Stopping cookies being set from a domain (aka "cookieless domain") to increase site performance

I was reading in Google's documentation about improving site speed. One of their recommendations is serving static content (images, css, js, etc.) from a "cookieless domain":

Static content, such as images, JS and CSS files, don't need to be accompanied by cookies, as there is no user interaction with these resources. You can decrease request latency by serving static resources from a domain that doesn't serve cookies.

Google t开发者_开发百科hen says that the best way to do this is to buy a new domain and set it to point to your current one:

To reserve a cookieless domain for serving static content, register a new domain name and configure your DNS database with a CNAME record that points the new domain to your existing domain A record. Configure your web server to serve static resources from the new domain, and do not allow any cookies to be set anywhere on this domain. In your web pages, reference the domain name in the URLs for the static resources.

This is pretty straight forward stuff, except for the bit where it says to "configure your web server to serve static resources from the new domain, and do not allow any cookies to be set anywhere on this domain". From what I've read, there's no setting in IIS that allows you to say "serve static resources", so how do I prevent ASP.NET from setting cookies on this new domain?

At present, even if I'm just requesting a .jpg from the new domain, it sets a cookie on my browser, even though our application's cookies are set to our old domain. For example, ASP.NET sets an ".ASPXANONYMOUS" cookie that (as far as I'm aware) we're not telling it to do.

Apologies if this is a real newb question, I'm new at this!

Thanks.

This is how I've done in my website:

1. Setup a website on IIS with an ASP.NET application pool
2. Set the binding host to your.domain.com
   • Note: you cannot use domain.com or else the sub-domain will not be cookieless
3. Create a folder on the website called Static
4. Setup another website, point it to Static folder created earlier.
5. Set the binding host to static.domain.com
6. Use an application pool with unmanaged code
7. On the settings open Session State and check Not enabled.

Now you have a static website. To setup open the web.config file under Static folder and replace with this one:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <sessionState mode="Off" />
    <pages enableSessionState="false" validateRequest="false" />
    <roleManager>
      <providers>
        <remove name="AspNetWindowsTokenRoleProvider" />
      </providers>
    </roleManager>
  </system.web>
  <system.webServer>
    <staticContent>
      <clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="30.00:00:00" />
    </staticContent>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

This is going to cache the files for 30 days, remove a RoleManager (I don't know if it changes anything but I removed all I could find), and remove an item from Response Headers.

But here is a problem, your content will be cached even when a new version is deployed, so to avoid this I made an helper method for MVC. Basically you have to append some QueryString that will change every time you change these files.

default.css?v=1   ?v=2  ...

My MVC method gets the last write date and appends on the file url:

public static string GetContent(this UrlHelper url, string link)
{
    link = link.ToLower();

    // last write date ticks to hex
    var cacheBreaker = Convert.ToString(File.GetLastWriteTimeUtc(url.RequestContext.HttpContext.Request.MapPath(link)).Ticks, 16);

    // static folder is in the website folders, but instead of
    // www.domain.com/static/default.css I convert to
    // static.domain.com/default.css
    if (link.StartsWith("~/static", StringComparison.InvariantCultureIgnoreCase))
    {
        var host = url.RequestContext.HttpContext.Request.Url.Host;
        host = String.Format("static.{0}", host.Substring(host.IndexOf('.') + 1));

        link = String.Format("http://{0}/{1}", host, link.Substring(9));

        // returns the file URL in static domain
        return String.Format("{0}?v={1}", link, cacheBreaker);
    }

    // returns file url in normal domain
    return String.Format("{0}?v={1}", url.Content(link), cacheBreaker);
}

And to use it (MVC3 Razor):

<link href="@Url.GetContent("~/static/default.css")" rel="stylesheet" type="text/css" />

If you are using another kind of application you can do the same, make a method that to append HtmlLink on the page.

If you don't write cookies from domain, the domain will be cookie-less.

When the domain is set to host only resource content like scripts, images, etc., they are requested by plain HTTP-GET requests from browsers. These contents should be served as-is. This will make your domain cookieless. This cannot be done by web-server configuration. Http is completely state-less and web-servers have no idea about the cookies at all. Cookies are written or sent to clients via server-side scripts. The best you can do is disable asp.net, classic-asp or php script capabilities on the IIS application.

The way we do it is.

We have a sub-domain setup to serve cookie-less resources. So we host all our images and scripts on the sub-domain. and from the primary application we just point the resource by it's url. We make sure sub-domain remains cookie-free by not serving any dynamic script on that domain or by creating any asp.net or php sessions.

http://cf.mydomain.com/resources/images/*.images
http://cf.mydomain.com/resources/scripts/*.scripts
http://cf.mydomain.com/resources/styles/*.styles

from primary domain we just refer a resource as following.

<img src="http://cf.mydomain.com/resources/images/logo.png" />

Serving resources from Cookie-less domains is great technique if you have more than 5 of combined images/styleshees/javascript then its benefit is noticeable and is gain even with that extra DNS lookup. Also its very easy to implement :). There's how you can easily set it in web.config[system.web] and have completely cookieless subdomain (unless its cookie-fested by Google Analytics but thats easily curable as well) :)

<!-- anonymousIdentification configuration:
                    enabled="[true|false]"                              Feature is enabled?
                    cookieName=".ASPXANONYMOUS"                         Cookie Name
                    cookieTimeout="100000"                              Cookie Timeout in minutes
                    cookiePath="/"                                      Cookie Path
                    cookieRequireSSL="[true|false]"                     Set Secure bit in Cookie
                    cookieSlidingExpiration="[true|false]"              Reissue expiring cookies?
                    cookieProtection="[None|Validation|Encryption|All]" How to protect cookies from being read/tampered
                    domain="[domain]"                                   Enables output of the "domain" cookie attribute set to the specified value
                -->

To give you example

<anonymousIdentification enabled="true" cookieName=".ASPXANONYMOUS" cookieTimeout="100000" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" cookieProtection="None" domain="www.domain." />

This will set .ASPXANONYMOUS cookie only on www.domain.anyTLD but not myStatic.domain.anyTLD ... no need to create new pools and stuff :).

If you aren't using that cookie, in any way, you could just disable session state in IIS 6: http://support.microsoft.com/kb/244465

In IIS, go to the Home Directory tab, then click the "Configuration" button.

Next go to the Options tab and un-check "Enable session state". The cookie will go away, and you can leave your files where they are with no need for an extra domain or sub-doamin.

Plus, by using additional domains, you increase dns lookups, which partially defeats the intent of the overall optimization.