www vs no-www and cookies

May 13th, 2008. Tagged: performance, php

One of Yahoo's performance rules says: Use cookie-free domains for static components. This is good because the server has no use for cookie information when serving a JPEG or another static component, so all this cookie information creates network traffic for no reason.

One of the implications of following the rule is related to the whole www vs no-www question. Basically you should always use www if you're planning to use any other sub-domains and you want them cookie-free. This is because you have no way to set a cookie only to the top-level domain. So for example you cannot write a cookie only to phpied.com. If you load component from img.phpied.com, the cookie from phpied.com will be sent again. In Firefox this doesn't seem to be the case, but in IE it is.

Here are two test scripts that demonstrate the behavior:

Load both of these pages and then reload them to see what cookies are sent. They both try to set cookies in all possible ways:

  1. omitting the domain name
  2. .domain.com
  3. domain.com
  4. www.domain.com

Here's the source code of the files:

nowww.php [test]

<?php
setcookie('no0', 'no www, no domain');
setcookie('no1', 'no www, .phpied.com', 0, '/', '.phpied.com');
setcookie('no2', 'no www, phpied.com', 0, '/', 'phpied.com');
setcookie('no3', 'no www, www.phpied.com', 0, '/', 'www.phpied.com');
 
echo '<pre>';
print_r($_COOKIE);
?>

yeswww.php [test]

<?php
setcookie('yes0', 'yes www, no domain');
setcookie('yes1', 'yes www, .phpied.com',    0, '/', '.phpied.com');
setcookie('yes2', 'yes www, phpied.com',     0, '/', 'phpied.com');
setcookie('yes3', 'yes www, www.phpied.com', 0, '/', 'www.phpied.com');
 
echo '<pre>';
print_r($_COOKIE);
?>

Loading the two pages twice shows how in IE, no0, no1, and no2 are all visible when using www as well as when not using it. In Firefox it's almost the same, only that no0 is not visible when using www.

As a take-home:

  • use www
  • write cookies to the appropriate domain level (e.g. don't write to *.domain.com)

Tell your friends about this post: Facebook, Twitter, Google+

14 Responses

  1. www is misused. And here you again offer to force adding it.
    In either way, in cookies you should save only an identifier of a user. Standart PHP session, for example, is 32 symbols length. That is 32 bytes. Remove 4 bytes which are added with “www.” – this leaves 28 bytes. 28 god damn bytes. And you are seriously offering this as a performance win. Who are kidding? If you are this concerned about size, minify all your URLs. Why have “www-vs-no-www-and-cookies”? “www-cookies” is enough.
    Also, if you are really this concerned to think about 28 bytes, work with pictures more. PNG can be compressed a lot with fine tuning.
    Finally, note, that services under heavy load use a different domain for their statics. (see yimg.com for Yahoo and ytimg.com for Youtube for example) Cookies are not sent to a different domain anyway.
    By using www, though, you are just making the misunderstanding of simple users “Internet is WWW, that is World Wide Web” stronger. And this is really bad, because I, for instance, hate it, when you say to a person “Go to phpied.com” and he replies “where?” After some time it is revealed, that he heard the address correctly, but he did not understand it was an internet address. He thought all internet address begin with www.
    Check out http://no-www.org/

    No offence meant, everything is just my opinion, please be friendly. ^_^

  2. [...] Stoyan Stefanov has come up against one of the frustrations of web development involving cookies – problems caused by the switch from a “www.” in the host to none. He’s come up with a test to show you how cookies are set and where you can access them from. One of the implications of following the rule is related to the whole www vs no-www question. Basically you should always use www if you’re planning to use any other sub-domains and you want them cookie-free. This is because you have no way to set a cookie only to the top-level domain. [...]

  3. [...] Very good article of using cookies with domains including www and without it. Why it is important  to use or not to use cookies, and some grate tips you would find in this post. One of Yahoo’s performance rules says: Use cookie-free domains for static components. This is good because the server has no use for cookie information when serving a JPEG or another static component, so all this cookie information creates network traffic for no reason. [...]

  4. Denis, the byte length of the domain name is not the problem. When you set a cookie to a top level domain like whatever.org, that cookie is sent by most browsers to any other server, like images.whatever.org. The images server doesn’t need the cookies, so the performance issue is the overhead of sending a cookie with every image for no reason. While some companies use a separate domain for non-HTML media, not all do. Additionally, you might want to try decaf. It’s easier on the nerves.

  5. Denis, when you use the HTTP protocol, you are on the World Wide Web which is a part of the Internet. Are you trying to say that a website is not part of the World Wide Web? The World Wide Web is a combination of http, html, and browsers – invented by Tim Berners-Lee. I’m not sure what you are getting at as including www would just enforce the fact that the website is part of the World Wide Web (which is true). And yes, I’m familiar with no-www.org, and I support it only because it is faster to omit the www, not because it doesn’t make sense to use www.

    http://www.webopedia.com/DidYouKnow/Internet/2002/Web_vs_Internet.asp

  6. Interesting research! However, I can’t help but feel like you’ve drawn the wrong conclusion. Saying using www in your URLs is part of the solution is simply incorrect.

    Obviously, it’s a bad idea to allow a web page to be visited by two distinct URLs, i.e. http://www.phpied.com/ vs. http://phpied.com/. This article names one of the reasons (no-www cookies may not be read when a user switches from to www and vice versa), but obviously there are other reasons, such as SEO (search engines will see both URLs as separate documents) and uniformity. In a way, you could even say making a choice between www and no-www and sticking to it, prevents users from getting confused.

    TL;DR: Just make a choice between www and no-www and stick to it. Problem solved.

  7. Just to be clear: you should of course redirect to the variant of your choice, i.e. if you want to use no-www, you should redirect from yes-www URLs and vice versa.

  8. Alternatively you could use a separate domain-name for static files.

  9. If you use Google Analytics, then the cookies that provides is via *.example.com – so, as per their tutorial page, you’ll *have to* use a separate domain name for static files if you want to keep it cookie-free (at least pre-asynchronous tracking anyway).

    http://code.google.com/speed/page-speed/docs/request.html#ServeFromCookielessDomain

  10. I am struggling with the problem here. I have a CDN on the same domain as my blog, but that will not help, thanks to badly written 3rd party scripts, such as Google Analytics, Disqus and what not. When will they start to comply with simple standards?

    Take Analytics for example, if I wanted to have statistics on subdomains, then there shouls be an option for that, same as an option to set cookies for top level domains..

  11. IE’s cookie behavior is noted in Q3 here: http://blogs.msdn.com/b/ieinternals/archive/2009/08/20/wininet-ie-cookie-internals-faq.aspx.

    It’s a mistake, but there’s little chance this will ever be changed unless it’s maintained in a “Compatibility” mode.

  12. Quality as well as luxury. Colours are a similar fashion demonstrated.

  13. Link to “whole www vs no-www question” is dead.

  14. I got this web page from my pal who shared with me
    about this web site and at the moment this time
    I am visiting this web page and reading very informative articles at this time.

Leave a Reply