Creating cookieless application on development machine with asp.net

Question

I tried posting this on ServerFault with no luck so i am trying here.

I am thinking about setting up a new domain to host static content on my website and have it cookieless just like Stackoverflow with their static domain. So before going ahead and buying the domain and setting it up I wanted to test it on my developement machine first under localhost (I have to mention that i am planning on having IIS running on my new domain for the static files).

I therefore created a new application under IIS and disabled session state and forms authentication. When my main application needs resources like css, images and js , I use the path to the "static" application where they are hosted.

The problem is that when I look at the request and the response for the requested files, they still have the session_id cookie defined as well as the asp.net authentication cookie.

Is it at all possible to accomplish what i am trying to do on a development machine or do i have to just go ahead and purchase the new domain which hopefully with make things right? I tried to read about cookieless domain but can't figure out what i might be missing.

Update

My setup was as follows. I created two web applications. - One web application for the website - one web application for everything static (css, images, scripts...)

Both applications are added to IIS and none of them is a sub-application of the other. (They are both separate websites under IIS structure).

I have wondered if having both website under the same IP might have explained my results but when I deployed both sites, the issue disappeared.

Can you describe your setup a bit more? You say you create a new application but you should really create a new website bound to a different IP address and/or port number and/or host name. You can not create a new application under the same website. You need to create two seperate websites. — Marco Miltenburg, Oct 28 '11 at 14:22
@MarcoMiltenburg Well, it is not me who asked the question in the first place, I only put the pounty on it. the OP must be asking for a new website on the same machine/IP. Since it is only for development purposes. — Ken D, Oct 29 '11 at 15:04
Sorry for my late response, guys! I was indeed interested in only making this setup work on a development machine and heavily relied on checking request info using firebug to make sure cookies were indeed not used. I indeed felt like the answers below didn't have enough detail but maybe I should have added more information to my question. It turns out that after deploying my static website on a different host, it just "worked". I am going to update my question to include details about my setup. — ak3nat0n, Nov 02 '11 at 20:45
Have you tried adding a hosts file entry pointing back at your local box so that the browser thinks it's a different domain, and therefore does not sent cookies? — Stefan H, Nov 03 '11 at 06:10

score 7 · Answer 1 · edited May 23 '17 at 11:45

Ensure you have the following web.config settings:

<sessionState mode="Off" />
<authentication mode="None" />

I think that is all, though I haven't tested it. To be safe, you could use the advice from Creating Static Content Website in IIS 7 which disables all modules and only re-enables them as necessary:

<system.webserver> 
    <modules>
        <clear />
        <add name="StaticFileModule" ... />
        ...
    </modules>
    ...
</system.webserver>

PS: See this answer for tips on setting cache values.

score 1 · Answer 2 · edited May 23 '17 at 12:34

The basic idea:

Make a new website in IIS (map it to a subdomain or make it a totally seperate site. Sometimes suddomains aren't enough if users access your site from http://example.com instead of http://www.example.com since in the first case cookies will probably be sent to the new subdomain too).
DISABLE ASP.NET all together in IIS for your new site. If you are just serving static content then you don't need ASP.Net enabled
Load up your static content and link away

Reference:
- Stopping cookies being set from a domain (aka "cookieless domain") to increase site performance
- How to respect "Serve static content from a cookieless domain" page speed rule in IIS6?
- Avoiding cookies while requesting static content

score 0 · Answer 3 · answered Feb 23 '10 at 00:50

The problem is that when I look at the request and the response for the requested files, they still have the session_id cookie defined

This is because HttpRequest.Cookies is property for Request Object.

This might helps to understand

score 0 · Answer 4 · answered Nov 02 '11 at 20:24

0

Have you tried Response.Cookies.Clear() at the end of the Page's Load method? This should eliminate all cookies from the Response object and no cookies will be sent to the client. This could be done in a web module or an HttpHandler as well.

answered Nov 02 '11 at 20:24

Diego L Espiñeira

156
4

Concept he is looking for is not to remove the cookies but not to use them at all – Kunal Nov 03 '11 at 02:19
So he doesn't want ASP.NET to create a session? Is it what he is looking for? – Diego L Espiñeira Nov 03 '11 at 12:55

Creating cookieless application on development machine with asp.net

4 Answers4