We run over a hundred web applications (growing daily) on a LAMP stack using Apache2 on Ubuntu 10.04.
We would like all requests to static content to be cookieless.
We host applications on many different domains, a majority of which are SaaS applications. Many of the domains host instances of the applications on subdomains, i.e. myapp.example.com, myapp2.example.com, myapp.otherexample.com etc.
At the moment all static content is served relative to the (sub)domain requesting it.
As far as I understand the process, I would need to set up a new domain, e.g. staticexample.com.
In this case is special configuration in the virtual host for this domain required to ensure no cookies are served?
Also, would it be possible to instead use static.example.com?
In this case what configurations would I need in my virtual host for this subdomain to ensure no cookies are served?
When you set up a different domain (not subdomain) to serve static content it will be without cookies. The cookies are set by the application and not the webserver.
Example: Yahoo uses yimg.com to serve static content. When a page on yahoo.com refers to an object on yimg.com, the cookie of yahoo.com is not sent with the request sent to the yimg.com domain because cookies of one domain can't be accessed by another.
I would suggest that you use static-example.com for serving static content instead of static.example.com. For this you wouldn't need to do anything special in the webserver for cookies. Configure the static-domain as you would a normal domain and start using it.
First, the easy part: DNS. All you need to do is create extra records that point to the server; whether you create them as CNAME records of an existing hostname or A records pointing directly to the IP address is up to you.
Second, the medium part: Apache. You don't explain what you're hosting or if you have virtual hosts already. The easiest solution is to turn virtual hosting off entirely (no VirtualHost or NameVirtualHost commands in your configuration at all, only a global-level DocumentRoot) which will make Apache serve the exact same site no matter how the client connected. Otherwise, if you want to use different DocumentRoots for different hostnames, you'll need to set NameVirtualHost to something like *:80, then create <VirtualHost *:80> (must match NameVirtualHost's setting) records like
Finally, the hard part: Making it "cookieless". Domain-level cookies are sent to every site in that domain, so you must either buy a completely separate domain (say, staticexample.com) or else force everyone to use "www.example.com" and issue cookies valid only on "www.example.com" in your application. The forcing part can be done with
Fixing the cookies in your application is up to you. For example, see the $domain field of PHP's setcookie() function.
If you go with the separate domain, then instead of the above redirect, you could add a ServerAlias example.com line to the www.example.com VirtualHost.
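
An added example, not part of either answer above: a small Python check of which hosts a browser would send a given cookie to, following the domain-matching rules of RFC 6265. The hostnames are the ones used in this thread; the cookie values are constructed, and public-suffix checks that real browsers also apply are left out.

```python
import ipaddress

def _canon(host):
    """Simplified canonicalization: lowercase, no surrounding space or trailing dot."""
    return host.strip().lower().rstrip(".")

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain_match(host, cookie_domain):
    """RFC 6265 5.1.3: identical, or host ends with '.' + cookie_domain and is not an IP."""
    host, cookie_domain = _canon(host), _canon(cookie_domain)
    if host == cookie_domain:
        return True
    return host.endswith("." + cookie_domain) and not _is_ip(host)

def parse_set_cookie(header, origin_host):
    """Return (domain, host_only) for a Set-Cookie value received from origin_host,
    or None when the browser would reject the cookie."""
    domain_attr = ""
    for attr in header.split(";")[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain" and _canon(value):
            domain_attr = _canon(value).lstrip(".")  # a leading dot is ignored
    if not domain_attr:
        return _canon(origin_host), True  # no Domain attribute: host-only cookie
    if not domain_match(origin_host, domain_attr):
        return None  # a host cannot set a cookie for a domain it is not part of
    return domain_attr, False

def hosts_receiving(header, origin_host, request_hosts):
    """Which of request_hosts would get this cookie in their Cookie request header."""
    cookie = parse_set_cookie(header, origin_host)
    if cookie is None:
        return []
    domain, host_only = cookie
    if host_only:
        return [h for h in request_hosts if _canon(h) == domain]
    return [h for h in request_hosts if domain_match(h, domain)]

# Constructed sample: hostnames follow the thread, cookie name and value are made up.
CANDIDATES = ["www.example.com", "static.example.com",
              "myapp.example.com", "staticexample.com"]

if __name__ == "__main__":
    for hdr in ("PHPSESSID=abc123; Domain=example.com; Path=/",
                "PHPSESSID=abc123; Path=/"):
        print(hdr, "->", hosts_receiving(hdr, "www.example.com", CANDIDATES))
```

A cookie issued with Domain=example.com reaches static.example.com and every application subdomain, while the same cookie without a Domain attribute stays on the host that set it; staticexample.com receives neither.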