Whilst debugging a site last week, I noticed the following header was being sent to the server with each request (actual name/value removed):
When requesting the main PHP page this is a necessary header, because PHP uses it to populate the
$_COOKIE array, which is in turn used to check whether a user is logged in to the site. However, with any other files, such as stylesheets and images, this header is ignored, unless you want to ensure that images are only available to authenticated users (you could do this by redirecting any image file requests to a script which only serves the image if the user is logged in).
It might not seem like a big deal, but if we assume that the length of the header is 50 characters, each character is one byte, and we have ten static elements on a page, that’s 500 bytes of unnecessary traffic. In fact, s6.1 of RFC 6265 suggests that browsers should support cookies at least 4096 bytes in length, so in theory you could be unnecessarily transferring four kilobytes with each request for a static file, especially if you use several cookies. This quickly adds up if your users are on slow or unreliable connections, such as dial-up or wireless links.
A simple way to get around this problem is by placing all static files on a different subdomain (e.g. static.example.org), or a completely separate domain (e.g. www.example.net). Both options involve a penalty of an additional DNS lookup when the first page is accessed, and have slightly different effects.
With a separate subdomain, the Cookie header will still be sent if the domain of the cookie is set to .example.org (note the leading ‘.’), as this defines the cookie as being valid across all subdomains of example.org. This might be the case if you have different subdomains for parts of your site, such as forum.example.org, admin.example.org etc.
With a completely different domain, the Cookie header will not be sent, but you do have to incur the cost of registering and managing another domain.
As well as the Cookie header overhead, some proxies may fail to cache images correctly because the Cookie header suggests there is some state associated with the files, even though HTTP is supposed to be a stateless protocol.