I have long read about "Use cookie-free domains" aka create a subdomain that can serve css, js, and images, all in 1 subdomain.
However 99% of our site is served via ssl, and ssl certificates can be expensive.
And so if we did this cookie-free subdomain, then to avoid the error that says "This page contains both secure and nonsecure items", we'd have to have ssl on the cookie-free subdomain.
Have any of you done similar things?
Would it really be worth the cost to set up a 2nd ssl subdomain to host all the css, images, and javascript for all of our sites?
Thank you.
No.
If you use HTTPS, you can probably also use HTTP/2, which avoids re-sending cookies unnecessarily, so the problem goes away.
There's a significant cost of opening a new TLS connection to a domain for the first time, so the more domains you use, the more first-connection overhead you pay for.
Unless your cookies are very large or you have lots and lots of requests, then the cost of establishing an additional TLS connection is likely to be greater than the cost of sending cookies on an already-open connection.
BTW: when using HTTPS be sure to add an HTTP header that explicitly allows caching (e.g. Cache-Control:public, max-age=604800), because otherwise browsers may not cache anything and waste bandwidth re-downloading files over and over again.
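
One way to check the caching advice in the answer above, as an added example that is not part of the original thread: a small audit that parses the Cache-Control header of static-asset responses and reports assets that are not explicitly cacheable or that still set cookies. The function names, the file-extension list and the sample responses are assumptions constructed for illustration.

```python
# Added example: audit static-asset response headers for explicit caching.
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".svg", ".woff2")  # assumed list

def parse_cache_control(value):
    """Parse a Cache-Control header into {directive: argument-or-None}."""
    directives = {}
    for part in (value or "").split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def audit_asset(headers):
    """Return a list of findings for one static-asset response."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    cc = parse_cache_control(h.get("cache-control"))
    findings = []
    if not cc:
        findings.append("no Cache-Control header: caching left to browser heuristics")
    elif "no-store" in cc or "no-cache" in cc:
        findings.append("no-store/no-cache forces a refetch or revalidation")
    else:
        max_age = cc.get("max-age")
        if max_age is None or not max_age.isdigit() or int(max_age) == 0:
            findings.append("no positive max-age")
        # Mirrors the header suggested in the answer (public, max-age=...).
        if "public" not in cc:
            findings.append("not marked public")
    if "set-cookie" in h:
        findings.append("Set-Cookie sent with a static asset")
    return findings

def audit(responses):
    """Audit only paths that look like static assets; skip dynamic pages."""
    return {path: audit_asset(hdrs) for path, hdrs in responses.items()
            if path.lower().endswith(STATIC_EXT)}

# Constructed sample responses (path -> response headers), not real traffic.
SAMPLE = {
    "/static/site.css": {"Cache-Control": "public, max-age=604800"},
    "/static/app.js": {"cache-control": "no-cache", "Set-Cookie": "sid=abc"},
    "/static/logo.png": {},
    "/static/font.woff2": {"Cache-Control": "private, max-age=0"},
    "/account": {"Cache-Control": "no-store"},
}

if __name__ == "__main__":
    for path, findings in audit(SAMPLE).items():
        print(path, "OK" if not findings else "; ".join(findings))
```

A Set-Cookie header on a response that is also marked public deserves particular attention, since a shared cache may store that response and serve it to other users.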