Make a sub-domain or create a sub-folder?

5

Today an SSL certificate vendor informed me that my site.com.br/intranet is not secure, and that the correct form would be intranet.site.com.br. Is this true?

Does it make any difference to use a sub-domain instead of a sub-folder?

    
asked by anonymous 22.06.2015 / 20:56

2 answers

6

Not necessarily; it seems like a bit of overkill on his part (and even a lack of knowledge, or confusion on his part).

What is unsafe

If the site.com.br/intranet page uses session cookies (or another session method), this data can be passed to site.com.br; however, it is entirely possible to prevent this. For example, with PHP it is possible to define the PATH of the session cookie.

Why use a sub-domain

The subdomain does not share cookies from the main site and this would theoretically make it more secure.

As I said, it is not totally right and not totally wrong; it depends on how your system was built. Using a sub-folder does not really make it insecure.

  

Of course, he may have been talking about something else that I really do not know about.

    
22.06.2015 / 21:02

6

In some contexts, yes. You can, for example, restrict a cookie to pt.stackoverflow.com; then it will not appear if the user accesses stackoverflow.com, which in this case obviously does not make a difference, but it prevents your intranet credentials from leaking to the site open to the public.

Another situation in which the subdomain makes a difference is AJAX: unless you explicitly authorize it, the browser will not let you make a request from intranet.site.com.br to site.com.br or vice versa; this protects against the accidental leak of information from your intranet to the public.

(Both of the above use cases are most relevant when you are a site like Tumblr or GitHub, where a user can put any content on their subdomain - in the case of GitHub, on github.io - but it never hurts to add a layer of protection to your service.)

    
22.06.2015 / 21:03
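
The cookie scoping and same-origin behaviour that both answers describe, as an added example that is not part of either answer: a JavaScript model of the RFC 6265 domain-match and path-match rules plus an origin comparison. The cookie names and the jar are constructed sample values; it assumes lowercase hostnames and ignores expiry and SameSite.

```javascript
// Added example: RFC 6265 cookie matching (sections 5.1.3 and 5.1.4) plus a same-origin check.
// All cookie names and jar entries below are constructed sample values.

// Domain-match: host-only cookies need the exact host; Domain= cookies also match subdomains.
function domainMatches(host, cookie) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

// Path-match: the cookie path equals the request path or is a prefix ending at a "/" boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Names of the cookies a browser would attach to a request for `url`.
function cookiesSentTo(url, jar) {
  const u = new URL(url);
  return jar
    .filter((c) => domainMatches(u.hostname, c) && pathMatches(u.pathname, c.path))
    .filter((c) => !c.secure || u.protocol === "https:")
    .map((c) => c.name);
}

// Same-origin policy: scheme, host and port must all be equal.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Constructed cookie jar covering the layouts discussed in the answers.
const jar = [
  // sub-folder layout, session cookie left at Path=/
  { name: "sess_default", domain: "site.com.br", hostOnly: true, path: "/", secure: true },
  // sub-folder layout, session cookie restricted to Path=/intranet
  { name: "sess_path", domain: "site.com.br", hostOnly: true, path: "/intranet", secure: true },
  // sub-domain layout, host-only cookie set by intranet.site.com.br
  { name: "sess_sub", domain: "intranet.site.com.br", hostOnly: true, path: "/", secure: true },
  // cookie set with Domain=site.com.br, shared with every subdomain
  { name: "sess_wide", domain: "site.com.br", hostOnly: false, path: "/", secure: true },
];

console.log(cookiesSentTo("https://site.com.br/blog", jar));
console.log(cookiesSentTo("https://site.com.br/intranet/home", jar));
console.log(cookiesSentTo("https://intranet.site.com.br/", jar));
console.log(sameOrigin("https://site.com.br/intranet/", "https://site.com.br/"));
console.log(sameOrigin("https://intranet.site.com.br/", "https://site.com.br/"));
```

Path only decides which requests carry the cookie: RFC 6265 (section 4.1.2.4) states that the Path attribute cannot be relied upon for security, and the fourth line of output shows why, since /intranet and the rest of site.com.br remain a single origin.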