1. CS193H: High Performance Web Sites Lecture 23: Vol 2 – Make static content cookie- free, Reduce cookie weight, To WWW or not to WWW Steve Souders Google souders@cs.stanford.edu

2. announcements Final exam locations: Dec 9, 12:15-3:15 – Gates B03 Dec 12, 12:15-3:15 – Gates B01

3. Set-Cookie response header HTTP/1.1 200 OK Set-Cookie: MSNPPAuth=B*eDP3m4...WELr; expires=Wed, 30-Dec-2037 16:00:00 GMT; domain=.live.com;_path=/; domain, path, and expires in the cookie header max size ~4K (varies by browser) one header per cookie cookie is stored by the client (browser) only valid if domain matches current page

4. Cookie response header GET /results.aspx?q=flowers HTTP/1.1 Host: search.live.com Cookie:_MSNPPAuth=B*eDP3m4...WELr;_SRCHUID=V =1&GUID=83F46965E90240739918C1047F88FD26;_ SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20081129;... cookie sent back to server on subsequent requests that match the domain and path all cookies sent in one request header "; " delimited

5. Cookie size cookie size (bytes) comments aol.com 494"stay signed in" checked ebay.com 1038"keep me signed in" checked facebook.com 990"remember me" checked google.com/search 417logged in to iGoogle and YouTube search.live.com/results 1938 "remember me" and "remember my password" checked msn.com 1063logged in thru search.live.com myspace.com 2027"remember me" checked en.wikipedia.org/wiki 134"remember me" checked yahoo.com 677"keep me signed in" checked youtube.com 597also logged in to iGoogle November 2008 total size of all cookies

6. Cookie impact http://yuiblog.com/blog/2007/03/01/performance-research-part-3/ cookies on static resources multiplies the delay largest packet MTU (Maximum Transmission Unit) for Ethernet: 1500 bytes cookie sizeresponse time delta 500 bytes1 ms 1000 bytes16 ms 1500 bytes31 ms 2000 bytes47 ms 2500 bytes63 ms 3000 bytes78 ms

7. Live Search cookies sent http://search.live.com/results.aspx?q=flowers http://search.live.com/.../brand_c.css http://search.live.com/.../serp_c.css http://search.live.com/.../scopebar2_c.css http://search.live.com/.../answerAll_c.css http://search.live.com/.../asset4.gif http://search.live.com/.../cbcoin.gif http://search.live.com/.../main.js seven static resources contain the Cookie request header (1938 bytes), even though cookies don't affect the response 7 x 1938 bytes = 13.5K (upstream!)

8. Static resource cookie size cookie size (bytes) static resources on same domain wasted bytes aol.com 4942988 ebay.com 103800 facebook.com 99021980 google.com/search 41752085 search.live.com/results 1938713,566 msn.com 10631 myspace.com 202724,054 en.wikipedia.org/wiki 13481072 yahoo.com 67700 youtube.com 5971 November 2008 worse on sites without CDN?

9. cookie-free static content takeaway: serve static content without cookies different domain (rule 2 – use a CDN) different path ("/app" versus "/images")

10. Cookie expiration long expirations are handled differently for HTTP resources versus cookies: avoid cached resources by removing the reference or changing the name cookies are always sent, regardless of HTML content server can't see domain, path, and expiration it's hard to avoid cookies with long expirations

11. Cookie expiration cookie size (bytes) avg expires (months) aol.com 49413 ebay.com 103827 facebook.com 9901 google.com/search 417122 search.live.com/results 1938201 msn.com 1063175 myspace.com 202792 en.wikipedia.org/wiki 1341 yahoo.com 677231 youtube.com 59762 November 2008 average expiration time across all persistent cookies

12. Reduce cookie weight use session-based cookies when possible use short expirations in other cases avoid using cookies instead of a user database set domain and path as tight as possible track and purge cookies – maintain a cookie whitelist and remove outsiders Set-Cookie:_MSNPPAuth=;_domain=.live.com; path=/;

13. Cookie questions max size for a single cookie max total size for all cookies for a single domain across all domains max # of cookies for a single domain across all domains how cookies are purged FIFO LIFO contact me if you'd like to do this study

14. "www" redirects how should "www" work for yourdomain.com? http://yourdomain.com/ redirects to http://www.yourdomain.com/ slower (redirect) both work cookies cookies issued on yourdomain.com go to subdomains cookies issued on www.yourdomain.com don't go to yourdomain.com avoid caching two copies of each resource http://yourdomain.com/logo.gif http://www.yourdomain.com/logo.gif

15. redirectcookie domain aol.com yes.aol.com ebay.com yes.ebay.com facebook.com yes.facebook.com google.com yes.google.com live.com yes.live.com msn.com yes.msn.com myspace.com yes.myspace.com wikipedia.org no.wikipedia.org yahoo.com yes.yahoo.com youtube.com yes.youtube.com Top 10 "www" redirects November 2008 cookie domain is not the reason for redirecting

16. Two copies of resources if Wikipedia doesn't redirect, how do they avoid downloading two copies of resources? different domain for resources: http://wikipedia.org/ http://upload.wikimedia.org/.../174px-Wikipedia-word.png http://upload.wikimedia.org/.../Bookshelf-40x20.png what about resources on document's server? relative URLs – shorter but two copies full URLs – longer but single copy BASE HREF – short and single copy (but how come no one uses this?) recommendation: don't redirect for "www"

17. Homework 12/1 11:59pm – Assignment #6 - Improving a Top Site rules 11-14 Vol 2: Split the Initial Payload Load Scripts Without Blocking Don't Scatter Inline Scripts Shard Dominant Domains Optimize Images

18. Questions What are cookies used for? How does the browser decide which cookies to send? When does it stop sending a cookie? What's a session-based cookie and how do you create one? Why is it wasteful to send cookies on requests for static resources, and how can it be avoided? Why are long expiration dates more problematic for cookies than HTTP resources? What are techniques for reducing cookie weight? What are the choices for handling "www"? List the pros and cons, and recommended solution.