Cookie Scoping

Best practice is to serve static content without cookies attached.

To achieve this people generally split static content out to a cookie free domain.

Is there a way to serve both dynamic (with cookies) and static content (without cookies) from the same domain? ie. is it possible to scope cookies by resource as well as by domain/sub-domain?[hr]
Answering my own question (maybe I should have seached a little longer), it would seem that provision for this already exists by setting the ‘path’ attribute on the cookie.

Setting the path attribute to a subset of the urls being served by a domain allows for the tightening of the scope of a cookie.
So we can split the site like so:
Then limit the cookie to a domain of and a path of /dynamic

This should mean that browsers will not supply a cookie when requesting resources from

Are there any pitfalls (eg. lack of browser support) to using the path attribute on a cookie?

The path works fine across browsers but the problem comes when you want to use the cookie higher in the tree (say at your root for If you can partition all of your paths so all of the dynamic content is always in a subfolder then that would work fine.

With Coldfusion, you can have an Application.cfm file in multiple directories. I usually declare the cfapplication cookie settings in these files. If you have an Application.cfm file in your subdirectory that does not use cookies, then it may be possible that the cookie information is not passed when an image is accessed in the subdirectory. I know a file only reads the innermost Application.cfm file so if you had two files, one in your main directory and one in the image subdirectory, the one in your main directory would not get processed when you read a file in the image subdirectory. I usually use a subdirectory for static resources so cookie information is not passed in that situation.

Actually, the cookie path applies cookies to anything under the path so if a cookie is used at the top-level then even if your app doesn’t use it the browser is sending cookies for requests for your static content.

For example, if you set a cookie to /foo


/foo/bar/some_static_file - would get the cookies
/static/otherfile - would not get the cookies

This is why it becomes problematic because usually you want tthe cookies to be available for your base page at / which means that it would get applied to everythiong on the domain.

Ok so I guess its then down to a design choice for how the site is laid out then as it would be simple to 301 / to a subfolder such as home for the index page.

Hey Guys,

I want to explain myself a little further.

Test Page:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" ""> 
<html xmlns=""> 
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 
<title>Untitled Document</title> 
<img src="searsCoupon.png" /> 

Exhibit A:
Exhibit B:

Exhibit A does not pass cookie information with the image and Exhibit B does do this. has an Application.cfm file at the root directory that includes this line that enables cookies on the website:

<cfapplication applicationtimeout="#createTimeSpan(0,1,0,0)#" clientmanagement="yes" name="#myAppName#" 
sessionmanagement="#sessionManagement#" sessiontimeout="#sessionTimeout#" clientstorage="cookie">

In the cookie1 directory, there is another Application.cfm file that is blank. However, it overrides the root directory Application.cfm file. Cookies never get set for Exhibit A because of this.

Travis Walters

Sort of but if you look at Exhibit B, the path for the cookies themselves is actually / so if you ever visit another page on the site (ANYWHERE), the cookie that was set in Exhibit B will be sent up with all requests (including for static content). It also means that any requests for static objects regardless of their path (if they are on the same domain) will include the cookies.

I think what your test shows is just the difference between two apps, one that sets cookies and one that doesn’t.