Choosing which domain to secure
We've got a website that is served on both www.example.com and just example.com - we've never done any sort of forcing users from one domain to the other, so if they land on example.com then that's where they stay, and I'm guessing that of those who bookmark our pages they'd be about a 50/50 split (there was an issue earlier on where some of our material omitted the WWW and years later we're still noticing a traffic split).
We're now adding SSL. We're not forcing SSL until the user hits the login or register page. Which domain should we run our SSL on?
www.example.com
example.com
secure.example.com
Something else?
I've done plenty of SSL sites before, but they were always designed with SSL in mind, and we always forced the www subdomain.
Are there pros and cons of doing it any of those ways? My primary concern is about the recognition of cookies, but seeing as we're forcing SSL on logon, the session cookie will be written on the SSL'd domain anyway. My primary concern is for people who might go to example.com when we're running the site on www.example.com, etc.
Another question would be, "Should I rewrite those who land on the non-www site to the WWW site?"
2 Comments
I usually go with secure.domain.com because it gives me more flexibility as far as administration. For instance, I can put that subdomain on another server, behind some better IDS/IPS gear and possibly attach it to a private network that I don't want the web servers touching.
It's a good place to park multi-purpose things, such as:
secure.domain.com/checkout/
secure.domain.com/portal/
secure.domain.com/support/
... etc.
Personally I just use DigiCert's SSL Plus certificate, which works with www.example.com and example.com. As in your other question, I would still send everyone to example.com because it makes life easier later on. Doing this now will also give you the opportunity to use something like secure.example.com later on.
I usually add code to detect if users are running HTTP when they should be running HTTPS and redirect them. I find this usually only happens during login, but depending on the site, it could happen other times too.
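The redirect check discussed in this thread, as an added example that is not part of the original posts: it sends every request to one canonical host, forces HTTPS only on the login and register pages in a single hop, and refuses to build a redirect from a host it does not serve. The choice of www.example.com as the canonical host, the path prefixes, and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumptions for this sketch (not from the original posts):
CANONICAL_HOST = "www.example.com"        # the single host users end up on
KNOWN_HOSTS = {"example.com", "www.example.com"}
HTTPS_PREFIXES = ("/login", "/register")  # pages the question says are forced to SSL


def needs_https(path):
    """True when the path is one of the pages that must be served over HTTPS."""
    return any(path == p or path.startswith(p + "/") for p in HTTPS_PREFIXES)


def redirect_target(url):
    """Return the URL to 301 to, or None if the request is already canonical.

    Raises ValueError for a host we do not serve, so a client-supplied
    Host header is never echoed back into a Location header.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in KNOWN_HOSTS:
        raise ValueError("unrecognised host: %r" % host)
    # Never downgrade an HTTPS request; upgrade only where required.
    if parts.scheme == "https" or needs_https(parts.path):
        scheme = "https"
    else:
        scheme = "http"
    if scheme == parts.scheme and host == CANONICAL_HOST:
        return None
    # Host and scheme are corrected in one hop; path and query carry over.
    return urlunsplit((scheme, CANONICAL_HOST, parts.path or "/", parts.query, ""))


def session_cookie(session_id):
    """Set-Cookie value for the login session.

    No Domain attribute, so the cookie is host-only: it is sent to
    www.example.com but not to example.com, which is why every visitor
    has to be moved to the canonical host before logging in.
    """
    return "session=%s; Path=/; Secure; HttpOnly" % session_id
```

Swapping `CANONICAL_HOST` to the bare domain works the same way, provided the certificate covers both names so the redirect from the other host does not raise a browser warning.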