CS193H:High Performance Web Sites

Lecture 23: Vol 2 – Make static content cookie-

free, Reduce cookie weight, To WWW or not to WWW

Steve SoudersGoogle

souders@cs.stanford.edu

announcementsFinal exam locations:• Dec 9, 12:15-3:15 – Gates B03• Dec 12, 12:15-3:15 – Gates B01

Set-Cookie response headerHTTP/1.1 200 OK

Set-Cookie: MSNPPAuth=B*eDP3m4...WELr; expires=Wed, 30-Dec-2037 16:00:00 GMT; domain=.live.com;_path=/;

domain, path, and expires in the cookie headermax size ~4K (varies by browser)one header per cookiecookie is stored by the client (browser)only valid if domain matches current page

Cookie response headerGET /results.aspx?q=flowers HTTP/1.1Host: search.live.comCookie:_MSNPPAuth=B*eDP3m4...WELr;_SRCHUID=V=1&GUID=83F46965E90240739918C1047F88FD26;_SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20081129; ...

cookie sent back to server on subsequent requests that match the domain and pathall cookies sent in one request header"; " delimited

Cookie sizecookie size

(bytes)comments

aol.com 494 "stay signed in" checked

ebay.com 1038 "keep me signed in" checked

facebook.com 990 "remember me" checked

google.com/search 417 logged in to iGoogle and YouTube

search.live.com/results 1938

"remember me" and "remember my password"

checked

msn.com 1063 logged in thru search.live.com

myspace.com 2027 "remember me" checked

en.wikipedia.org/wiki 134 "remember me" checked

yahoo.com 677 "keep me signed in" checked

youtube.com 597 also logged in to iGoogleNovember 2008total size of all cookies

Cookie impact

http://yuiblog.com/blog/2007/03/01/performance-research-part-3/

cookies on static resources multiplies the delaylargest packet MTU (Maximum Transmission Unit) for Ethernet: 1500 bytes

cookie size response time delta500 bytes 1 ms

1000 bytes 16 ms1500 bytes 31 ms2000 bytes 47 ms2500 bytes 63 ms3000 bytes 78 ms

Live Search cookies senthttp://search.live.com/results.aspx?q=flowers http://search.live.com/.../brand_c.css http://search.live.com/.../serp_c.css http://search.live.com/.../scopebar2_c.css http://search.live.com/.../answerAll_c.css http://search.live.com/.../asset4.gif http://search.live.com/.../cbcoin.gif http://search.live.com/.../main.js

seven static resources contain the Cookie request header (1938 bytes), even though cookies don't affect the response

7 x 1938 bytes = 13.5K (upstream!)

Static resource cookie size

cookie size (bytes)

static resources on same domain

wasted bytes

aol.com 494 2 988

ebay.com 1038 0 0

facebook.com 990 2 1980

google.com/search 417 5 2085

search.live.com/results 1938 7 13,566

msn.com 1063 1 1063

myspace.com 2027 2 4,054

en.wikipedia.org/wiki 134 8 1072

yahoo.com 677 0 0

youtube.com 597 1 597November 2008

worse on sites without CDN?

cookie-free static contenttakeaway: serve static content without cookies• different domain (rule 2 – use a CDN)• different path ("/app" versus "/images")

Cookie expirationlong expirations are handled differently for HTTP resources versus cookies:• avoid cached resources by removing the reference

or changing the name• cookies are always sent, regardless of HTML

content• server can't see domain, path, and expiration

it's hard to avoid cookies with long expirations

Cookie expirationcookie size

(bytes)avg expires

(months)

aol.com 494 13

ebay.com 1038 27

facebook.com 990 1

google.com/search 417 122

search.live.com/results 1938 201

msn.com 1063 175

myspace.com 2027 92

en.wikipedia.org/wiki 134 1

yahoo.com 677 231

youtube.com 597 62

November 2008

average expiration time across all persistent cookies

Reduce cookie weightuse session-based cookies when possibleuse short expirations in other casesavoid using cookies instead of a user databaseset domain and path as tight as possibletrack and purge cookies – maintain a cookie whitelist and remove outsiders

Set-Cookie:_MSNPPAuth=;_domain= .live.com; path=/;

Cookie questionsmax size for a single cookiemax total size for all cookies

for a single domainacross all domains

max # of cookiesfor a single domainacross all domains

how cookies are purgedFIFOLIFO

contact me if you'd like to do this study

"www" redirectshow should "www" work for yourdomain.com?http://yourdomain.com/ redirects to http://www.yourdomain.com/• slower (redirect)

both work• cookies

‐ cookies issued on yourdomain.com go to subdomains‐ cookies issued on www.yourdomain.com don't go to

yourdomain.com• avoid caching two copies of each resource

‐ http://yourdomain.com/logo.gif‐ http://www.yourdomain.com/logo.gif

redirect cookie domain

aol.com yes .aol.com

ebay.com yes .ebay.com

facebook.com yes .facebook.com

google.com yes .google.com

live.com yes .live.com

msn.com yes .msn.com

myspace.com yes .myspace.com

wikipedia.org no .wikipedia.org

yahoo.com yes .yahoo.com

youtube.com yes .youtube.com

Top 10 "www" redirects

November 2008

cookie domain is not the reason for redirecting

Two copies of resourcesif Wikipedia doesn't redirect, how do they avoid downloading two copies of resources?

different domain for resources:http://wikipedia.org/http://upload.wikimedia.org/.../174px-Wikipedia-word.pnghttp://upload.wikimedia.org/.../Bookshelf-40x20.png

what about resources on document's server?• relative URLs – shorter but two copies• full URLs – longer but single copy• BASE HREF – short and single copy (but how come

no one uses this?)

recommendation: don't redirect for "www"

Homework12/1 11:59pm – Assignment #6 - Improving a Top Site• rules 11-14• Vol 2:

‐ Split the Initial Payload‐ Load Scripts Without Blocking‐ Don't Scatter Inline Scripts‐ Shard Dominant Domains‐ Optimize Images

QuestionsWhat are cookies used for? How does the browser decide which cookies to send? When does it stop sending a cookie? What's a session-based cookie and how do you create one?Why is it wasteful to send cookies on requests for static resources, and how can it be avoided?Why are long expiration dates more problematic for cookies than HTTP resources?What are techniques for reducing cookie weight?What are the choices for handling "www"? List the pros and cons, and recommended solution.