How To Use Cookie-Free Domains

What Are HTTP Cookies?

HTTP cookies are small pieces of data that a website sends and that are stored in the user's browser. While a user is viewing a website that uses cookies, the cookies record data about the user's activity on the site, such as preferences, shopping cart items, and which pages were visited. Cookies are very valuable to many websites as they facilitate a better user experience and are key to certain functions, such as determining whether or not a customer is logged in, and with which account.

Each subsequent time the user browses the same site, their browser sends the cookie to the website's server, providing it with the information that was set in the last request. Cookies have three main uses:

  • Session management
  • Personalization
  • Tracking

There are also various types of cookies, each suited to different scenarios.

Why Use Cookie-Free Domains?

Although cookies are very useful in some cases, in others, such as the delivery of static content, they can hinder performance. When a browser makes a request for a static asset such as an image or CSS file, there is no need for it to also send a cookie to the server. This only creates additional network traffic, and since the files are static (they do not change), the server has no use for the added cookie.

When you use cookie-free domains, you are able to separate the content that doesn't require cookies from the content that does. This helps improve your site's performance by eliminating unneeded network traffic.

How To Use Cookie-Free Domains in WordPress

If you set your cookies on a top-level domain (e.g. yourwebsite.com) all of your sub-domains (e.g. static.yourwebsite.com) will also include the cookies that are set. Therefore, in this case, it is required that you use a separate domain name to deliver your static content if you want to use cookie-free domains. However, if you set your cookies on a www subdomain such as www.yourwebsite.com, you can create another subdomain (e.g. static.yourwebsite.com) to host all of your static files which will no longer result in any cookies being sent.
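The scoping rule above, worked through as an added example (not code from the original article): a simplified model of RFC 6265 domain matching that lists which hosts receive a cookie for a given Domain attribute. It models only the Domain attribute (no Path, Secure or public-suffix checks); the function names and the look-alike host `notyourwebsite.com` are made up for this illustration.

```javascript
// Added example: RFC 6265 cookie scoping, reduced to the Domain attribute.
// Hostnames are the page's placeholders plus one constructed look-alike.
const HOSTS = [
  "yourwebsite.com",
  "www.yourwebsite.com",
  "static.yourwebsite.com",
  "cdn.yourwebsite.com",
  "notyourwebsite.com",
];

// Domain-match (RFC 6265 section 5.1.3): identical, or a dot-delimited
// suffix of a hostname. IP literals only ever match exactly.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  if (host === domain) return true;
  const isIp = /^[\d.]+$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// What the browser stores for a Set-Cookie received from `setByHost`.
// Returns null when the cookie is rejected.
function storeCookie(setByHost, domainAttr) {
  const origin = setByHost.toLowerCase();
  if (!domainAttr) return { domain: origin, hostOnly: true };
  const domain = domainAttr.replace(/^\./, "").toLowerCase(); // leading dot ignored
  // A host may not set a cookie for a domain it does not itself match.
  if (!domainMatches(origin, domain)) return null;
  return { domain, hostOnly: false };
}

// Hosts from `hosts` whose requests would carry the stored cookie.
function receivers(cookie, hosts) {
  if (cookie === null) return [];
  return hosts.filter((h) =>
    cookie.hostOnly ? h.toLowerCase() === cookie.domain : domainMatches(h, cookie.domain)
  );
}

// Domain=yourwebsite.com: every subdomain, static and CDN alias included.
const wide = receivers(storeCookie("www.yourwebsite.com", "yourwebsite.com"), HOSTS);
// Domain=www.yourwebsite.com: static.yourwebsite.com stays cookie-free.
const scoped = receivers(storeCookie("www.yourwebsite.com", "www.yourwebsite.com"), HOSTS);
// No Domain attribute: host-only, returned to the setting host alone.
const hostOnly = receivers(storeCookie("yourwebsite.com", null), HOSTS);
// www cannot plant a cookie scoped to a sibling subdomain.
const rejected = storeCookie("www.yourwebsite.com", "static.yourwebsite.com");

console.log({ wide, scoped, hostOnly, rejected });
```

A cookie scoped to the parent domain is also sent to any subdomain operated by a third party, such as a CDN alias, so narrowing the scope limits where session cookies travel as well as reducing request size.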

The following steps outline how to use cookie-free domains in WordPress:

  1. Create a subdomain such as static.yourwebsite.com which is where you will deliver all your static files from.
  2. Point your new subdomain to the /wp-content directory of your WordPress installation. For cPanel users, you will need to update the document root field from public_html/static to public_html/wp-content.
  3. Edit your wp-config.php file to reflect the following:
    define("WP_CONTENT_URL", "http://static.yourwebsite.com"); 
    define("COOKIE_DOMAIN", "www.yourwebsite.com");
  4. Run the following command in your SQL database; this will ensure all post URLs are directed to the new subdomain:
    UPDATE wp_posts SET post_content = REPLACE(post_content,'www.yourwebsite.com/wp-content/','static.yourwebsite.com/');

Now that your cookie domain and static content subdomain are set, you can begin delivering static content without the server setting an unnecessary cookie for static assets.

Cookie-Free Domains and CDNs

You can also use a CDN to deliver your static assets and use cookie-free domains while at the same time benefiting from the features a CDN has to offer. With KeyCDN, once you have set up a Pull Zone and retrieved the Zone URL or Zonealias, you can simply integrate this into your chosen CMS or framework.

KeyCDN provides the ability to ignore cookies as well as strip cookies which will completely prevent the client from receiving the Set-Cookie response header.

With this setup, your static content is delivered via the closest CDN edge server and cookies are automatically stripped, ensuring there is no additional cookie latency. This is an easy alternative to moving and configuring your site to deliver static assets from a separate subdomain. With a CDN that strips cookies, you can easily deliver content without cookies while taking advantage of all the other benefits that a CDN has to offer.

YSlow Cookie Free Domain Caveats

If you have the strip cookies and cache cookies options enabled but still receive a warning when running your site through YSlow, this is a YSlow false positive. As previously mentioned, if you set your cookies on the top-level domain (e.g. yourwebsite.com), all of your subdomains will also include the cookies that are set. This includes your custom CDN URL if you use one (e.g. cdn.yourwebsite.com).

However, as long as you have the strip cookies option enabled, the warning is incorrect even if you receive it. YSlow does not take into account that the CDN actually strips the cookie, and therefore may continue to report the error. If you run a cURL command on the asset or check it in the Network tab of Chrome DevTools, you won't see any Set-Cookie headers, so this YSlow warning can be safely ignored.

Additionally, if you are using Cloudflare, you simply won't be able to achieve 100 on YSlow. Cloudflare appends a __cfduid cookie to every request, which cannot be removed for security reasons.

19 Comments

  1. Andrew Traub

    I followed what you recommended for wordpress, and while the site worked (I had to also include some .htaccess in the wp-content folder to allow cross-site access to the fonts), ySlow still reports all the items as not being cookie-free.

    1. Eugene Kalashnikov

      Could you please try to clear all caches – Browser cache, every WordPress related cache, purge KeyCDN Zone cache, etc.

  2. Win Ner

    Thank you for this amazing article.
    Can you please explain to me how to point my new subdomain to the /wp-content directory of my WordPress installation?
    Thanks

  3. Enrico Maggiolo

    Thanks for this guide!

    I'm a WP beginner and I don't know if I understand properly what you mean by "Point your new subdomain to the /wp-content directory of your WordPress installation".

    Can you give me more details please?

    Thanks again

      1. Cody

        We’ve updated the article to show an example for cPanel users. You can also achieve this by defining it within your Apache or Nginx configuration file.

  4. dadan

    Hi and thanks for your article. I just still don't understand how this can work for content that already exists and that is hosted in http://www.domain.com/wp-content/... Do I also have to manually move all static files to folders inside the subdomain? I followed every step and after flushing every possible cache YSlow doesn't show any change, 0%… it seems content is still taken from the same folders in root… 🙂

  5. Fernando Carranza

    I made those tips but the website has an SSL certificate and has this conflict between cross domains, and the site is not loading the CSS or JS. Any suggestion?

      1. baharm

        Thanks Cody
        My web server download is Apache and Set-Cookie header
        I put the following code in .htaccess but it doesn't work:

        RequestHeader unset Cookie
        Header unset Cookie
        Header unset Set-Cookie

        What is your solution?

        1. Cody Arsenault

          If you’re having issues setting it up on your origin you may want to consider using a CDN. This way you can easily ignore cookies using the Cache Cookies and Strip Cookies options.

  6. andrei

    Hello,

    I have a question. I pointed my upload and content folder to subdomain folder. But when I access the subdomain index like subdomain.domain.com it shows internal error. is this ok? should I do anything else to keep Google out of it or something? are these errors ok?

    1. Cody Arsenault

      As long as you can still access your assets via the subdomain you should be fine. Otherwise, I’d recommend setting up the CDN option as it’s much simpler.

      1. Tobias Alriksson

        Great, since I struggle with the issue that I can do the setup myself since I don't use http://www.domain.com as the cookie domain. I will look into this and see if you're good enough for other requirements.

        Thanks
