> On Dec 24, 2010, at 18:06, Zeu5 wrote:
>
>> Do I
>>
>> a)
>> create a separate subdomain such that all visitors to the different
>> subdomains are redirected to it?
>>
>> eg, visitors at subdomain1.example.com or subdomain2.example.com will
>> ALL be directed to https://secure.example.com/orders/checkout when
>> they run the orders/checkout action

The problem with this is figuring out how to transfer session data that you've already started at subdomainx.example.com to secure.example.com. You could set the session domain to example.com; that may be the cleanest option, though this contradicts best practices for reducing cookie transmissions for resources that don't need them, i.e.:

http://developer.yahoo.com/performance/rules.html#cookie_free

An alternative is to try to pass the session ID via a URL parameter, but making this option available in your site probably decreases your site's security; there are reasons why PHP no longer defaults to propagating session IDs that way.

Another strategy to consider is just not using sessions on any of the subdomains at all. If you come to a point where you need to put data into the session, that's the time when you redirect to the secure hostname, and put all session data there to start with.

>> OR
>>
>> b)
>>
>> all the visitors at subdomain1.example.com are directed to
>> https://subdomain1.example.com/orders/checkout
>>
>> all the visitors at subdomain2.example.com are directed to
>> https://subdomain2.example.com/orders/checkout

On Dec 24, 2010, at 19:17, Matt Murphy wrote:

> Unless you have a wildcard cert, you'll have to use method a. Obviously, the
> wildcard cert solution would be way sexier (enabling method b), but those
> things are expensive.

Well, you either buy a wildcard SSL certificate that covers all the subdomains of your domain, or you buy an individual regular SSL certificate for each subdomain. One popular SSL certificate provider whose web site I just checked charges $60/yr for a regular SSL certificate that covers one subdomain, or $200/yr for a wildcard SSL certificate that covers unlimited subdomains on a domain. Clearly, at these prices, if you need to protect 4 or more subdomains, a wildcard SSL certificate is the cheaper option.

Wildcard SSL certificates are a newer feature, so they won't work with older browsers.
Not sure what browsers fall under this definition of "older"; you'd have to research and see if you care about those browsers.
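
Added example, not part of the original thread: a small Python model of browser cookie scoping (RFC 6265 domain matching) that compares the first and third strategies from the reply above. The hostnames are the thread's own; the `Secure` flag, the request list and the function names are assumptions made for illustration, and cookie paths are taken to be `/`.

```python
from urllib.parse import urlsplit

def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3 domain matching (IP-address hosts not handled)."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def cookie_sent(url, origin_host, domain=None, secure=False):
    """Would a browser attach a cookie set by origin_host to a request for url?

    domain=None models a host-only cookie (no Domain attribute).
    """
    parts = urlsplit(url)
    host = parts.hostname
    if secure and parts.scheme != "https":
        return False  # Secure cookies never travel over plain HTTP
    if domain is None:
        return host == origin_host.lower()
    return domain_match(host, domain)

# Constructed requests using the thread's example hostnames.
REQUESTS = [
    "http://subdomain1.example.com/products",
    "http://subdomain2.example.com/img/logo.png",
    "https://secure.example.com/orders/checkout",
]

def exposure(origin_host, domain=None, secure=False):
    """Return the subset of REQUESTS that would carry the session cookie."""
    return [u for u in REQUESTS if cookie_sent(u, origin_host, domain, secure)]

# Strategy 1: session domain widened to example.com, session started on a
# plain-HTTP subdomain (assumed to be set without the Secure flag).
shared = exposure("subdomain1.example.com", domain="example.com")

# Strategy 3: no session until the redirect; secure.example.com sets a
# host-only cookie with the Secure flag (assumed).
deferred = exposure("secure.example.com", domain=None, secure=True)

if __name__ == "__main__":
    print("Domain=example.com ->", shared)
    print("host-only + Secure ->", deferred)
```

With the widened domain the session ID accompanies every request to every subdomain, including unencrypted ones for static resources; with the deferred session it is sent only to the HTTPS checkout host.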
