Today an SSL certificate vendor informed me that my site.com.br/intranet is not secure, and that the correct form would be intranet.site.com.br.
Is this true?
Does it make any difference to use a sub-domain instead of a sub-folder?
Not necessarily; it seems a little overkill on his part (and even a lack of knowledge, or confusion, on his part).
If the site.com.br/intranet page contains session cookies (or another session method), this data can be passed to site.com.br; however, it is totally possible to prevent this. For example, with PHP it is possible to define the cookie PATH of the session.
The subdomain does not share cookies from the main site, and this would theoretically make it more secure.
As I said, it is not totally right and not totally wrong; it varies with how your system was created. Using a sub-folder does not really make it insecure.
Of course, he may have talked about something else that I really do not know about.
In some contexts, yes. You can, for example, restrict a cookie to pt.stackoverflow.com; then it will not appear if the user accesses stackoverflow.com, which in this case obviously does not make a difference, but prevents your intranet credentials from leaking to the site open to the public.
Another situation in which the subdomain makes a difference is for AJAX: unless you explicitly authorize it, the browser will not let you make a request from intranet.site.com.br to site.com.br or vice versa; this protects against the accidental leak of information from your intranet to the public.
(Both of the above use cases are most relevant when you are a site like Tumblr or GitHub, where a user can put any content in their subdomain - in the case of GitHub, in github.io - but it never hurts to put a layer of protection in your service.)
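The cookie scoping and cross-origin rules described in the answers above, as an added example that is not part of the original posts: a simplified model of RFC 6265 cookie matching (domain-match and path-match) and of the same-origin comparison. The cookie objects and function names are constructed for illustration.

```javascript
// A cookie set without a Domain attribute is host-only: the host must match exactly.
// A cookie set with Domain=site.com.br is also sent to every subdomain.
function domainMatches(host, cookie) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

// Path-match: the cookie path must be a prefix ending on a "/" boundary,
// so Path=/intranet covers /intranet/login but not /intranet2.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

function cookieIsSent(url, cookie) {
  const u = new URL(url);
  return domainMatches(u.hostname, cookie) && pathMatches(u.pathname, cookie.path);
}

// The same-origin policy compares scheme, host and port. The path is ignored.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Constructed sample cookies for the three deployment choices.
const folderCookie = { domain: "site.com.br", hostOnly: true, path: "/intranet" };
const subdomainCookie = { domain: "intranet.site.com.br", hostOnly: true, path: "/" };
const wideCookie = { domain: "site.com.br", hostOnly: false, path: "/" };

const urls = [
  "https://site.com.br/",
  "https://site.com.br/intranet/login",
  "https://intranet.site.com.br/",
];
for (const url of urls) {
  console.log(url, {
    folderCookie: cookieIsSent(url, folderCookie),
    subdomainCookie: cookieIsSent(url, subdomainCookie),
    wideCookie: cookieIsSent(url, wideCookie),
    sameOriginAsPublicSite: sameOrigin(url, "https://site.com.br/"),
  });
}
```

The sub-folder deployment keeps the intranet same-origin with the public site, so the Path attribute only limits which requests carry the cookie. A cookie set with `Domain=site.com.br` reaches the subdomain as well, so the subdomain separation holds only for host-only cookies.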