
How do I set up a cookie-less domain?

@Bryan171

Posted in: #Cookie #Domains #WebsiteDesign

I've read that it's best to serve static content (CSS, JavaScript, etc.) from a cookie-less domain or subdomain for better performance. I assume a domain is not cookie-less by default. How do I specify that I don't want to use cookies?


2 Comments


@Marchetta884

How do I specify that I don't want to use cookies?


It's not about what you need to do to have a cookieless domain - it's more about what you need to not do... To have a cookieless domain you have to make sure your application running on that domain doesn't set any cookies. This usually means not having logins, not having Google Analytics, not having sessions - i.e. just serving media and nothing else. Obviously this depends on your setup.

One mistake I made recently was that I didn't make the distinction between a domain and a sub-domain. I started serving all my media from media.example.com thinking it was a cookieless domain, but actually it is a sub-domain, and I found many of my cookies from the main site www.example.com were being set at a domain level and therefore polluting my supposedly cookieless sub-domain. Here is the link for how I solved that problem: serverfault.com/questions/160210/nginx-serve-static-content-from-a-cookieless-domain


@BetL925

When things like YSlow and Page Speed tell you to set up cookie-less domains, what they actually mean is serve media from a domain where you won't be setting any, or have not set any (globally) in the past. Sometimes this can be accomplished by using sub-domains, such as media.domain.com or static.domain.com; however, if you set a cookie on domain.com that applies to the domain as a whole – a cookie for *.domain.com – then this cookie will be sent by the client back to the server on every request for every domain associated with domain.com. This includes all sub-domains.

The global cookie becomes an issue if you decide to forgo the use of on your domains. Without a specific sub-domain to set a cookie for, all cookies must be set for *.domain.com in order for them to work.

This global cookie issue is why you will see static media served from places like ytimg.com on YouTube. ytimg.com will never serve dynamic content that can set cookies, which means no cookie for will ever be sent from the client back to the server when these domains are part of HTTP requests.

If you are certain that you will never have a cookie set for *.domain.com then you can use a sub-domain for your needs. Be aware that most of the time if you integrate with another site or service via JavaScript, they will set global domain cookies.

In Apache (and I'm sure every other webserver) you can set or unset headers before requests are answered. This will not fix the issue of the client sending the cookie to your server, but it will keep your domains from ever sending or initially setting cookies. Only a problem if you serve content that isn't static from your cookie-less domains, which defeats their purpose.

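# Strip the Cookie request header sent by the client (needs mod_headers)
RequestHeader unset Cookie
# Never emit Set-Cookie in responses from this host
Header unset Set-Cookie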


This will unset the headers for existing cookies and for creating new cookies. Again, only an issue if you serve content from your static domains that could potentially set a cookie. Place this in your site or virtualhost's configuration (which depending on your OS, server, and version could be any number of places).

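Added example, not part of either answer above: a Python sketch of the domain-scoping rule both answers describe, reporting which cookies a browser would send back to a given host. The host static.example-cdn.test, the cookie values and the function names are constructed for illustration; Path, Secure and public-suffix handling are left out.

```python
from http.cookies import SimpleCookie


def domain_match(host, cookie_domain):
    """RFC 6265 5.1.3: host is the cookie domain itself or a subdomain of it."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookies_sent_to(target_host, observed):
    """Return sorted names of cookies a browser would attach to target_host.

    observed: (setting_host, Set-Cookie value) pairs collected from responses.
    Path, Secure and public-suffix checks are left out to keep the focus
    on domain scoping.
    """
    sent = set()
    for setting_host, header in observed:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            domain = morsel["domain"]
            if not domain:
                # No Domain attribute: host-only, returned to the setting host alone.
                if target_host.lower() == setting_host.lower():
                    sent.add(name)
            elif domain_match(setting_host, domain) and domain_match(target_host, domain):
                # Domain attribute: covers that domain and every subdomain.
                # (Browsers drop the cookie if the setting host is outside it.)
                sent.add(name)
    return sorted(sent)


# Constructed sample: Set-Cookie headers as www.example.com might emit them.
OBSERVED = [
    ("www.example.com", "sessionid=abc123; Path=/; HttpOnly"),
    ("www.example.com", "_ga=GA1.2.111.222; Domain=.example.com; Path=/"),
    ("www.example.com", "prefs=dark; Domain=www.example.com; Path=/"),
]

if __name__ == "__main__":
    for host in ("www.example.com", "media.example.com", "static.example-cdn.test"):
        print(host, "receives", cookies_sent_to(host, OBSERVED) or "no cookies")
```

Only the cookie set with Domain=.example.com reaches media.example.com, while the host on a separate registered domain receives nothing.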