by ghosh on 10/2/20, 7:49 AM with 1 comments
by dmlittle on 10/4/20, 5:38 AM
From a security point of view scoping your cookies to a sub-domain means that other services in other subdomains might not have access to them (depending on how you set them). If you store the cookies at abc.com then any subdomain will have access to the cookies stored in abc.com and you might not want that. As an aside, cookie security is one of the reasons why companies usually have a separate domain for user-submitted assets/media.
You have separate services for your e-commerce platform and your main marketing website and you host them in separate domains. This is why sometimes you see abc.com and dashboard.abc.com or app.abc.com. This is not a technical limitation as you could have path-based routing to each individual service, but if you don't already have that functionality, hosting each service in each domain is easier/simpler.
(A combination of the 2 above) Your marketing website might be hosted by a third-party website builder and since you don't fully control what they serve you want to make sure that cookies by your platform aren't accessible to the third-party vendor. If you're proxying the requests you can strip the cookies but that's a pain that might not be worth introducing if you're OK with having separate domains.
You like having separate subdomains because it makes it seem more "professional" ¯\_(ツ)_/¯
You don't want the SEO of one service to be bundled with the other.
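
The scoping difference the comment above refers to ("depending on how you set them"), as an added example that is not part of the original thread: a simplified model of the RFC 6265 host-only and domain-match rules, showing which hosts get a cookie back with and without a `Domain` attribute. The function names and the host list are illustrative, and public-suffix checks are left out.

```javascript
// Simplified model of RFC 6265 cookie host scoping (sections 5.1.3 and 5.3).
// Public-suffix rejection (e.g. Domain=com) is deliberately left out.

function domainMatch(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const dom = cookieDomain.toLowerCase();
  if (host === dom) return true;
  // Suffix matches count only on a label boundary and never for IP literals.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + dom);
}

// Extract the parts of a Set-Cookie header that decide which hosts see it.
function storeCookie(setCookieHeader, originHost) {
  const [pair, ...attrs] = setCookieHeader.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  let domain = null;
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    if (eq === -1 || attr.slice(0, eq).trim().toLowerCase() !== "domain") continue;
    const value = attr.slice(eq + 1).trim().replace(/^\./, "").toLowerCase();
    if (value) domain = value;
  }
  // No Domain attribute: host-only cookie, returned to the exact origin host.
  if (domain === null) return { name, domain: originHost.toLowerCase(), hostOnly: true };
  // A server may only name its own host or a parent; siblings are rejected.
  if (!domainMatch(originHost, domain)) return null;
  return { name, domain, hostOnly: false };
}

function isSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

function recipients(setCookieHeader, originHost, hosts) {
  const cookie = storeCookie(setCookieHeader, originHost);
  return hosts.filter((h) => isSentTo(cookie, h));
}

// Constructed host list; abc.com is the example domain used in the thread.
const HOSTS = ["abc.com", "app.abc.com", "dashboard.abc.com", "notabc.com"];

console.log(recipients("session=s1; Secure; HttpOnly", "app.abc.com", HOSTS));
console.log(recipients("session=s1; Domain=abc.com; Secure", "app.abc.com", HOSTS));
console.log(storeCookie("session=s1; Domain=dashboard.abc.com", "app.abc.com"));
```

For a session cookie that only one service needs, leaving `Domain` off keeps it host-only; the `__Host-` name prefix additionally makes browsers that support it refuse the cookie if a `Domain` attribute is present.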