The skinny on cookies
I just finished Eric Lawrence’s post on Internet Explorer Cookie Internals. Eric works on the IE team as well as owning Fiddler. Everything he writes is worth reading. In this article he answers FAQs about how IE handles cookies, for example:
- If I don’t specify a leading dot when setting the DOMAIN attribute, IE doesn’t care?
- If I don’t specify a DOMAIN attribute when [setting] a cookie, IE sends it to all nested subdomains anyway?
- How many cookies will Internet Explorer maintain for each site?
Another cookie issue is the effect extremely large cookies have on your web server. For example, Apache will fail if it receives a cookie header that exceeds 8190 bytes (as set by the LimitRequestLine directive). 8K seems huge! But remember, all the cookies for a particular web page are sent in one Cookie: header. So 8K is a hard limit for the total size of cookies. I wrote a test page that demonstrates the problem.
Keep your cookies small – it’s good for performance as well as uptime.
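One way to measure how close a page's cookies are to the 8190-byte limit described above, as an added example that is not from the original post. The function name and sample cookies are hypothetical, and counting the `Cookie: ` prefix toward the limit is an assumption.

```javascript
// Added example (not from the original post). 8190 is the Apache limit quoted
// in the text; counting the "Cookie: " prefix toward it is an assumption.
const APACHE_LIMIT = 8190;

// cookies: array of [name, value] pairs the browser would send to one URL.
function cookieHeaderReport(cookies, limit = APACHE_LIMIT) {
  // Every matching cookie is joined into a single header line.
  const line = 'Cookie: ' + cookies.map(([n, v]) => `${n}=${v}`).join('; ');
  const bytes = Buffer.byteLength(line, 'utf8'); // bytes on the wire, not characters
  // Per-cookie cost: name, '=', value, plus the "; " separator.
  const bySize = cookies
    .map(([n, v]) => ({ name: n, bytes: Buffer.byteLength(`${n}=${v}; `, 'utf8') }))
    .sort((a, b) => b.bytes - a.bytes);
  return { bytes, remaining: limit - bytes, overLimit: bytes > limit, bySize };
}

// Constructed sample: two ordinary cookies plus one bloated cookie.
const sampleCookies = [
  ['session', 'a'.repeat(32)],
  ['prefs', 'lang=en&tz=UTC'],
  ['tracking', 'x'.repeat(8150)],
];

const report = cookieHeaderReport(sampleCookies);
console.log(report.bytes, report.overLimit, report.bySize[0].name);
```

Running the same function over the `Cookie` header values seen in server logs shows which cookie to trim before requests start failing.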
OSCON and Page Responsiveness videos
I had a great time at OSCON a few weeks back. It was in San Jose this year. (Pro: I don’t have to travel and my wife can go to the parties. Con: I miss Portland.) Just as I wrote about last year, Gregg Pollack was there asking speakers to summarize their talks in 30 seconds. He published the results in the video series 5 Days of OSCON. I’m in the video for Day 3.
Gregg also pointed me to his Page Responsiveness webcast/video, where he talks about YSlow and the Google Ajax Libraries API. I really like this video. It’s informative, engaging, and short. It reminds me of Aza Raskin’s webcasts on Ubiquity and Jetpack. These two guys are very talented in how they convey complex information in a hands-on way. I encourage you to take a look.
F5 and XHR deep dive
In Ajax Caching: Two Important Facts from the HttpWatch blog, the author points out that:
…any Ajax derived content in IE is never updated before its expiration date – even if you use a forced refresh (Ctrl+F5). The only way to ensure you get an update is to manually remove the content from the cache.
I found this hard to believe, but it’s true. If you hit Reload (F5), IE will re-request all the unexpired resources in the page, except for XHRs. This can certainly cause confusion for developers during testing, but I wondered if there were other issues. What was the behavior in other major browsers? What if the expiration date was in the past, or there was no Expires header? Did adding Cache-Control max-age (which overrides Expires) have any effect?
So I created my own Ajax Caching test page.
My test page contains an image, an external script, and an XMLHttpRequest. The expiration time that is used depends on which link is selected.
- Expires in the Past adds an Expires response header with a date 30 days in the past, and a Cache-Control header with a max-age value of 0.
- no Expires does not return any Expires or Cache-Control headers.
- Expires in the Future adds an Expires response header with a date 30 days in the future, and a Cache-Control header with a max-age value of 2592000 seconds.
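The three response variants above written out as header sets, together with the freshness rule a cache applies to them (max-age takes precedence over Expires). This is an added example, not the test page's own code; the function names and mode strings are hypothetical.

```javascript
// Added example, not the test page's code. Names and mode strings are hypothetical.
const THIRTY_DAYS = 30 * 24 * 60 * 60; // 2592000 seconds

// Response headers for each link on the test page, relative to `now` (a Date).
function variantHeaders(mode, now) {
  const shifted = (secs) => new Date(now.getTime() + secs * 1000).toUTCString();
  switch (mode) {
    case 'past':
      return { Expires: shifted(-THIRTY_DAYS), 'Cache-Control': 'max-age=0' };
    case 'future':
      return { Expires: shifted(THIRTY_DAYS), 'Cache-Control': `max-age=${THIRTY_DAYS}` };
    case 'none':
      return {};
    default:
      throw new Error(`unknown mode: ${mode}`);
  }
}

// Classify a response stored at `receivedAt` once it is `ageSeconds` old.
function freshness(headers, receivedAt, ageSeconds) {
  const cc = headers['Cache-Control'] || '';
  const m = /(?:^|,)\s*max-age=(\d+)/i.exec(cc);
  // max-age wins over Expires when both are present.
  if (m) return ageSeconds < Number(m[1]) ? 'fresh' : 'stale';
  if (headers.Expires) {
    const expires = Date.parse(headers.Expires);
    if (Number.isNaN(expires)) return 'stale'; // unparseable date counts as expired
    return receivedAt.getTime() + ageSeconds * 1000 < expires ? 'fresh' : 'stale';
  }
  return 'unspecified'; // no explicit lifetime: each browser applies its own heuristics
}

// Constructed timestamp for the demonstration.
const sampleNow = new Date('2009-08-01T00:00:00Z');
for (const mode of ['past', 'none', 'future']) {
  console.log(mode, freshness(variantHeaders(mode, sampleNow), sampleNow, 60));
}
```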
The test is simple: click on a link (e.g., Expires in the Past), wait for it to load, and then hit F5. Table 1 shows the results of testing this page on major browsers. The result recorded in the table is whether the XHR was re-requested or read from cache and, if it was re-requested, the HTTP status code.
Here’s my summary of what happens when F5 is hit:
- All browsers re-request the image and external script. (This makes sense.)
- All browsers re-request the XHR if the expiration date is in the past. (This makes sense – the browser knows the cached XHR is expired.)
- The only variant behavior has to do with the XHR when there is no Expires or a future Expires. IE 7&8 do not re-request the XHR when there is no Expires or a future Expires, even if control-F5 is hit. Opera 10 does not re-request the XHR when there is no Expires. (I couldn’t find an equivalent for control-F5 in Opera.)
- Both Opera 10 and Safari 4 re-request the favicon.ico in all situations. (This seems wasteful.)
- In all situations, Safari 4 does not send an If-Modified-Since request header. As a result, the response is a 200 status code and includes the entire contents of the original response. This is true for the XHR as well as the image and external script. (This seems wasteful and deviates from the other browsers.)
Takeaways
Here are my recommendations on what web developers and browser vendors should take away from these results:
- Developers should set either a past or future expiration date on their XHRs, and avoid the ambiguity and variant behavior when no expiration is specified.
- If XHR responses should not be cached, developers should assign them an expiration date in the past.
- If XHR responses should be cached, developers should assign them an expiration date in the future. When testing in IE 7&8, developers have to remember to clear their cache when testing the behavior of Reload (F5).
- IE should re-request the XHR when F5 is hit.
- Opera and Safari should stop re-requesting favicon.ico when F5 is hit.
- Safari should send If-Modified-Since when F5 is hit.