I've set up a sub-domain on my server that serves css and images (to avoid cookies). The 1st time the page loads, everything is fine. The 2nd time however, I see that the css and images contain cookies. Is there something I'm missing?
EDIT: Solution found, the following text clarifies the issue.
Restricting google analytics to my main domain prevented subsequent cookie requests to my static subdomain (images, css, etc.). 2nd topic on this web page.
It's hard to answer your question without knowing what http server you're using, etc. The best way to figure out how the cookies are being created is to figure out what cookies are being returned.
For instance, PHP (by default) stores the session ID in the cookie PHPSESSID. If you're making a new HTTP request (without sending a PHPSESSID in your initial request) and it's returning a PHPSESSID, then that would mean PHP is obviously the culprit. Since I doubt you're retrieving the images and CSS files through a PHP script that initializes a new session, it would show that PHP is configured to initialize sessions automatically via the session.auto_start PHP configuration variable.
I found that setting up a separate static domain took away all the hassle of ensuring cookies didn't creep into the main domain. Exactly like how stackoverflow uses http://sstatic.net/, I created http://cnstatic.com/ for my own site/blog.
