> On Dec 24, 2010, at 18:06, Zeu5 wrote:
>> Do I
>> create a separate subdomain such that all visitors to the different
>> subdomains are redirected to it?
>> eg, visitors at subdomain1.example.com or subdomain2.example.com will
>> ALL be directed to https://secure.example.com/orders/checkout when
>> they run the orders/checkout action
The problem with this is figuring out how to transfer session data that you've
already started at subdomainx.example.com to secure.example.com. You could set
the session domain to example.com; that may be the cleanest option, though this
contradicts best practices for reducing cookie transmissions for resources that
don't need them, i.e.:

An alternative is to try to pass the session ID via a URL parameter, but making
this option available in your site probably decreases your site's security;
there are reasons why PHP no longer defaults to propagating session IDs that

Another strategy to consider is just not using sessions on any of the
subdomains at all. If you come to a point where you need to put data into the
session, that's the time when you redirect to the secure hostname, and put all
session data there to start with.
>> all the visitors at subdomain1.example.com are directed to
>> all the visitors at subdomain2.example.com are directed to
On Dec 24, 2010, at 19:17, Matt Murphy wrote:
> Unless you have a wildcard cert, you'll have to use method a. Obviously, the
> wildcard cert solution would be way sexier (enabling method b), but those
> things are expensive.
Well, you either buy a wildcard SSL certificate that covers all the subdomains
of your domain, or you buy an individual regular SSL certificate for each
subdomain. One popular SSL certificate provider whose web site I just checked
charges $60/yr for a regular SSL certificate that covers one subdomain, or
$200/yr for a wildcard SSL certificate that covers unlimited subdomains on a
domain. Clearly, at these prices, if you need to protect 4 or more subdomains,
a wildcard SSL certificate is the cheaper option.

Wildcard SSL certificates are a newer feature, so they won't work with older
browsers. Not sure what browsers fall under this definition of "older"; you'd
have to research and see if you care about those browsers.
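
Added example, not part of the original message and not CakePHP's own code: a plain-PHP sketch of the session options discussed in the reply above, with the session ID carried only in a cookie and the session started only on the secure hostname. It assumes PHP 7.3 or later, that PHP sees the TLS connection directly (no TLS-terminating proxy), and the thread's placeholder hostnames; the function names are hypothetical.

```php
<?php
// Assumption: the single HTTPS hostname from the thread's example.
const SECURE_HOST = 'secure.example.com';

/**
 * Start a session whose ID travels only in a cookie, never in a URL.
 * $shareAcrossSubdomains = true is the "session domain = example.com" option:
 * every subdomain then receives the cookie on each HTTPS request.
 * false keeps the cookie host-only, so only SECURE_HOST ever receives it.
 */
function start_checkout_session(bool $shareAcrossSubdomains = false): void
{
    ini_set('session.use_only_cookies', '1'); // ignore session IDs passed in URLs
    ini_set('session.use_trans_sid', '0');    // never rewrite links to carry the ID
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue

    session_set_cookie_params([
        'lifetime' => 0,                      // expires when the browser closes
        'path'     => '/',
        'domain'   => $shareAcrossSubdomains ? 'example.com' : '',
        'secure'   => true,                   // sent over HTTPS only
        'httponly' => true,                   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** Redirect to the fixed secure host unless the request already arrived there over HTTPS. */
function require_secure_host(): void
{
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    $host  = strtolower($_SERVER['HTTP_HOST'] ?? '');
    if (!$https || $host !== SECURE_HOST) {
        // The target is a constant, so a forged Host header cannot steer the redirect.
        header('Location: https://' . SECURE_HOST . '/orders/checkout', true, 302);
        exit;
    }
}

// Checkout entry point: no session exists until the visitor is on the secure host.
require_secure_host();
start_checkout_session();
if (empty($_SESSION['initiated'])) {
    session_regenerate_id(true);              // fresh ID for the new session
    $_SESSION['initiated'] = true;
}
```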