How to Use Cookie-Free Domains
What are HTTP cookies?
Each subsequent time the user browses the same site, their browser sends the cookie to the website’s server thus providing it with the information that was set in the last request. There are three main uses for cookies including:
- Session management
There are also various types of cookies available and can each be used in different scenarios.
Why use cookie-free domains?
Although cookies are very useful in some cases, in other cases - such as the delivery of static content, they can hinder performance. When a browser makes a request for a static asset such as an image or CSS file, there is no need for it to also send a cookie to the server. This only creates additional network traffic and since the files are static (they do not change) the server has no use for the added cookie.
When you use cookie-free domains you are able to separate the content that doesn’t require cookies from the content that does. This helps improve your site’s performance by eliminating unneeded network traffic.
How to use cookie-free domains in WordPress
If you set your cookies on a top-level domain (e.g.
yourwebsite.com) all of your subdomains (e.g.
static.yourwebsite.com) will also include the cookies that are set. Therefore, in this case, it is required that you use a separate domain name to deliver your static content if you want to use cookie-free domains. However, if you set your cookies on a
www subdomain such as
www.yourwebsite.com, you can create another subdomain (e.g.
static.yourwebsite.com) to host all of your static files which will no longer result in any cookies being sent.
The following steps outline how to use cookie-free domains in WordPress:
- Create a subdomain, such as
static.yourwebsite.com, which is where you will deliver all your static files from.
- Point your new subdomain to the
/wp-contentdirectory of your WordPress installation. For cPanel users, you will need to update the document root field from
public_html/wp-contentlike the screenshot below.
wp-config.phpfile to reflect the following:
define("WP_CONTENT_URL", "http://static.yourwebsite.com"); define("COOKIE_DOMAIN", "www.yourwebsite.com");
Run the following command in your SQL database, this will ensure all post URLs are directed to the new subdomain:
UPDATE wp_posts SET post_content = REPLACE(post_content,'www.yourwebsite.com/wp-content/','static.yourwebsite.com/')
Now that your cookie domain and static content subdomain are set, you can begin delivering static content without the server setting an unnecessary cookie for static assets.
Cookie-free domains and CDNs
You can also use a CDN to deliver your static assets and use cookie-free domains while at the same time benefiting from the features a CDN has to offer. With KeyCDN, once you have setup a Pull Zone and retrieved the Zone URL or Zone Alias, you can simply integrate this into your chosen CMS or Framework.
KeyCDN provides the ability to ignore cookies through the Cache Cookies setting. The Strip Cookies settings prevents the client from receiving the
Set-Cookie response header.
If both settings are enabled, your static content is being delivered via the closest CDN edge server and cookies are automatically stripped ensuring there is no additional cookie latency. This is an easy alternative from moving and configuring your site to deliver static assets from a separate subdomain. With a CDN that strips cookies, you can easily deliver content without cookies while taking advantage of all the other benefits that a CDN has to offer.
YSlow cookie-free domain caveats
If you have the strip cookies and cache cookies options enabled as shown above however when running your site through YSlow are still receiving a warning, this is due to a YSlow false-positive. As previously mentioned, if you set your cookies on the top-level domain (e.g.
yourwebsite.com) all of your subdomains will also include the cookies that are set. This also includes your custom CDN URL if using one (e.g.
However, as long as you have the Strip Cookies setting enabled in KeyCDN, even if you receive this warning it will be incorrect. YSlow does not take into consideration that the CDN actually strips the cookie and therefore may continue to throw the error. However, if you run a curl command on the asset or check it within the Chrome DevTools Network panel, you won’t see any
Set-Cookie headers. Therefore this YSlow warning can be safely ignored.
Additionally, if you are using Cloudflare then you simply won’t be able to achieve 100 on YSlow. Cloudflare appends a
__cfduid cookie to every request which cannot be removed due to security reasons.