ASP.NET generates some large cookies if you are using the ASP.NET membership provider, especially if you are also using the Anonymous provider. On a typical site the browser then sends the following cookies with every request while a user is logged in, whether the request is for a dynamic page or for any static resource:
.DBANON=w3kYczsH8Wvzs6MgryS4JYEF0N-8ZR6aLRSTU9KwVaGaydD6WwUHD7X9tN8vBgjgzKf3r3SJHusTYFjU85y
YfnunyCeuExcZs895JK9Fk1HS68ksGwm3QpxnRZvpDBAfJKEUKee2OTlND0gi43qwwtIPLeY1;
ASP.NET_SessionId=bmnbp155wilotk45gjhitoqg; DBAUTH12=2A848A8C200CB0E8E05C6EBA8059A0DBA228FC5F6EDD29401C249D2
37812344C15B3C5C57D6B776037FAA8F14017880E57BDC14A7963C58B0A0B30229
AF0123A6DF56601D814E75525E7DCA9AD4A0EF200832B39A1F35A5111092F0805B
0A8CD3D2FD5E3AB6176893D86AFBEB68F7EA42BE61E89537DEAA3279F3B576D0C
44BA00B9FA1D9DD3EE985F37B0A5A134ADC0EA9C548D
That is 517 bytes of worthless data sent from the browser to your web server with every CSS, JS and image request!
You might think 517 bytes is peanuts. Do the math:
- Avg page has 40 requests to server. 40 x 517 bytes = 20 KB per page view.
- 1M page views = 20 GB
- That’s 20GB of data getting uploaded to your server for just 1M page views. It does not take millions of users to produce 1M page views. Around 100k+ users using your site every day can produce 1M page views every day.
Here’s how to prevent this:
- Set up a new website and map a different subdomain to it. If your main site is www.yoursite.com then map static.yoursite.com to it.
- Manually change all the <link>, <script>, <img> and css url(…) references and prefix each resource with http://static.yoursite.com
- If you don’t want to do it manually, use this solution I have done before.
- Add a Global.asax and in the EndRequest do this trick:

```csharp
// Global.asax code; needs System, System.Web and System.Collections.Generic
protected void Application_EndRequest(object sender, EventArgs e)
{
    HttpContext context = HttpContext.Current;
    if (context.Request.Url.ToString().StartsWith("http://static.yoursite.com"))
    {
        // Collect the names first so the request collection is not
        // modified while it is being enumerated
        List<string> cookiesToClear = new List<string>();
        foreach (string cookieName in context.Request.Cookies)
        {
            HttpCookie cookie = context.Request.Cookies[cookieName];
            cookiesToClear.Add(cookie.Name);
        }

        // Send each cookie back empty and already expired so the browser drops it
        foreach (string name in cookiesToClear)
        {
            HttpCookie cookie = new HttpCookie(name, string.Empty);
            cookie.Expires = DateTime.Today.AddYears(-1);
            context.Response.Cookies.Set(cookie);
        }
    }
}
```
This code reads all the cookies it receives from the request and expires them so that the browser does not send those cookies again. If by any chance ASP.NET cookies get injected into the static.yoursite.com domain, this code will take care of removing them.
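Whether the static host really stays cookie-free depends on how the www cookies are scoped: a cookie issued with a Domain attribute covering yoursite.com is still sent to static.yoursite.com, while a host-only cookie is not. The Python check below is an added example, not code from the original post; it applies the RFC 6265 domain-matching rule to Set-Cookie headers and reports what would be uploaded per page view. The cookie values and their attributes are constructed for illustration, and Path, Secure and public-suffix handling are left out.

```python
# Added example. Cookie values and attributes are constructed; Path, Secure and
# public-suffix checks are omitted to keep the focus on the Domain attribute.
SAMPLE_SET_COOKIE = [  # constructed responses from www.yoursite.com
    ".DBANON=anon-token-constructed; domain=.yoursite.com; path=/; HttpOnly",
    "ASP.NET_SessionId=sessionidconstructed0000; path=/; HttpOnly",
    "DBAUTH12=AUTHTICKETCONSTRUCTED; domain=yoursite.com; path=/; HttpOnly",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def domain_match(host, domain):
    """RFC 6265 5.1.3: host equals the domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def cookies_sent_to(set_cookie_headers, origin_host, target_host):
    """Cookies set by origin_host that a browser also attaches to target_host."""
    sent = {}
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        domain = attrs.get("domain", "")
        if domain:
            # Domain attribute: accepted only if it covers the setting host,
            # then shared with every host under that domain.
            attach = domain_match(origin_host, domain) and domain_match(target_host, domain)
        else:
            # No Domain attribute: host-only cookie, never sent to a sibling host.
            attach = target_host.lower() == origin_host.lower()
        if attach:
            sent[name] = value
    return sent

def cookie_header_bytes(cookies):
    """Size of the Cookie request header line, including the trailing CRLF."""
    if not cookies:
        return 0
    return len("Cookie: " + "; ".join(f"{n}={v}" for n, v in cookies.items()) + "\r\n")

def upload_per_page(cookies, requests_per_page=40):
    """Bytes of cookie data uploaded per page view (40 requests, as in the post)."""
    return cookie_header_bytes(cookies) * requests_per_page
```

Any cookie this reports for static.yoursite.com was issued with a Domain attribute; issuing it host-only on www keeps it off the static host.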
Mmmm… the last thing (cookie cleanup) will work only if ASP.NET is set up to handle all and every request. By default IIS does not forward to ASP.NET non-executable resources (images, css, js, etc.). At least not in IIS 6.
I needed something similar (full asset interception) for a website and had to explicitly set up IIS to forward the requests to ASP.NET.
40 requests per page? Unlikely. The browser caches .js and .css files.
@Steven:
Caching won’t help if you are getting unique visits or your site is served over https. It helps http repeated visits only.
@Marcelo: good catch. Yes this is for IIS 7 only. I am assuming IIS 6 is history by now 🙂
@Omar – why don’t you just use cookieless sessions in your static website’s web.config instead of doing that code in global.asax?
And when you’re testing your site, make sure you always open up a new Incognito browser window, so this makes sure there are no -previous- cookies that will be sent to the server upon the first request.
@Justin: Cookieless session won’t help much since the URL still contains an encoded key to identify the session. You might save a couple of bytes. But essentially the cookie is moved to the url. Also cookieless session helps ASP.NET Session only, does not help ASP.NET Membership provider cookies.
Also the problem isn’t about first visit. As soon as you hit default.aspx and the cookies get generated, the cookies are sent for all subsequent requests.
Hi Omar,
I just want to know: if, for example, I am using the membership provider, which uses cookies, and this code deletes the cookies, will the membership provider be disturbed?
thanks in advance.
This code will delete cookies on the static domain, not the www domain.
Thanks for sharing.
Very helpful.
Mark
Hi Omar,
I am a regular reader of your posts, whether on your blog or at CodeProject, and I find them very useful and detailed. These helped me a lot. Thanks for sharing all these, and a really useful post.
Thanks,
Brij
Why are two foreach loops necessary? I see it can be done in 1 loop.
I am not sure what you mean by “URL still contains an encoded key to identify the session”, but I set session to “Not enabled” in the new site and applied the settings specified here:
http://www.robertsindall.co.uk/blog/creating-static-content-website-in-iis-7/
And those are removing unnecessary process for static content as we always want.
And I did not like the EndRequest operation, BTW.
The math part was good for understanding how important the problem is.
Thanks.
How much does it affect performance?
Do you recommend setting up some kind of dynamic robots blocking for the static subdomain?
I’m thinking of the issue of not 301 redirecting your non-www to www. Google and then Google gets confused as to which is your real site.
How could it work on images that are requested from a CSS file?
This is one of the best articles so far I have read online. Just useful information. Very well presented. Thanks for sharing with us. Check out this link too…
http://mindstick.com/Articles/c4e253f5-67dc-4211-8a1f-e29c17ce2943/?Cookies%20in%20ASP.NET
It also helped me a lot!!
Thanks Everyone!!
Obviously, having a static.something.com route is preferable, but I am guessing that we could also look at the file being requested. If it ends with .js or .css, we could use the same process.