What are HTTP cookies?
HTTP cookies are small pieces of data that are sent from a website and stored in your browser. While a user is viewing a website that uses cookies, the cookies collect data pertaining to your website activity such as preferences, shopping cart items, which pages you visited, etc. Cookies are very valuable to many websites as they facilitate a better user experience and are key in performing certain functions such as determining whether or not a customer is logged in, and with which account.
Each subsequent time the user browses the same site, their browser sends the cookie to the website’s server thus providing it with the information that was set in the last request. There are three main uses for cookies including:
- Session management
- Personalization
- Tracking
There are also various types of cookies available and can each be used in different scenarios.
Why use cookie-free domains?
Although cookies are very useful in some cases, in other cases – such as the delivery of static content, they can hinder performance. When a browser makes a request for a static asset such as an image or CSS file, there is no need for it to also send a cookie to the server. This only creates additional network traffic and since the files are static (they do not change) the server has no use for the added cookie.
When you use cookie-free domains you are able to separate the content that doesn’t require cookies from the content that does. This helps improve your site’s performance by eliminating unneeded network traffic.
How to use Cookie-Free Domains in Cloudflare?
Sad news, you can’t enable cookie-free domains in Cloudflare (unless you’re in Enterprise plan). Here is what Cloudflare says:
Enterprise customers may request to disable the _cfduid cookie by contacting Cloudflare Support, but Cloudflare’s ability to detect and mitigate the impact of malicious visitors to a Customer’s website will be significantly impacted. While some speed recommendations suggest eliminating cookies for static resources, the performance implications are minimal
Cloudflare
How to use cookie-free domains in WordPress
If you set your cookies on a top-level domain (e.g. yourwebsite.com) all of your subdomains (e.g. static.yourwebsite.com) will also include the cookies that are set. Therefore, in this case, it is required that you use a separate domain name to deliver your static content if you want to use cookie-free domains. However, if you set your cookies on a www subdomain such as www.yourwebsite.com, you can create another subdomain (e.g. static.yourwebsite.com) to host all of your static files which will no longer result in any cookies being sent.
The following steps outline how to use cookie-free domains in WordPress:
- Create a subdomain, such as
static.yourwebsite.com, which is where you will deliver all your static files from. - Point your new subdomain to the
/wp-contentdirectory of your WordPress installation. For cPanel users, you will need to update the document root field frompublic_html/statictopublic_html/wp-contentlike the screenshot below.
- Edit your
wp-config.phpfile to reflect the following:define("WP_CONTENT_URL", "http://static.yourwebsite.com"); define("COOKIE_DOMAIN", "www.yourwebsite.com"); - Run the following command in your SQL database, this will ensure all post URLs are directed to the new subdomain:
UPDATE wp_posts SET post_content = REPLACE (post_content,'www.yourwebsite.com/wp-content/','static.yourwebsite.com/')
You can invert the database setting by reversing of the above code:
UPDATE wp_posts SET post_content = REPLACE (post_content,'static.yourwebsite.com/','www.yourwebsite.com/wp-content/')
Now that your cookie domain and static content subdomain are set, you can begin delivering static content without the server setting an unnecessary cookie for static assets.
Due to nonstandard themes and plugin coding, you may see some errors on loading of wordpress fonts and icons. Therefore, add the following code intor .htaccess file of your wordpress.
<IfModule mod_headers.c>
<FilesMatch “.(svg|ttf|otf|eot|woff|woff2)$”> Header set Access-Control-Allow-Origin “*” </FilesMatch>
</IfModule>
Cookie-free domains and CDNs
You can also use a CDN to deliver your static assets and use cookie-free domains while at the same time benefiting from the features a CDN has to offer. With KeyCDN, once you have setup a Pull Zone and retrieved the Zone URL or Zone Alias, you can simply integrate this into your chosen CMS or Framework.
KeyCDN provides the ability to ignore cookies through the Cache Cookies setting. The Strip Cookies settings prevents the client from receiving the Set-Cookie response header.
If both settings are enabled, your static content is being delivered via the closest CDN edge server and cookies are automatically stripped ensuring there is no additional cookie latency. This is an easy alternative from moving and configuring your site to deliver static assets from a separate subdomain. With a CDN that strips cookies, you can easily deliver content without cookies while taking advantage of all the other benefits that a CDN has to offer.
YSlow cookie-free domain caveats
If you have the strip cookies and cache cookies options enabled as shown above however when running your site through YSlow are still receiving a warning, this is due to a YSlow false-positive. As previously mentioned, if you set your cookies on the top-level domain (e.g. yourwebsite.com) all of your subdomains will also include the cookies that are set. This also includes your custom CDN URL if using one (e.g. cdn.yourwebsite.com).
Additionally, if you are using Cloudflare then you simply won’t be able to achieve 100 on YSlow. Cloudflare appends a __cfduid cookie to every request which cannot be removed due to security reasons.
https://www.keycdn.com/support/how-to-use-cookie-free-domains
In BunnyCDN, it as simple as toggling a button:
Pricing of BunnyCDN is also very cheap. If your site has decent traffic, the cost will be <$10 per year.
https://wpspeedmatters.com/cookie-free-domain-in-cloudflare/
