images.example.com
I'd like to configure Apache to never let cookies be set on that domain. But I'm not sure where/how to do that. Please advise :-)
Thanks!
Using mod_headers (http://httpd.apache.org/docs/2.2/mod/mod_headers.html) you can manipulate all headers that Apache sends to the client. Something like
Header unset Set-Cookie
Inside the VirtualHost of your subdomain should do the trick.
I don't think apache can be the enforcer here. Even the RequestHeader unset option above will only happen after the client has sent the request with the cookie.
The key thing here the google page speed tool is noticing is that the client sends the cookie on the request. That means somewhere in your application you have set a domain.com cookie (so in effect, *.domain.com). You need to carefully only ever set www.domain.com (or whatever subdomain you're using) in your cookies code. Truthfully, most professional websites wind up with so many third party widgets and javascripts and browser calls that its easier to just abandon your "main" domain for this and setup a full second domain that will never ever have a cookie set on it. You can see facebook does this with fbcdn.net. Huffingtonpost.com does this with huffpost.com.