Cookieless fake CDNs for Drupal

How to set up a cookieless fake CDN domain for static assets in Drupal for better performance.

So you want your Drupal site perform as fast as possible and you have set up the CDN module and patched imagecache and everything is working fine. Then you realize that any asynchronously generated asset—images, compressed stylesheets, etc—will send a session cookie to your visitors.

The very promising Advanced CSS/JS Aggregation and ImageCache both handle requests in a unique way: if the requested resource is not generated yet, the request runs through Drupal, creates the resource and place it in the path exactly where the request points to. This way, subsequent requests do not need to go through Drupal and PHP again, they can be served as a static resource.

However since the first request runs through Drupal, it will start a session (Drupal 6 by default starts sessions for anonymous users) This is okay if you use a single domain to serve files from. Things get annoying when you start using alternate host names to speed up page loading times, and you realize that these precious alternate host names start sending out session cookies to your visitors, and you are basically doubling (or with 3 cname domains, that is quadrupling) your session rows if a visitor happens to hit a static resource for the first time.

CDNs - even if they are just fake CNAME records pointing to the same webroot - should operate cookieless to keep the http request headers as short as possible for subsequent requests.

One could eliminate anonymous sessions easily from the entire site, but that might not be your cup of tea because anonymous sessions are needed so much say on an Ubercart site to track cart contents.

My solution is to use an alternate session handler which in fact does not handle sessions at all. Configure this session handler to be fired only at your cdn domains and you’re set to go.

A fake session handler

This session handler throws away everything and makes sure that nothing gets saved.

 * @file
 * Fake session handling functions for CDNs.

function sess_open($save_path, $session_name) {
  return TRUE;

function sess_close() {
  return TRUE;

function sess_read($key) {
  global $user;

  ini_set('session.use_cookies', 0);
  $user = drupal_anonymous_user();
  return '';

function sess_write($key, $value) {
  return TRUE;

function sess_count($timestamp = 0, $anonymous = true) {
  return 0;

function sess_destroy_sid($sid) {
  return TRUE;

function sess_gc($lifetime) {
  return TRUE;

function session_save_session($status = NULL) {
  return NULL;

Save it as within your Drupal root somewhere, preferably to sites/default or sites/all

Modify settings

Add the following to your settings.php:

// Never let a fake CDN domain send cookies (imagecache, advagg, etc.)
$cdns = array(
if (in_array($_SERVER['HTTP_HOST'], $cdns)) {
  $conf['session_inc'] = './path/to/';

That’s it, from now on if a static resource is requested for the first time and needs to be generated via Drupal, it will use the fake session handler and will not send any cookies at all. Phew.

Last updated on by Attila