
We've got a website that is served on both www.example.com and just example.com - we've never done any sort of forcing users from one domain to the other, so if they land on example.com then that's where they stay, and I'm guessing that among those who bookmark our pages there'd be about a 50/50 split (there was an issue earlier on where some of our material omitted the WWW and years later we're still noticing a traffic split).

We're now adding SSL. We're not forcing SSL until the user hits the login or register page. Which domain should we run our SSL on?

  • www.example.com
  • example.com
  • secure.example.com
  • Something else?

I've done plenty of SSL sites before, but they were always designed with SSL in mind, and we always forced the www subdomain.

Are there pros and cons of doing it any of those ways? My primary concern is about the recognition of cookies, but seeing as we're forcing SSL on logon, the session cookie will be written on the SSL'd domain anyway. My primary concern is for people who might go to https://example.com when we're running the site on https://www.example.com, etc.

Another question would be, "Should I rewrite those who land on the non-www site to the WWW site?"

Simon Hayter
Mark Henderson
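The cookie concern in the question (a session cookie written on https://www.example.com versus a visitor who bookmarked https://example.com) can be checked directly rather than guessed at. The script below is an added example, not code from the question or either answer: it uses the standard library's http.cookiejar, whose default policy applies the same host/domain and Secure-attribute rules a browser does, to show where a cookie set by the login page is and is not sent. The hostnames, paths and the cookie value are made-up illustrations.

```python
"""Which host actually receives the session cookie?

Added example (not part of the original question or answers). The hosts,
paths and the cookie value are invented for illustration.
"""
import email.message
import http.cookiejar
import urllib.request


class _Response:
    """Minimal stand-in for an HTTP response: cookiejar only needs .info()."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value   # Message appends, so several work

    def info(self):
        return self._headers


def cookie_header_for(set_url, set_cookie, request_url):
    """Store `set_cookie` as if `set_url` had returned it, then report the
    Cookie header a client would send to `request_url` (None if none is sent)."""
    jar = http.cookiejar.CookieJar()            # default, browser-like policy
    jar.extract_cookies(_Response([set_cookie]), urllib.request.Request(set_url))
    req = urllib.request.Request(request_url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


# Session cookie as a login page on www would normally set it: host-only
# (no Domain attribute), Secure, HttpOnly. Value is made up.
HOST_ONLY = "sid=abc123; Path=/; Secure; HttpOnly"
# The same cookie widened to the registrable domain.
DOMAIN_WIDE = HOST_ONLY + "; Domain=example.com"
LOGIN = "https://www.example.com/login"


def scenarios():
    """Return {description: Cookie header or None} for the cases in the question."""
    return {
        "host-only, same host over https":
            cookie_header_for(LOGIN, HOST_ONLY, "https://www.example.com/account"),
        "host-only, bare domain over https":
            cookie_header_for(LOGIN, HOST_ONLY, "https://example.com/account"),
        "host-only, same host over plain http":
            cookie_header_for(LOGIN, HOST_ONLY, "http://www.example.com/account"),
        "Domain=example.com, bare domain over https":
            cookie_header_for(LOGIN, DOMAIN_WIDE, "https://example.com/account"),
        "Domain=example.com, any other subdomain":
            cookie_header_for(LOGIN, DOMAIN_WIDE, "https://blog.example.com/"),
    }


if __name__ == "__main__":
    for case, header in scenarios().items():
        print(f"{case:45} -> {header}")
```

Two things fall out of the run. A cookie set without a Domain attribute is host-only: www.example.com and example.com are different hosts, so a user who logs in on one and later opens a bookmark for the other is simply not logged in there. Adding Domain=example.com fixes that, but it also sends the session cookie to every other subdomain (blog, dev, anything a third party happens to run under example.com), which is the main argument for picking one canonical host and redirecting to it instead of widening the cookie. The Secure attribute is what keeps the cookie off plain http, so the post-login pages have to stay on https or the cookie never arrives.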

2 Answers


I usually go with secure.domain.com because it gives me more flexibility as far as administration. For instance, I can put that subdomain on another server, behind some better IDS/IPS gear and possibly attach it to a private network that I don't want the web servers touching.

It's a good place to park multi-purpose things, such as:

  • secure.domain.com/checkout/
  • secure.domain.com/portal/
  • secure.domain.com/support/

... etc.

Tim Post

Personally I just use DigiCert's SSL Plus certificate, which does both example.com and www.example.com. As in your other question, I would still send everyone to www.example.com because it makes life easier later on. Doing this now will also give you the opportunity to use something like secure.example.com later on.

I usually add code to detect if users are running HTTP when they should be running HTTPS and redirect them. I find this usually only happens during login, but depending on the site, it could happen other times too.

Darryl Hein
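The two pieces of advice in the answer above (send everyone to www, and redirect HTTP to HTTPS on the pages that need it) are easy to implement as one decision so that a stale http://example.com/login bookmark takes a single redirect hop rather than two. The code below is an added example written for this page, not code from the answer or from any particular server; the canonical host, the set of accepted hosts and the list of TLS-only path prefixes are made-up assumptions.

```python
"""Canonical-host plus forced-HTTPS redirect in one hop (added example).

Not code from the question or answers. CANONICAL_HOST, KNOWN_HOSTS and
TLS_ONLY_PREFIXES are assumptions for the example.
"""

CANONICAL_HOST = "www.example.com"
# Only hosts we actually serve are canonicalised; a request carrying any other
# Host header is left for the application (or the default vhost) to reject.
KNOWN_HOSTS = {"example.com", "www.example.com"}
# Path prefixes that must be served over TLS even before the user logs in.
TLS_ONLY_PREFIXES = ("/login", "/register")


def needs_tls(path):
    """True if `path` (no query string) is one of the TLS-only pages."""
    return any(path == p or path.startswith(p + "/") for p in TLS_ONLY_PREFIXES)


def redirect_for(scheme, host, path_qs):
    """Decide whether a request should be redirected.

    scheme  -- "http" or "https" as the server sees it
    host    -- the Host header, possibly with a port
    path_qs -- the request target, e.g. "/login?next=/account"

    Returns (301, location) or None. Host and scheme fixes are combined so a
    request needs at most one redirect. Once a client is on https it is kept
    there (no downgrade), since the Secure session cookie is useless on http.
    """
    host = host.split(":", 1)[0].lower()
    if host not in KNOWN_HOSTS:
        return None
    path, sep, query = path_qs.partition("?")
    if not path.startswith("/"):
        path = "/" + path
    target_scheme = "https" if scheme == "https" or needs_tls(path) else "http"
    if host == CANONICAL_HOST and target_scheme == scheme:
        return None
    # The host is a constant, so a path such as "//attacker.example" cannot
    # turn this into an open redirect.
    return 301, f"{target_scheme}://{CANONICAL_HOST}{path}{sep}{query}"


def canonical_redirect_middleware(app):
    """WSGI wrapper that applies redirect_for() before the real app runs.

    Behind a TLS-terminating proxy the proxy must set wsgi.url_scheme (or the
    server must derive it from a trusted forwarded header) for this to see
    https requests as https.
    """
    def wrapped(environ, start_response):
        host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "")
        path_qs = environ.get("PATH_INFO", "/")
        if environ.get("QUERY_STRING"):
            path_qs += "?" + environ["QUERY_STRING"]
        decision = redirect_for(environ.get("wsgi.url_scheme", "http"), host, path_qs)
        if decision is None:
            return app(environ, start_response)
        status, location = decision
        start_response(f"{status} Moved Permanently",
                       [("Location", location), ("Content-Length", "0")])
        return [b""]
    return wrapped


if __name__ == "__main__":
    for args in (("http", "example.com", "/about"),
                 ("http", "example.com", "/login?next=/account"),
                 ("http", "www.example.com", "/register"),
                 ("https", "www.example.com", "/login")):
        print(args, "->", redirect_for(*args))
```

Using a permanent (301) redirect for the www canonicalisation is what eventually fixes the bookmark split the question describes, since browsers cache it; the same redirect answers the "should I rewrite non-www to www" question in the affirmative, and it is also the cleanest way to keep the Secure session cookie on exactly one host.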