Today an SSL certificate vendor informed me that my site.com.br/intranet is not secure, that the correct would be intranet.site.com.br is this true?
Does it make any difference to a sub-domain instead of a sub-folder?
Make a sub-domain or create a sub-folder?
5
asked by anonymous 22.06.2015 / 20:56
2 answers
6
Not necessarily, it seems a little overkill of it (and even lack of knowledge, or confusion of it).
What is unsafe
If thesite.com.br/intranet page contains session cookies (or other session method) this data can be passed to site.com.br , however it is totally possible to prevent this, for example with PHP it is possible to define the cookie PATH of session.
Why use a sub-domain
The subdomain does not share cookies from the main site and this would theoretically make it more secure.
As I said is not totally right and not totally wrong, it varies from how your system was created to use a sub-folder does not really make it insecure.
Of course he may have talked about something else that I really do not know
22.06.2015 / 21:02
6
In some contexts, yes. You can, for example, restrict a cookie to pt.stackoverflow.com ; then it will not appear if the user accesses stackoverflow.com , which in this case obviously does not make a difference, but prevents your intranet credentials from leaking to the site open to the public.
Another situation in which the subdomain makes a difference is for AJAX: unless you explicitly authorize, the browser will not let you make a request from intranet.site.com.br to site.com.br or vice versa; this protects the accidental leak of information from your intranet to the public.
(Both of the above use cases are most relevant when you are a Tumblr or GitHub site, where a user can put any content in his subdomain - in the case of GitHub, in github.io - but it never hurts to put a layer of protection in your service.)
22.06.2015 / 21:03