Reputation: 20952
I have a domain - say www.domainname.com.
I'm now putting in an Admin Page - to Administer operations that happen on the site.
I don't want to use another new domain name and CURL etc so I think I have these 2 choices:
www.domainname.com/admin
www.admin.domainname.com
Note: I won't use the name 'admin'.
Speaking of security, is there a preference for either?
Note: I need to access the same DB without CURL and will use SSL (not sure if this affects a subdomain at all).
Any Advice?
thx
Upvotes: 1
Views: 131
Reputation: 35590
There is a notable difference, in security terms, between the two. The reason is because of the impact of XSS attacks and cookie scoping.
If http://www.domainname.com/ were to have a cross-site scripting vulnerability, an attacker could steal the cookies of the users and perform additional attacks (keylogging, history snooping, redirection to phishing/attack sites).
Now, if the admin area of the site was hosted at http://www.domainname.com/admin/ then the admin users (and the admin functionality) could also be attacked through the XSS flaw in the user area.
However, if the admin area was hosted on a completely different domain such as http://admin.domainname.com, then because of JavaScript same-origin policy and cookie scoping rules, the admin area cannot be attacked if there is an XSS flaw in the user area.
Please note that if you go for http://www.domainname.com/ and http://admin.domainname.com/, be sure to always serve the user area with the www. prefix. If you serve the user area of the site from http://domainname.com and allow the cookie scope to be .domainname.com then you will still be exposing admin area cookies to the user area of the site.
Upvotes: 2
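The cookie scoping rules the answer above relies on, as an added example that is not part of the original answer: a simplified model of RFC 6265 domain matching, run over the answer's hostnames. The cookie name `admin_session` and all function names are assumptions; Path, Secure and public-suffix handling are not modelled.

```javascript
// RFC 6265 section 5.1.3: a host domain-matches a cookie domain when the two
// are identical, or when the host ends with "." + domain.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Model of how a browser stores a cookie set by `setterHost`.
// `domainAttr` is the Domain attribute of Set-Cookie, or null when absent.
// Returns null when the browser would reject the cookie.
function storeCookie(name, setterHost, domainAttr) {
  if (domainAttr === null || domainAttr === "") {
    // No Domain attribute: host-only cookie, bound to the exact setting host.
    return { name, domain: setterHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, "").toLowerCase(); // leading dot ignored
  if (!domainMatches(setterHost, domain)) return null; // foreign domain: rejected
  return { name, domain, hostOnly: false };
}

// Would the browser attach this cookie to a request for `requestHost`?
function isSentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatches(host, cookie.domain);
}

// Constructed scenarios using the hostnames from the answer.
function scenarios() {
  const sameHost = storeCookie("admin_session", "www.domainname.com", null);
  const hostOnly = storeCookie("admin_session", "admin.domainname.com", null);
  const wide = storeCookie("admin_session", "admin.domainname.com", ".domainname.com");
  return {
    // Admin under /admin on www: the cookie is in scope for the host that
    // also serves the user area.
    sameHost: isSentTo(sameHost, "www.domainname.com"),
    // Host-only cookie on the admin subdomain: never sent to the user area.
    separateSubdomain: isSentTo(hostOnly, "www.domainname.com"),
    // Domain=.domainname.com: sent to www and to the bare domain as well.
    wideToWww: isSentTo(wide, "www.domainname.com"),
    wideToApex: isSentTo(wide, "domainname.com"),
    // The user host cannot set a cookie scoped to the admin host.
    crossSibling: storeCookie("x", "www.domainname.com", "admin.domainname.com"),
  };
}

console.log(scenarios());
```

The safe row is `separateSubdomain`: the admin cookie is set without a Domain attribute, so it stays on admin.domainname.com only.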
Reputation: 16244
You can configure the httpd.conf file to access the admin part with your desired domain. You can go with virtual host creation.
Refer Virtual Host
Refer This as well Virtual Host Creation
Upvotes: 2