Cookie Scoping

calumfodder · July 13, 2010, 9:53am

Best practice is to serve static content without cookies attached.

To achieve this people generally split static content out to a cookie free domain.

Is there a way to serve both dynamic (with cookies) and static content (without cookies) from the same domain? ie. is it possible to scope cookies by resource as well as by domain/sub-domain?[hr]
Answering my own question (maybe I should have seached a little longer), it would seem that provision for this already exists by setting the ‘path’ attribute on the cookie.

Setting the path attribute to a subset of the urls being served by a domain allows for the tightening of the scope of a cookie.
So we can split the site like so:
my.example.com/dynamic
my.example.com/static
Then limit the cookie to a domain of my.example.com and a path of /dynamic

This should mean that browsers will not supply a cookie when requesting resources from my.example.com/static

Are there any pitfalls (eg. lack of browser support) to using the path attribute on a cookie?

pmeenan · July 13, 2010, 11:01am

The path works fine across browsers but the problem comes when you want to use the cookie higher in the tree (say at your root for http://www.mypage.com). If you can partition all of your paths so all of the dynamic content is always in a subfolder then that would work fine.

green-watch.org · July 13, 2010, 11:51am

With Coldfusion, you can have an Application.cfm file in multiple directories. I usually declare the cfapplication cookie settings in these files. If you have an Application.cfm file in your subdirectory that does not use cookies, then it may be possible that the cookie information is not passed when an image is accessed in the subdirectory. I know a file only reads the innermost Application.cfm file so if you had two files, one in your main directory and one in the image subdirectory, the one in your main directory would not get processed when you read a file in the image subdirectory. I usually use a subdirectory for static resources so cookie information is not passed in that situation.

pmeenan · July 13, 2010, 12:38pm

Actually, the cookie path applies cookies to anything under the path so if a cookie is used at the top-level then even if your app doesn’t use it the browser is sending cookies for requests for your static content.

For example, if you set a cookie to /foo

Then:

/foo/bar/some_static_file - would get the cookies
/static/otherfile - would not get the cookies

This is why it becomes problematic because usually you want tthe cookies to be available for your base page at / which means that it would get applied to everythiong on the domain.

calumfodder · July 13, 2010, 12:43pm

Ok so I guess its then down to a design choice for how the site is laid out then as it would be simple to 301 / to a subfolder such as home for the index page.
Thanks

green-watch.org · July 13, 2010, 4:22pm

Hey Guys,

I want to explain myself a little further.

Test Page:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
<html xmlns="http://www.w3.org/1999/xhtml"> 
<head> 
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 
<title>Untitled Document</title> 
</head> 
 <body> 
<img src="searsCoupon.png" /> 
</body> 
</html>

Exhibit A: http://www.webpagetest.org/result/100713_1A3P/1/performance_optimization/
example.com/test/cookie1/test.cfm
Exhibit B: http://www.webpagetest.org/result/100713_1A3Y/1/performance_optimization/
example.com/test/cookie2/test.cfm

Exhibit A does not pass cookie information with the image and Exhibit B does do this.

Example.com has an Application.cfm file at the root directory that includes this line that enables cookies on the website:

<cfapplication applicationtimeout="#createTimeSpan(0,1,0,0)#" clientmanagement="yes" name="#myAppName#" 
sessionmanagement="#sessionManagement#" sessiontimeout="#sessionTimeout#" clientstorage="cookie">

In the cookie1 directory, there is another Application.cfm file that is blank. However, it overrides the root directory Application.cfm file. Cookies never get set for Exhibit A because of this.

Sincerely,
Travis Walters

pmeenan · July 13, 2010, 5:23pm

Sort of but if you look at Exhibit B, the path for the cookies themselves is actually / so if you ever visit another page on the site (ANYWHERE), the cookie that was set in Exhibit B will be sent up with all requests (including for static content). It also means that any requests for static objects regardless of their path (if they are on the same domain) will include the cookies.

I think what your test shows is just the difference between two apps, one that sets cookies and one that doesn’t.

Thanks,

-Pat

Topic		Replies	Views
Serving static content from a cookieless domain Optimization Discussions	14	149	May 9, 2012
Cookies and subdomain Optimization Discussions	5	127	November 4, 2011
Proper cookie usage Optimization Discussions	4	120	August 12, 2010
Setting up a separate domain just to "serve static content from a cookieless domain" Optimization Discussions	6	146	March 26, 2013
How to get rid of cookies (I'm on a CDN) Optimization Discussions	9	159	March 25, 2011

Cookie Scoping

Related Topics