Hi Ryan, happy holidays!
I have 3 questions. 2 are follow-ups on your excellent replies.

> The problem with this is figuring out how to transfer session data that
> you've already started at subdomainx.example.com to secure.example.com. You
> could set the session domain to example.com; that may be the cleanest option,
> though this contradicts best practices for reducing cookie transmissions for
> resources that don't need them, i.e.:
>
> http://developer.yahoo.com/performance/rules.html#cookie_free
>
> Another strategy to consider is just not using sessions on any of the
> subdomains at all. If you come to a point where you need to put data into the
> session, that's the time when you redirect to the secure hostname, and put
> all session data there to start with.

1) Thank you Ryan. I never thought there would be a good reason to have www.example.com and should just settle for example.com for the main site. Reading about the cookie-free rule leads me to understand this benefit. I also did not realise about the session transfer.

For my implementation, www.example.com or example.com is merely the basic signup page, whereas subdomain1.example.com, subdomain2.example.com, subdomain3.example.com, etc. are standalone websites belonging to each user in my app.

Right now I have 2 `app` folders in my CakePHP project. The first `app` folder, `subdomains`, is for handling all the subdomains, i.e. those standalone websites. The second `app` folder, called `main`, is for handling the main domain, i.e. registration. (I may have future features like offering free themes in themes.example.com. These functions/features would be handled by this `main` folder.)

Clearly I want the various subdomains to be treated like separate websites, as that is the purpose of the CakePHP app. How do I achieve that? I am currently using database sessions in both `app` folders in my CakePHP project.

In my `subdomains` folder, in my app_controller beforeFilter function, I have already configured the cookie to be something like this:

    $this->Cookie->name = Domain::get('Domain.subdomain');
    $this->Cookie->time = '365 days';
    $this->Cookie->key = '12345' . $domainId;

Will this ensure that visitors to different subdomains have different cookies for the different subdomains? Not sure how to do the same for the session though.

> Well, you either buy a wildcard SSL certificate that covers all the
> subdomains of your domain, or you buy an individual regular SSL certificate
> for each subdomain. One popular SSL certificate provider whose web site I
> just checked charges $60/yr for a regular SSL certificate that covers one
> subdomain, or $200/yr for a wildcard SSL certificate that covers unlimited
> subdomains on a domain. Clearly, at these prices, if you need to protect 4 or
> more subdomains, a wildcard SSL certificate is the cheaper option.

2) I found one that is 499/yr from GeoTrust/Equifax. Would love to hear which one is 200/yr. Is it GoDaddy? I think I am going to need a wildcard cert, because I intend to SSL-secure the admin backend for users, and that would mean something like https://subdomain.example.com/admin

I also noticed that there is a difference between certs that verify the domain and certs that verify both the domain and the organization. Would both have the same green indicator on modern browsers like Chrome, Firefox and IE? I just want one where the browsers would give a green indicator, whichever is cheaper. I am thinking both are functionally the same, just that the latter has an extra layer of authentication on the organization.

Brand new question:

3) Because I allow my users to use domains they have registered themselves, http://subdomain1.example.com could easily become http://www.userowndomain.com. Clearly I want to SSL-secure transaction-related pages like orders/checkout. So if a visitor to http://www.userowndomain.com goes to the orders/checkout action, I would direct them to https://subdomain1.example.com/orders/checkout

Implementation-wise, this should not be a problem. The problem I am facing is the session/cookie issue. What are your thoughts? I am inclined towards your 2nd strategy of

> Another strategy to consider is just not using sessions on any of the
> subdomains at all. If you come to a point where you need to put data into the
> session, that's the time when you redirect to the secure hostname, and put
> all session data there to start with.

A rough example to see how this would work using CakePHP would be much appreciated.

Thank you.
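One way to implement the "no sessions on the subdomains, redirect to the secure host before writing anything" strategy quoted above, as an added CakePHP 1.x-style example that is not from this thread or from Ryan. It assumes a per-tenant secure hostname of the form subdomain.example.com served over HTTPS, and reuses the Domain::get('Domain.subdomain') call from the original post; $secureActions and the Checkout.referrer session key are invented for the illustration.

```php
<?php
// Added example (not from the original thread). Assumes CakePHP 1.x, a secure
// hostname <subdomain>.example.com served over HTTPS, and Domain::get() from the
// original post. Only the actions in $secureActions ever touch the session, and
// they are forced onto the secure host first, so the session cookie is only ever
// created there, whatever host (www.userowndomain.com, plain http) we came from.
class AppController extends Controller {
    var $components = array('Cookie', 'Session');

    // Hypothetical list: actions that need session data and so must run on the
    // secure host. Everything else stays session-free on the tenant's own domain.
    var $secureActions = array('checkout', 'order');

    function beforeFilter() {
        $subdomain   = Domain::get('Domain.subdomain');
        $secureHost  = $subdomain . '.example.com';
        $currentHost = env('HTTP_HOST');
        $isHttps     = (env('HTTPS') == 'on');

        // Scope the Cookie component to the current host only (no leading dot),
        // so subdomain1.example.com and subdomain2.example.com never share it.
        // The session cookie is host-only as well unless you deliberately set
        // its domain to example.com, which is the trade-off Ryan described.
        $this->Cookie->name   = $subdomain;
        $this->Cookie->domain = $currentHost;
        $this->Cookie->time   = '365 days';
        $this->Cookie->secure = $isHttps;   // never send it back over plain http

        if (in_array($this->action, $this->secureActions)) {
            // Session-bearing action: get onto https on the canonical host
            // BEFORE anything is written, so no session is ever started on
            // www.userowndomain.com or over http. redirect() exits by default.
            if ($currentHost != $secureHost || !$isHttps) {
                $this->redirect('https://' . $secureHost . $this->here);
            }
            // Now safely on the secure host: first (and only) session write.
            if (!$this->Session->check('Checkout.referrer')) {
                $this->Session->write('Checkout.referrer', $currentHost);
            }
        }
    }
}
```

The redirect loses any state the visitor had on the vanity domain, which is exactly the point of the strategy: nothing session-worthy is collected there, so there is nothing to transfer.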
