11

I'm using the "page speed" extension for Firebug to try to optimise a website and I'm currently working on the following suggestion: "Serve static content from a cookieless domain".

I have created a separate sub-domain for some content so that I have www.example.com and images.example.com, but how do I specify that images.example.com is cookieless? Can I enforce that it is cookieless in a web server such as Nginx or Apache, or is it simply a matter of making sure not to set any cookies in this domain in the server-side code (e.g. PHP)?

The reason why I'm asking is because "Page Speed" is still showing the same recommendation even after I tried to fix it - so I guess some cookies must have slipped through. I can't see any cookies in my browser cookie search but if I examine the HTTP headers of the resource I can see:

Cookie  __utma=73051794.676740941.1271792323.1277710025.1277900715.20; __utmz=73051794.1271792323.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmx=73051794.00009825591030858779:3:0; __utmxx=73051794.00009825591030858779:2295429:2592000; __gads=ID=0a768e3407302ff8:T=1272608001:S=ALNI_MZ-GKhg3ETniU0TVftk0DdGyUypkQ

Anyone know how I can stop cookies from my sub-domain?

Tom

2 Answers

14

Here is a useful article which also addresses how to use a cookieless sub-domain: http://www.ravelrumba.com/blog/static-cookieless-domain/.

In order to set up a cookieless subdomain you have to make sure that your server or application only sets cookies for www.example.com and not the top-level example.com. (Cookies set at the top-level domain apply to all subdomains as well.) How you go about this of course depends on your particular set-up. But two common cookie-setters are Google Analytics and WordPress. For Google Analytics, you have to set the "_setDomainName" value to your www domain. Like this:

_gaq.push(
    ['_setAccount', 'UA-xxxxxxx-1'],
    ['_setDomainName', 'www.example.com'],
    ['_trackPageview']
);
Tom
11

The cookies you mention are set by Google Analytics; they are usually set on a domain-wide basis to cover all subdomains.

Nginx cannot make a browser not send any cookies; there is no part of the HTTP specification that allows a web server to say it's not interested in cookies, so a browser will always send them. Many of the biggest sites where this suggestion actually matters use a completely separate domain for static files -- such as yimg.com for Yahoo.

Martin Fjordvald
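Both answers turn on how a cookie's domain scope decides which hosts receive it. The sketch below is an added example, not code from either answer or the linked article: it applies the RFC 6265 domain-match rule to a constructed cookie jar to show which cookies a browser would attach to a request for each host (the jar contents, `setBy` field and function names are assumptions for illustration).

```javascript
// Added example: RFC 6265 (section 5.1.3) domain matching, reduced to host names.
// The jar below is constructed sample data, not captured from a real site.

// True if a cookie whose Domain attribute is `cookieDomain` is sent to `requestHost`.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, ""); // leading dot is ignored
  if (host === domain) return true;
  // Suffix matching never applies when the request host is an IP address.
  const isIp = /^[\d.]+$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// Names of the cookies in `jar` that would be attached to a request for `requestHost`.
// domain === null models a cookie set without a Domain attribute ("host-only"):
// it goes back only to the exact host that set it.
function cookiesSentTo(requestHost, jar) {
  return jar
    .filter((c) =>
      c.domain === null
        ? c.setBy.toLowerCase() === requestHost.toLowerCase()
        : domainMatches(requestHost, c.domain)
    )
    .map((c) => c.name);
}

const jar = [
  // Domain-wide scope, as in the question: reaches every subdomain.
  { name: "__utma", setBy: "www.example.com", domain: "example.com" },
  // Scope narrowed to the www host, as the _setDomainName setting does.
  { name: "__utmz", setBy: "www.example.com", domain: "www.example.com" },
  // Application session cookie set without a Domain attribute.
  { name: "PHPSESSID", setBy: "www.example.com", domain: null },
];

for (const host of ["www.example.com", "images.example.com", "static.example.net"]) {
  console.log(host, "->", cookiesSentTo(host, jar).join(", ") || "(no cookies)");
}
```

Only the cookie scoped to `example.com` reaches `images.example.com`; a host on a different registered domain receives none of them, which is why large sites use a separate domain for static files.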