1
votes

I have a website where the cookie is sent with every request, including images, JavaScript and CSS; this is unnecessary. I solved this issue by creating a virtual host to load the static resources, so the cookie is set only on the main domain.

Well... Now I've set up non-wildcard SSL on the server, only for the main domain. The resources on the subdomain were not displayed; it causes a security issue. I was forced to load the images from the main domain again.

Is it possible to produce the same cookie-free domain effect using only one domain? Like a Directory config?

1
Is it that big of a deal that the browser sends cookies on these requests? What problem are you trying to solve? - Mike Brant

1 Answer

0
votes

I don't know if this is possible nor how to do this with Apache directives. But AFAICT you would need to set the path attribute in the Set-Cookie HTTP header. For example, something like:

Set-Cookie: FOO=BAR; path=/cookie-path/

Which would sort of do the opposite of what you want: it would only send cookies for this one directory (you'd have to put all cookie-full content under this directory).

Note that the spec mentions that this path-based isolation is not secure, so you shouldn't use this if you want the other domain cookie-less for security reasons.
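Added example, not part of the original answer: a small model of the path-match rule from RFC 6265 section 5.1.4, showing which requests would carry the `FOO=BAR; path=/cookie-path/` cookie from the answer and which static requests would go out without it. The function names and the sample request paths (such as `/static/site.css`) are assumptions made for illustration.

```python
# Illustrative model of RFC 6265 section 5.1.4 path matching (added example).

def path_match(request_path, cookie_path):
    """Return True if a cookie scoped to cookie_path is sent for request_path."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # A prefix only counts when it ends on a "/" boundary.
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False

def parse_set_cookie(header_value, default_path="/"):
    """Minimal Set-Cookie parser: returns (name, value, path).
    default_path stands in for the RFC's default-path computation (assumption)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    path = default_path
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # A Path value that does not start with "/" is ignored.
        if key.strip().lower() == "path" and val.strip().startswith("/"):
            path = val.strip()
    return name.strip(), value.strip(), path

def cookie_header_for(request_uri, jar):
    """Build the Cookie header a client would send for request_uri ('' if none)."""
    request_path = request_uri.split("?", 1)[0]  # query string is not part of the path
    sent = [f"{n}={v}" for (n, v, p) in jar if path_match(request_path, p)]
    return "; ".join(sent)

# Constructed sample: the header from the answer plus hypothetical request URIs.
JAR = [parse_set_cookie("FOO=BAR; path=/cookie-path/")]
SAMPLE_REQUESTS = [
    "/cookie-path/account?tab=1",  # under the cookie directory: cookie sent
    "/cookie-path",                # no trailing slash: not matched by "/cookie-path/"
    "/cookie-pathology/x",         # shares a string prefix only: not matched
    "/static/site.css",            # static resource: cookie-free
    "/images/logo.png",            # static resource: cookie-free
]

if __name__ == "__main__":
    for uri in SAMPLE_REQUESTS:
        header = cookie_header_for(uri, JAR)
        print(f"{uri:30} Cookie: {header or '(none)'}")
```

This only models what is attached to requests; as the answer notes, the Path attribute is a bandwidth measure and does not protect the cookie from other paths on the same host.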