I am trying to follow YSLOW's guidelines to optimize my site. I noticed that when static content like images, js and css files are hosted on my main domain, they are downloaded with unnecessary cookies. Therefore, I put them on a new domain (not subdomain) to avoid this.
I then found out that YSLOW says that this static content needs far future expire headers. Wouldn't that cause cookies to be enabled? Is this an either/or case or is it possible to host static content on a cookie free domain AND add expire headers? If so, how?
Cookies are not expire headers. Cookies are set with the Set-Cookie HTTP header, which specifically instructs the browser to save a small piece of text and send it again every time it contacts the same domain. Expire headers are set with the Expires and related headers and tell the browser when the content should be regarded as expired. This causes the browser to not contact the server at all and cache the data locally.
They're both entirely separate headers and mechanisms. See here for a list of all the other headers you can send and their effect, and use your browsers inspector's network tab to have a look at what kind of headers are being sent back and forth on each request.
Related
As of current, are there still any methods to spoof HTTP referer?
Yes.
The HTTP_REFERER is data passed by the client. Any data passed by the client can be spoofed/forged. This includes HTTP_USER_AGENT.
If you wrote the web browser, you're setting and sending the HTTP Referrer and User-Agent headers on the GET, POST, etc.
You can also use middleware such as a web proxy to alter these. Fiddler lets you control these values.
If you want to redirect a visitor to another website and set their browser's referrer to any value you desire, you'll need to develop a web browser-plugin or some other type of application that runs on their computer. Otherwise, you cannot set the referrer on the visitor's browser. It will show the page from your site that linked to it.
What might be a valid solution in your case would be for you to load the third party page on the visitor's behalf, using whatever referrer is necessary, then display the page to the user from your server.
Yes, the HTTP referer header can be spoofed.
A common way to play with HTTP headers is to use a tool like cURL:
Sending headers using cURL:
How to send a header using a HTTP request through a curl call?
or
The cURL docs:
http://curl.haxx.se/docs/
Yes of course. Browser can avoid to send it, and it can be also "spoofed". There's an addon for firefox (I haven't tried it myself) and likely you can use also something like privoxy (but it is harder to make it dynamically changing). Using other tools like wget, is as easy as setting the proper option.
Ok I guess this question may be similar to other in the "remote cookies" kind, but I'm not sure that other answers I've read are applied to my case anyway, so here we go.
I have two applications, a client and a server. The server "has" (I know they're actually stored client-side) a cookie and a page which uses it to print out a computed data based on the cookie.
If I access the server page directly, the cookie is taken into account and the data is output correctly.
If I call the same server page from the client via a file_get_contents() the cookie on the server page doesn't get read, and I get an answer computed with an empty cookie.
How to make the server read its own cookies when answering a similar request? Is cURL the only option?
You need to:
Make a request that gets a Set-Cookie header in the response (assuming the cookies are HTTP cookies and not JS cookies)
Store the cookies
Include the cookies in the HTTP request to the page that displays them
cURL is probably the sanest way to go about dealing with being an HTTP client in PHP when you need to pay attention to the headers. Another question gives some guidance about how to go about doing that.
Note that there is no way to send the cookies that the browser accessing your PHP script would sent to the remote server. They are a secret that belong to the browser and that server and will not be shared with your server.
Is there a way to disable PHP sending cookies in a specific page's header, on a server that normally uses cookies?
The scenario is that I have a server that uses cookies, but some pages are actually programming API calls that don't need cookies, and in fact slow down the user's API request by sending this irrelevant data.
The way that many sites use to serve their static resources without the cookie overhead is using a different domain. For Stack Overflow, for example, that domain is http://sstatic.net
In a web app, you can restrict cookies to a specific path. By default, they will be restricted to the directory in which they were set. You can also explicitly specify it using the $path parameter in setcookie().
I agree with Pekka's answer and Dagon's comment. If you look at what goes in an http request with a tool like firebug you'll see that cookies are only sent when there is a setcookie call, however, the browser will always send valid cookies it has for the domain.
The way around this is to use a seperate domain or subdomain for your api. You can also configure the web server supporting the api to disable any support for cookies, however, if your domain has implemented a domain cookie anywhere, you can't stop the clients from sending all the cookie data in the header of their requests. Thus it's probably best if you use an entirely different domain for your api, and avoid cookies entirely in doing so. If you can insure that no domain cookies exist, then subdomains is the next best solution.
Can we Fetch Values from Cross Browser Cookie ???
For Example USer Can use mozilla or chrome or any other browser
when we print_r($_COOKIE);
All Browsers Cookie Will Print.
No, cookies are stored only within one browser's cache. If you want to save data specific to a certain computer you will need to use Flash objects or server side databases
You will never be able to see all cookies set in a browser. Only the ones that are destined for the domain the request was sent to. For more information on cookies and the domain policy see here.
All browsers which have cookies enabled will send data to PHP which is added to $_COOKIE, assuming cookie data has been set...
That said, a browser will only "serve up" cookie data from itself and from the current domain. It cannot read another browser's cookies and it will not let you get data from another website.
It isn't clear what you are asking, so here are three answers:
How can I use cookies and have them work no matter what browser my visitors use?
Cookies are a standard. You use the same HTTP headers (or JavaScript) to set them for all browsers, and all browsers send them to the server in the same way.
How can I access the cookies I set before the user switched browser?
You can't read a cookie stored by (for example) Internet Explorer when the user visits using (also for example) Chrome. Chrome does not have access to the cookies stored by Internet Explorer so cannot send them to the server.
How can I access cookies set by a different website?
You cannot read a cookie stored for a different domain as browsers will only send cookies belonging to a given website to that website (to do otherwise would require vast amounts of bandwidth and be a terrible security problem).
The only cookies your website can read are those that were issued from the same domain to the users current browser.
For security reasons, browsers will only send cookie information to the same domain which issued it. Sometimes, it's even limited to a particular subdomain, rather than being valid for the entire site. This is a very good thing, since cookie information often contains session data which can (partially or wholly) give access to a website account to the holder of a cookie. This is called session hijacking. Basically, if a browser served up all your cookies to every site which requested them, a malicious site owner could take over your accounts on other sites just by making a request to them using the cookie data for that site.
Also, cookies are local to the particular browser that a user is using at the time the cookie is created. This is why if you were to log into your Facebook account from Firefox, you would have to log in again if you switched to Chrome.
In short, what you are asking for is impossible, and it is impossible for very good reasons.
I am trying to follow these guidelines to make my page load quicker.
I have created a static subdomain to load static content from, however it is advising me to not have cookies sent on this subdomain, any ideas on how I might be able to do this in Apache/PHP?
I've searched around and come up with nothing yet.
If you never explicitly set a cookie, cookies won't be present on the server. So, if you are using the second domain simply as a repository for images or CSS files, most likely no cookies are ever set.
Updated from Comments.
If you see a 'Request' cookie header to a subdomain you don't want to have cookies, clear your cookies and see if the server ever sends a cookie header in the Response headers. If it does, it is possible you have session.auto_start enabled, or you have a script that sets cookies.
You can check the Request and Response Headers using something like Firebug with Google Page Speed.
You can easily take care of this in PHP. When you set your cookie, the parameter that needs to be set is the domain parameter. Often, this is set to ".domain.com" to make it available on any subdomain. Instead, you might try setting it to "www.domain.com" to restrict it to that domain. Check out the PHP manual's setcookie() documentation.