5
Today an SSL certificate seller informed me that my site.com.br/intranet is not safe, and that the right thing to do would be intranet.site.com.br. Is that true?
Does a sub-domain make any difference compared with a sub-folder?
6
Not necessarily; it seems to me a bit of an exaggeration on his part (and even a lack of knowledge, or confusion, on his part).
If the site.com.br/intranet page contains session cookies (or another session method), this data can be passed to site.com.br, but it is entirely possible to prevent this; for example, with PHP it is possible to define the PATH of the session cookie.
The sub-domain does not share cookies from the main website, and this would theoretically make it safer.
As I said, it is not totally right and not totally wrong; it depends on how your system was built. Using a sub-folder does not really make it insecure.
Of course, he might have been talking about something else; I really don't know.
6
In some contexts, yes. You can, for example, restrict a cookie to pt.stackoverflow.com; then it will not appear if the user accesses stackoverflow.com, which in this case obviously makes no difference, but it prevents your intranet credentials from leaking to the site open to the public.
Another situation where the subdomain makes a difference is AJAX: unless you explicitly authorize it, the browser will not let you make a request to intranet.site.com.br from site.com.br or vice versa; this protects against accidental leakage of information from your intranet to the public.
(Both of the above use cases are most relevant when you are a site like Tumblr or GitHub, where a user can place any content in their subdomain - in the case of GitHub, on github.io - but it never hurts to put an extra layer of protection on your service.)
It depends: if your site only needs to access some subfolder (or if some users should be limited to only having access to that subfolder), subdomains help make this control better than subfolders, but it all depends on what you want to implement...
– Felipe Avelar