Mike Christensen

Reputation: 91666

Is there a way to control which URLs a cookie gets sent to?

My session cookie is somewhat long (about 700 bytes), since it contains various encrypted user information and whatnot. There are some things I can do to get that size down, and I'm working on that angle too, but that's another topic.

My issue is that I don't like how this cookie gets sent to the server on every single HTTP request, including requests to JPG images, CSS files, and static JavaScript files. Since the cookie isn't needed on these requests, I feel it might slow down page load times since this is 700 bytes x the number of resources the page loads. Obviously, these files get cached and whatnot, but still I'd like my pages to load as quickly and smoothly as possible.

The one solution I can think of is to put all my static content on another sub-domain, such as cdn.myserver.com/images/ and cdn.myserver.com/scripts/, and set the cookie-path to only include www.myserver.com. I believe this would work, but it complicates dev and staging environments. I'd probably end up having to generate URLs dynamically depending on what environment the code was being run in.

My Question:

Besides the solution above, is there any way to prevent cookies from being sent across the wire for certain HTTP requests, such as image, script and style resources?

I'm running on the .NET stack, with IIS7.5 as a web server.

Upvotes: 1

Views: 126

Answers (2)

Mahyar

Reputation: 681

As far as I know, the only solution is using the cookieless domain or sub-domain which you have mentioned. But remember that the domain or sub-domain should be a Canonical DNS Name pointed to your main domain.

To ease the development and staging environments, I recommend you use the CombineAndMinify component along with your ASP.NET project, so it will fulfill your need in the background, and it also has some other features you may like to use.
In addition, it has a debug|release mode, so you can bypass it when you are debugging.

Upvotes: 1

casperOne

Reputation: 74550

There isn't anything you can do from a server perspective; by the time your server (IIS) or your framework (ASP.NET, or other) has received the request, the cookies have already been sent.

What you mentioned will absolutely work, quoting RFC 2109 ("HTTP State Management Mechanism") (emphasis mine):

Hosts names can be specified either as an IP address or a FQHN string. Sometimes we compare one host name with another. Host A's name domain-matches host B's if

  • both host names are IP addresses and their host name strings match exactly; or
  • both host names are FQDN strings and their host name strings match exactly; or
  • A is a FQDN string and has the form NB, where N is a non-empty name string, B has the form .B', and B' is a FQDN string. (So, x.y.com domain-matches .y.com but not y.com.)

Note that domain-match is not a commutative operation: a.b.c.com domain-matches .c.com, but not the reverse.

So creating a separate sub-domain, while specifically keying your cookies to a different sub-domain, will work.

Note that it's commonly accepted practice to do this in order to increase page speed and Stack Overflow has been doing this since late 2009.

In order to reduce the complexity of your staging and dev environments, I recommend following this lead; having the content on a separate domain means that you don't have to do anything different for any of those environments.

Upvotes: 3
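
The domain-match rules quoted in the answer above, written out as an added example (not code from either answer) that checks which hosts a cookie jar would be sent to. The host names follow the question's; the cookie names and values are constructed, each cookie's `domain` is assumed to be its Domain attribute or, when that was omitted, the host that set it, and only IPv4 literals are treated as IP addresses.

```javascript
// Constructed illustration of RFC 2109 domain-match as quoted above.
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// True when host name `a` domain-matches `b` under the three quoted rules.
function domainMatches(a, b) {
  a = a.toLowerCase();
  b = b.toLowerCase();
  const aIsIp = IPV4.test(a);
  const bIsIp = IPV4.test(b);
  // Rule 1: IP addresses only match an identical IP address.
  if (aIsIp || bIsIp) return aIsIp && bIsIp && a === b;
  // Rule 2: two FQDN strings that match exactly.
  if (a === b) return true;
  // Rule 3: A has the form N + B, N non-empty, B = "." + B'.
  return b.startsWith(".") && b.length > 1 &&
         a.length > b.length && a.endsWith(b);
}

// Build the Cookie header a client would attach for `requestHost`.
// Returns "" when no cookie in the jar matches.
function cookieHeader(requestHost, jar) {
  return jar
    .filter((c) => domainMatches(requestHost, c.domain))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed jar: a 700-byte session cookie keyed to www only,
// and a small cookie shared across the whole domain.
const sampleJar = [
  { name: "session", value: "x".repeat(700), domain: "www.myserver.com" },
  { name: "prefs", value: "dark", domain: ".myserver.com" },
];

// Report the header size per host: only www carries the session cookie.
for (const host of ["www.myserver.com", "cdn.myserver.com"]) {
  const header = cookieHeader(host, sampleJar);
  console.log(`${host}: ${header.length} bytes of cookie data`);
}
```

The second jar entry shows the case to check for when auditing: a cookie keyed to `.myserver.com` still travels to the static sub-domain, so the session cookie has to be keyed to the `www` host for the split to have any effect.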
