How can I force Apache to not set cookies for subdomain?

I don't think Apache can be the enforcer here. Even the RequestHeader unset option above will only happen after the client has sent the request with the cookie.

The key thing the Google Page Speed tool is noticing here is that the client sends the cookie on the request. That means somewhere in your application you have set a domain.com cookie (so in effect, *.domain.com). You need to carefully only ever set www.domain.com (or whatever subdomain you're using) in your cookie code. Truthfully, most professional websites wind up with so many third-party widgets and JavaScripts and browser calls that it's easier to just abandon your "main" domain for this and set up a full second domain that will never ever have a cookie set on it. You can see Facebook does this with fbcdn.net. Huffingtonpost.com does this with huffpost.com.
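
The scoping described in the answer above, as an added example that is not part of the original answer: it applies the RFC 6265 Domain rules to a Set-Cookie header and lists which hosts a browser would send the cookie to. The host names, cookie values and function names are constructed for illustration; public-suffix and IP-address handling are left out.

```python
# Added example: which hosts receive a cookie, per RFC 6265 domain scoping.
# All host names and cookie values here are constructed sample data.

def parse_set_cookie(header, request_host):
    """Return (name, scope_domain, host_only) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        value = value.strip().lower()
        if key.strip().lower() == "domain" and value:
            # RFC 6265 5.2.3: one leading dot is dropped, so "domain.com"
            # and ".domain.com" scope the cookie identically.
            domain = value[1:] if value.startswith(".") else value
    if domain is None:
        # No Domain attribute: host-only cookie, bound to the exact host.
        return name, request_host.lower(), True
    return name, domain, False

def browser_sends(scope_domain, host_only, target_host):
    """RFC 6265 5.1.3 domain-match against the cookie's scope."""
    target = target_host.lower()
    if host_only:
        return target == scope_domain
    return target == scope_domain or target.endswith("." + scope_domain)

def hosts_receiving(header, request_host, candidate_hosts):
    """Hosts from candidate_hosts that would get this cookie on requests."""
    _, scope, host_only = parse_set_cookie(header, request_host)
    # RFC 6265 5.3: a Domain that does not match the setting host is ignored.
    if not host_only and not browser_sends(scope, False, request_host):
        return []
    return [h for h in candidate_hosts if browser_sends(scope, host_only, h)]

HOSTS = ["www.domain.com", "static.domain.com", "domain.com"]

if __name__ == "__main__":
    for hdr in ("sid=abc123; Path=/; Domain=domain.com",   # leaks to static
                "sid=abc123; Path=/"):                      # www only
        print(f"{hdr!r} -> {hosts_receiving(hdr, 'www.domain.com', HOSTS)}")
```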


Using mod_headers (http://httpd.apache.org/docs/2.2/mod/mod_headers.html) you can manipulate all headers that Apache sends to the client. Something like

Header unset Set-Cookie

inside the VirtualHost of your subdomain should do the trick.