Setting a Set-Cookie - ignore or accept

Introduction

Cookies

An HTTP cookie is a small piece of data sent from a website and stored in the client's browser. Cookies are designed to be a mechanism for websites to remember stateful information such as items added in the shopping cart and/or to record the client's browsing activity such as logging in. Please remind that pure HTTP (without cookies) is a stateless protocol.

Set-Cookie and Cookie headers

Using the Set-Cookie HTTP response header a server can pass data (cookies) to a browser. When the browser makes subsequent requests to the server then the browser returns cookies-relevant data in the Cookie HTTP request header. Please read more here.

Example - logging in

When you log in to a client area on some website then the website server will respond similarly as in the following HTTP (server) response.

HTTP/1.1 200 OK
Date: Sun, 17 Sep 2017 13:16:06 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache
Pragma: no-cache
Set-Cookie: SESSIONid=v666iuanetgmcv0couvmnf3jg4
Content-Length: 20
Content-Type: text/html

As you can see the server instructs the browser (via the Set-Cookie header) to create a cookie with name SESSIONid and value v666iuanetgmcv0couvmnf3jg4 (a random string which will identify your browser).

After receiving the above response the browser will start adding the Cookie request header to all subsequent requests similarly as in the following HTTP (client) request requesting the http://mycompany.com/clients/ page.

GET /clients/ HTTP/1.1
Host: mycompany.com
Accept: text/html
Cookie: SESSIONid=v666iuanetgmcv0couvmnf3jg4 

When the server receives the above request then it is able to identify you (your browser) and allow you access to the http://mycompany.com/clients/ page.

Please note that under normal circumstances HTTP (server) responses containing the Set-Cookie header are never cached. For example re-using the same response in the above example would lead to different visitors being logged in to the same account (you don't want that).

CDN option Set-Cookie - ignore or accept

As explained above in some cases it makes good sense to add the Set-Cookie header to certain responses when serving HTML files. Usually it does not make much sense to add the Set-Cookie header to responses when serving static assets such as images, CSS and JavaScript. However some CMS and some services (including Cloudflare) add the Set-Cookie header to all responses. And thus if you want to use them as CDN service's origin then you need to instruct the CDN to behave "abnormally" and to cache responses containing the Set-Cookie header.

CDN option Set-Cookie set to accept

This instruct the CDN to behave "normally" meaning that when a response from CDN service's origin contains the Set-Cookie header then the CDN never caches it.

CDN option Set-Cookie set to ignore

This instruct the CDN to behave "abnormally" meaning that when a response from CDN service's origin contains the Set-Cookie header then the CDN caches it (assuming correct cache-control headers and everything else).

The Set-Cookie option can be set at the Services/New Service and the Services/Settings pages.

After changing the Set-Cookie option please note that you might need to purge your content from the CDN cache as it might be cached with the old settings.

Notes

  • We recommend to set the CDN option Set-Cookie to ignore. Set it to accept only if you know what you are doing.
  • Please note that the CDN option Set-Cookie does not strip the Set-Cookie header from the CDN service's origin response and thus CDN responses can contain the Set-Cookie header even when the CDN option Set-Cookie is set to ignore. The CDN option Set-Cookie "only" controls caching mechanism and does not change HTTP headers at all. If you need to get rid of the Set-Cookie header from CDN responses (to achieve a cookie-less domain) then currently the only solution is to stop adding the Set-Cookie header on the CDN service's origin. Currently we don't support the feature "strip Set-Cookie header on CDN level" however it is already on our roadmap.

What next?

Read about the following topics.

Contact Us

  _  _    _    _    _    _   
 | \| || | || | || | \  / || 
 |  ' || | || | || |  \/  || 
 | .  || | \\_/ || | .  . || 
 |_|\_||  \____//  |_|\/|_|| 
 `-` -`    `---`   `-`  `-`