cake-php@googlegroups.com

Re: how to use ssl to secure subdomains of a cakephp app

Subject: Re: how to use ssl to secure subdomains of a cakephp app
From: Ryan Schmidt
Date: Sat, 25 Dec 2010 15:22:17 -0600
> On Dec 24, 2010, at 18:06, Zeu5 wrote:
> 
>> Do I
>> 
>> a)
>> create a separate subdomain such that all visitors to the different
>> subdomains are redirected to it?
>> 
>> eg, visitors at subdomain1.example.com or subdomain2.example.com will
>> ALL be directed to https://secure.example.com/orders/checkout when
>> they run the orders/checkout action

The problem with this is figuring out how to transfer session data that you've 
already started at subdomainx.example.com to secure.example.com. You could set 
the session domain to example.com; that may be the cleanest option, though this 
contradicts best practices for reducing cookie transmissions for resources that 
don't need them, i.e.:

http://developer.yahoo.com/performance/rules.html#cookie_free

An alternative is to try to pass the session ID via a URL parameter, but making 
this option available in your site probably decreases your site's security; 
there are reasons why PHP no longer defaults to propagating session IDs that 
way.

Another strategy to consider is just not using sessions on any of the 
subdomains at all. If you come to a point where you need to put data into the 
session, that's the time when you redirect to the secure hostname, and put all 
session data there to start with.


>> OR
>> 
>> b)
>> 
>> all the visitors at subdomain1.example.com are directed to
>> https://subdomain1.example.com/orders/checkout
>> 
>> all the visitors at subdomain2.example.com are directed to
>> https://subdomain2.example.com/orders/checkout

On Dec 24, 2010, at 19:17, Matt Murphy wrote:

> Unless you have a wildcard cert, you'll have to use method a.  Obviously, the 
> wildcard cert solution would be way sexier (enabling method b), but those 
> things are expensive.

Well, you either buy a wildcard SSL certificate that covers all the subdomains 
of your domain, or you buy an individual regular SSL certificate for each 
subdomain. One popular SSL certificate provider whose web site I just checked 
charges $60/yr for a regular SSL certificate that covers one subdomain, or 
$200/yr for a wildcard SSL certificate that covers unlimited subdomains on a 
domain. Clearly, at these prices, if you need to protect 4 or more subdomains, 
a wildcard SSL certificate is the cheaper option.

Wildcard SSL certificates are a newer feature, so they won't work with older 
browsers. Not sure what browsers fall under this definition of "older"; you'd 
have to research and see if you care about those browsers.



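The third strategy in the message above (no session on the subdomains, redirect to the secure hostname and start the session there) in plain PHP. This is an added example, not part of the original thread; `SECURE_HOST` and the function names are assumptions, and it uses PHP's built-in session functions rather than CakePHP's own session configuration.

```php
<?php
// Added example: names below are assumptions, not code from the thread.
const SECURE_HOST = 'secure.example.com'; // the single HTTPS host from option (a)

// True when the current request arrived over HTTPS.
function is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// URL to redirect to, or null if the request is already on the secure host.
// The target host is a constant; it is never built from the client's Host header.
function secure_redirect_target(array $server): ?string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host); // ignore an explicit port
    if (is_https($server) && $host === SECURE_HOST) {
        return null;
    }
    $path = $server['REQUEST_URI'] ?? '/';
    if ($path === '' || $path[0] !== '/' || strpos($path, '//') === 0) {
        $path = '/'; // only same-site absolute paths are carried over
    }
    return 'https://' . SECURE_HOST . $path;
}

// Start the session only on the secure host, with cookie-only propagation.
function start_secure_session(): void
{
    ini_set('session.use_only_cookies', '1'); // never accept a session ID from the URL
    ini_set('session.use_trans_sid', '0');    // never append the session ID to links
    // Empty domain = host-only cookie: it is not sent to subdomain1/subdomain2.
    // secure = true keeps it off plain HTTP; httponly = true hides it from scripts.
    session_set_cookie_params(0, '/', '', true, true);
    session_start();
}

// Shared-domain variant discussed in the message, for comparison:
//   session_set_cookie_params(0, '/', '.example.com', false, false);
// That cookie goes to every subdomain and, without the secure flag, over plain HTTP.

if (PHP_SAPI !== 'cli') {
    $target = secure_redirect_target($_SERVER);
    if ($target !== null) {
        header('Location: ' . $target, true, 302);
        exit;
    }
    start_secure_session();
}
```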