php, .htaccess, cookies, static-content

Cookieless Domain - Session Cookie? Explicitly set the domain property on the main site?


Two questions regarding a Cookieless Domain (I've read a dozen or more posts on Cookieless domains, but some of the answers seem conflicting).

I am setting up my site to serve Static Content from a Cookieless Domain - using a subdomain and .htaccess. I have pages with many thumbnails and I don't want the cookie info sent with each image request.

In .htaccess I have a rewrite rule which directs all my traffic to the www domain:

RewriteEngine On
RewriteBase /
# Match the bare host exactly (escaped dot, end anchor) before redirecting to www
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301]

I created a CNAME record static.example.com and pointed it to www.example.com.

My image requests now point to static.example.com and in Firebug I am looking at the Net tab. The request header shows the PHP Session Cookie PHPSESSID=.... and the response header shows no Cookie.

First Question:

Is having the session cookie in the request header unavoidable, or should I be trying to get rid of this as well? All requests come from a common directory (and its subdirectories). Should I do something like this?

RequestHeader unset Cookie
Header unset Cookie
Header unset Set-Cookie

UPDATE: I tried putting this in the .htaccess in the directory of the jpg files, but the headers were not blocked for the images served.

Second Question:

Also, do I need to explicitly set the domain property of all my cookies? Docs say that if the domain is not specified then the current domain is used as the default. My current domain should always be www, right? But in response to my last post, someone said

You'll need to explicitly set all your cookies for www.example.com so that they won't be shared among subdomains

When looking at my www.example.com cookies (in Firefox) which were set without specifying the domain, it shows the "host" as www.example.com but the "site" as example.com. It doesn't explicitly say what the "domain" is, and these cookies aren't being included with the requests from static.example.com.

Thanks for your help. (If I should have posted two separate posts, let me know)


Solution

  • So after a long night, here is what I found:

    In the end, I no longer have the session cookie showing up. I explicitly set the domain to www.example.com and the path to "/" for all cookies, and once this was done (correctly), the cookie data is no longer in the request header for all file requests.

    It might have worked without the domain being explicitly set. However, it was the most straightforward route and worked in the end.
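The cookie-scoping rules behind the second question, as an added example that is not part of the original post or answer: a small Python model of what an RFC 6265 browser does when it stores a Set-Cookie and when it decides which cookies to attach to a request. The host names are the ones from the post; PHPSESSID is the cookie the post names, and the other cookie names and values are constructed sample data. It shows why a cookie set by www.example.com with no Domain attribute (a "host-only" cookie) is never sent to static.example.com, why explicitly setting Domain=www.example.com gives the same result for the static host, and why Domain=example.com would hand the session cookie to every subdomain. It also shows the one real difference between the first two choices: a domain cookie for www.example.com is additionally sent to hosts below it, such as cdn.www.example.com.

```python
"""
Browser cookie scoping per RFC 6265, modelled in plain Python, so you can see
which cookies would ride along on requests to www.example.com versus the
static.example.com CNAME. Added illustration, not code from the post; PHPSESSID
is the cookie named in the post, the other cookies are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str       # canonical (lowercase, no leading dot) host or Domain attribute
    host_only: bool   # True when Set-Cookie carried no Domain attribute (RFC 6265 5.3 step 6)
    path: str = "/"


def canonicalize(host: str) -> str:
    return host.strip().lower().rstrip(".")


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: equal, or request_host is a subdomain of cookie_domain."""
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def set_cookie(response_host: str, name: str, value: str,
               domain: Optional[str] = None, path: str = "/") -> Cookie:
    """Model the browser storing one Set-Cookie received from response_host."""
    response_host = canonicalize(response_host)
    if domain is None:
        # No Domain attribute: host-only cookie, bound to exactly this host.
        return Cookie(name, value, response_host, True, path)
    # A leading dot in the Domain attribute is ignored by RFC 6265 browsers.
    cookie_domain = canonicalize(domain.lstrip("."))
    if not domain_matches(response_host, cookie_domain):
        # The browser refuses cookies for a domain the responding host is not under.
        raise ValueError(f"{response_host} may not set a cookie for {cookie_domain}")
    return Cookie(name, value, cookie_domain, False, path)


def cookies_for(jar: List[Cookie], url: str) -> List[str]:
    """The name=value pairs a browser would put in the Cookie header for url (RFC 6265 5.4)."""
    parts = urlsplit(url)
    host = canonicalize(parts.hostname or "")
    path = parts.path or "/"
    sent = []
    for c in jar:
        if c.host_only:
            if host != c.domain:
                continue
        elif not domain_matches(host, c.domain):
            continue
        if not path_matches(path, c.path):
            continue
        sent.append(f"{c.name}={c.value}")
    return sent


def demo() -> dict:
    """Three ways www.example.com could scope its cookies, and which hosts receive each."""
    jar = [
        set_cookie("www.example.com", "PHPSESSID", "abc123"),                      # no Domain: host-only
        set_cookie("www.example.com", "explicit", "1", domain="www.example.com"),   # what the answer did
        set_cookie("www.example.com", "shared", "1", domain="example.com"),         # parent domain: all subdomains
    ]
    return {
        "www": cookies_for(jar, "http://www.example.com/index.php"),
        "static": cookies_for(jar, "http://static.example.com/images/thumb1.jpg"),
        "below_www": cookies_for(jar, "http://cdn.www.example.com/x.jpg"),
    }


if __name__ == "__main__":
    for host, header in demo().items():
        print(f"{host:10s} -> Cookie: {'; '.join(header) or '(none)'}")
```

Two practical notes. First, `RequestHeader unset Cookie` in the image directory's .htaccess cannot answer the first question: mod_headers edits the request after the browser has already put the header on the wire, so the bytes are still sent (and still visible in Firebug); only the cookie's scope, Domain and Path, decides whether the browser attaches it. Second, in PHP the session cookie's scope is set with session_set_cookie_params() before session_start(), and other cookies take the domain and path arguments of setcookie(); either a host-only cookie (no Domain) or an explicit Domain=www.example.com keeps them off static.example.com, while Domain=example.com is the setting that makes every subdomain carry them.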