CS193H: High Performance Web Sites Lecture 23: Vol 2 – Make static content cookie- free, Reduce...

Post on 26-Mar-2015


CS193H: High Performance Web Sites

Lecture 23: Vol 2 – Make static content cookie-free, Reduce cookie weight, To WWW or not to WWW

Steve Souders
Google

souders@cs.stanford.edu

announcements
Final exam locations:
• Dec 9, 12:15-3:15 – Gates B03
• Dec 12, 12:15-3:15 – Gates B01

Set-Cookie response header

HTTP/1.1 200 OK
Set-Cookie: MSNPPAuth=B*eDP3m4...WELr; expires=Wed, 30-Dec-2037 16:00:00 GMT; domain=.live.com; path=/;

domain, path, and expires in the cookie header
max size ~4K (varies by browser)
one header per cookie
cookie is stored by the client (browser)
only valid if domain matches current page

Cookie request header

GET /results.aspx?q=flowers HTTP/1.1
Host: search.live.com
Cookie: MSNPPAuth=B*eDP3m4...WELr; SRCHUID=V=1&GUID=83F46965E90240739918C1047F88FD26; SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20081129; ...

cookie sent back to server on subsequent requests that match the domain and path
all cookies sent in one request header
"; " delimited

Cookie size

site                      cookie size (bytes)  comments
aol.com                   494                  "stay signed in" checked
ebay.com                  1038                 "keep me signed in" checked
facebook.com              990                  "remember me" checked
google.com/search         417                  logged in to iGoogle and YouTube
search.live.com/results   1938                 "remember me" and "remember my password" checked
msn.com                   1063                 logged in thru search.live.com
myspace.com               2027                 "remember me" checked
en.wikipedia.org/wiki     134                  "remember me" checked
yahoo.com                 677                  "keep me signed in" checked
youtube.com               597                  also logged in to iGoogle

November 2008
total size of all cookies

Cookie impact

http://yuiblog.com/blog/2007/03/01/performance-research-part-3/

cookies on static resources multiply the delay
largest packet MTU (Maximum Transmission Unit) for Ethernet: 1500 bytes

cookie size   response time delta
500 bytes     1 ms
1000 bytes    16 ms
1500 bytes    31 ms
2000 bytes    47 ms
2500 bytes    63 ms
3000 bytes    78 ms

Live Search cookies sent

http://search.live.com/results.aspx?q=flowers
http://search.live.com/.../brand_c.css
http://search.live.com/.../serp_c.css
http://search.live.com/.../scopebar2_c.css
http://search.live.com/.../answerAll_c.css
http://search.live.com/.../asset4.gif
http://search.live.com/.../cbcoin.gif
http://search.live.com/.../main.js

seven static resources contain the Cookie request header (1938 bytes), even though cookies don't affect the response

7 x 1938 bytes = 13.5K (upstream!)

Static resource cookie size

site                      cookie size (bytes)  static resources on same domain  wasted bytes
aol.com                   494                  2                                988
ebay.com                  1038                 0                                0
facebook.com              990                  2                                1980
google.com/search         417                  5                                2085
search.live.com/results   1938                 7                                13,566
msn.com                   1063                 1                                1063
myspace.com               2027                 2                                4,054
en.wikipedia.org/wiki     134                  8                                1072
yahoo.com                 677                  0                                0
youtube.com               597                  1                                597

November 2008

worse on sites without CDN?

cookie-free static content

takeaway: serve static content without cookies
• different domain (rule 2 – use a CDN)
• different path ("/app" versus "/images")
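The takeaway above, as an added example that is not part of the original slides: a simplified version of the RFC 6265 domain and path matching a browser uses to decide which cookies to attach, applied to a broadly scoped and a tightly scoped cookie. The hostnames, cookie name and value are constructed for illustration.

```javascript
// Added example: simplified RFC 6265 matching. All names and URLs are constructed.

// A Domain attribute matches the host itself and every subdomain of it.
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// The cookie path must be a prefix of the request path that ends on a "/" boundary.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// Build the Cookie request header a browser would attach to `url`.
function cookieHeaderFor(url, jar) {
  const { hostname, pathname } = new URL(url);
  return jar
    .filter(c => domainMatches(hostname, c.domain) && pathMatches(pathname, c.path))
    .map(c => `${c.name}=${c.value}`)
    .join("; ");
}

// Upstream bytes spent on cookies that static resources never read.
function wastedBytes(staticUrls, jar) {
  return staticUrls.reduce(
    (sum, u) => sum + Buffer.byteLength(cookieHeaderFor(u, jar)), 0);
}

const value = "x".repeat(100); // constructed 100-byte cookie value
const BROAD_JAR = [{ name: "session", value, domain: ".example.com", path: "/" }];
const TIGHT_JAR = [{ name: "session", value, domain: "www.example.com", path: "/app" }];

const PAGE_URL = "http://www.example.com/app/results?q=flowers";
const STATIC_URLS = [
  "http://www.example.com/images/logo.gif", // same host, different path
  "http://static.example.com/main.js",      // sibling subdomain
  "http://static.example-cdn.net/brand.css" // separate domain
];

console.log("broad scope wasted bytes:", wastedBytes(STATIC_URLS, BROAD_JAR));
console.log("tight scope wasted bytes:", wastedBytes(STATIC_URLS, TIGHT_JAR));
```

With the broad scope, two of the three static requests carry the 108-byte header; with the tight scope none do, while the application page still receives the cookie.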

Cookie expiration

long expirations are handled differently for HTTP resources versus cookies:
• avoid cached resources by removing the reference or changing the name
• cookies are always sent, regardless of HTML content
• server can't see domain, path, and expiration

it's hard to avoid cookies with long expirations

Cookie expiration

site                      cookie size (bytes)  avg expires (months)
aol.com                   494                  13
ebay.com                  1038                 27
facebook.com              990                  1
google.com/search         417                  122
search.live.com/results   1938                 201
msn.com                   1063                 175
myspace.com               2027                 92
en.wikipedia.org/wiki     134                  1
yahoo.com                 677                  231
youtube.com               597                  62

November 2008

average expiration time across all persistent cookies

Reduce cookie weight

use session-based cookies when possible
use short expirations in other cases
avoid using cookies instead of a user database
set domain and path as tight as possible
track and purge cookies – maintain a cookie whitelist and remove outsiders

Set-Cookie: MSNPPAuth=; domain=.live.com; path=/;
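One way to implement the "track and purge" step, as an added example that is not from the original slides: parse the incoming Cookie request header and emit an expiring Set-Cookie header for every cookie not on the whitelist. Because the server cannot see a cookie's domain and path, the purge scope is assumed to come from configuration; the whitelist, cookie names and scope are constructed.

```javascript
// Added example: whitelist-based cookie purge. Whitelist, cookie names and
// scope are constructed assumptions, not values from the lecture.
const WHITELIST = new Set(["session", "prefs"]);

// The request header does not carry domain or path, so the purge scope
// has to be known from configuration (assumed here).
const PURGE_SCOPE = { domain: ".example.com", path: "/" };

// Parse a Cookie request header: "; " delimited name=value pairs.
// Values may themselves contain "=", so split on the first one only.
function parseCookieHeader(header) {
  return header
    .split(/;\s*/)
    .filter(pair => pair.includes("="))
    .map(pair => {
      const eq = pair.indexOf("=");
      return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1) };
    });
}

// One Set-Cookie header per outsider: empty value, expiry in the past.
function purgeHeaders(cookieHeader, scope) {
  return parseCookieHeader(cookieHeader)
    .filter(c => !WHITELIST.has(c.name))
    .map(c =>
      `${c.name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; ` +
      `domain=${scope.domain}; path=${scope.path}`);
}

// Constructed request header with two whitelisted cookies and two outsiders.
const SAMPLE_COOKIE_HEADER =
  "session=abc123; SRCHUID=V=1&GUID=0000; oldpromo=1; prefs=lang=en";

for (const h of purgeHeaders(SAMPLE_COOKIE_HEADER, PURGE_SCOPE)) {
  console.log("Set-Cookie: " + h);
}
```

The browser only drops a cookie when the domain and path in the purge header match the ones it was set with, so a cookie issued under a different scope survives this purge.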

Cookie questions

max size for a single cookie
max total size for all cookies
  for a single domain
  across all domains
max # of cookies
  for a single domain
  across all domains
how cookies are purged
  FIFO
  LIFO

contact me if you'd like to do this study

"www" redirects

how should "www" work for yourdomain.com?

http://yourdomain.com/ redirects to http://www.yourdomain.com/
• slower (redirect)

both work
• cookies
  ‐ cookies issued on yourdomain.com go to subdomains
  ‐ cookies issued on www.yourdomain.com don't go to yourdomain.com
• avoid caching two copies of each resource
  ‐ http://yourdomain.com/logo.gif
  ‐ http://www.yourdomain.com/logo.gif

Top 10 "www" redirects

site            redirect  cookie domain
aol.com         yes       .aol.com
ebay.com        yes       .ebay.com
facebook.com    yes       .facebook.com
google.com      yes       .google.com
live.com        yes       .live.com
msn.com         yes       .msn.com
myspace.com     yes       .myspace.com
wikipedia.org   no        .wikipedia.org
yahoo.com       yes       .yahoo.com
youtube.com     yes       .youtube.com

November 2008

cookie domain is not the reason for redirecting

Two copies of resources

if Wikipedia doesn't redirect, how do they avoid downloading two copies of resources?

different domain for resources:
http://wikipedia.org/
http://upload.wikimedia.org/.../174px-Wikipedia-word.png
http://upload.wikimedia.org/.../Bookshelf-40x20.png

what about resources on document's server?
• relative URLs – shorter but two copies
• full URLs – longer but single copy
• BASE HREF – short and single copy (but how come no one uses this?)

recommendation: don't redirect for "www"

Homework

12/1 11:59pm – Assignment #6 - Improving a Top Site
• rules 11-14
• Vol 2:
  ‐ Split the Initial Payload
  ‐ Load Scripts Without Blocking
  ‐ Don't Scatter Inline Scripts
  ‐ Shard Dominant Domains
  ‐ Optimize Images

Questions

What are cookies used for? How does the browser decide which cookies to send? When does it stop sending a cookie? What's a session-based cookie and how do you create one?
Why is it wasteful to send cookies on requests for static resources, and how can it be avoided?
Why are long expiration dates more problematic for cookies than HTTP resources?
What are techniques for reducing cookie weight?
What are the choices for handling "www"? List the pros and cons, and recommended solution.