2

I'm building the frontend marketing website for a web application. The frontend is WordPress on one server and the app is on another. We will set a cookie for users who are already customers. For returning customers, when they go to www.company.com, they should go to the web app. For new visitors without the cookie, when they go to www.company.com, they should go to the WordPress site. How do I do this?

The web app is probably on nginx, but possibly Apache. The WordPress site will probably be on Apache. I'm wondering whether I should use DNS, nginx, htaccess, or PHP to determine how to send visitors to one server vs. the other.

Joe Fletcher
  • I guess using PHP or some other scripting language to catch all requests, read the cookie, and redirect to either would be the simplest solution. You could also proxy the sites but I guess you're likely to run into all sorts of problems. I wouldn't go for your idea. Running them side by side for a while with different URLs would save your customers quite some confusion! – Louis Somers Oct 08 '12 at 23:05
  • You are approaching this problem from a software perspective (i.e. a cookie) rather than using standard infrastructure to handle the request. – Brent Pabst Oct 09 '12 at 13:28

2 Answers

1

Typically, the web server would front the application. The application would exist on a path different from the site root, for instance http://www.example.com/app. It is also possible to use a different domain name for the application. This provides some isolation of the application from the Internet. The web server can also serve up static content for the application such as graphic, JavaScript, and CSS files.

WordPress on Apache handles this quite well. I have a variety of non-WordPress content in paths mixed with a WordPress site.

Consider using the Apache security plugins to edit the requests being passed back to the application. It is also a good idea to limit the URLs being passed back to the application.

BillThor
1

In general using cookies to store things like this is a BAD idea. What if your users don't allow cookies or they clear them? Do they have to know or will they have an idea as to where they should go to access your application?

The better solution is this:

  1. Set up two different DNS entries, one for WWW.mycompany.com and another for MYAPP.mycompany.com.
  2. On your primary website (www) include a quick and easy link on the page to redirect to the application.

Users who are "smart" will bookmark the application's login page once they get there if they really want to remember it. It simply doesn't make sense to try and handle this sort of logic and validation on your end since you can never be 100% sure who is and who is not a customer of yours.

Brent Pabst
  • "What if your users don't allow cookies […]?" — what's your estimate of such a probability, BTW? How many sites do you see nowadays which would work just fine w/o using cookies? As for me, it's not an argument at all. – poige Oct 09 '12 at 15:23
  • From a [simple web search](http://smorgasbork.com/component/content/article/84-a-study-of-internet-users-cookie-and-javascript-settings) that number is about 10% that disable cookies and/or JS. The point of modern web design is to be unobtrusive, this design by the OP is OBTRUSIVE! – Brent Pabst Oct 09 '12 at 15:35
  • I wouldn't care. Those who turn cookies off should know what they're doing. – poige Oct 09 '12 at 15:56
  • Those who don't have cookies set would expect to re-login anyway, so at 10%, that is a pretty minor issue, so the cookie approach is fine. – Joe Fletcher Oct 09 '12 at 16:54
  • There's a difference between a persistent logon token and a cookie to simply handle redirection. You didn't mention any of that in your initial post. If that's the case there should be NO way for your front-end to decipher or read that cookie as only your application should have the proper encryption key to then read the token. – Brent Pabst Oct 09 '12 at 17:21
  • Sorry, I just realized I didn't mention that. There is a persistent logon cookie. I'm not saying my frontend needs to read it. All I'm saying is: if a logged-on user (based on cookie) goes to www.company.com, they go to the app, e.g., www.company.com/myapp. If they are not logged in, www.company.com is the homepage and they can peruse the entire WordPress site. Is there a way to do this? – Joe Fletcher Oct 09 '12 at 17:24
  • The question is where does the validation of that cookie happen? If it is at the front-end server then yes, you need to add logic at the front-end to read the token and redirect accordingly. If you don't validate until you get to the application you simply need to check for the existence of that cookie. The problem you run into here is that the application that issued the cookie will not be the application that checks for the same cookie which may cause some issues with certain browsers as that is restricted for security reasons. There's really no way to do this cleanly, hence my answer. – Brent Pabst Oct 09 '12 at 17:28
  • Ok, so let me see if I get this correctly. User comes to www.company.com. The homepage reads the cookie if it exists and redirects to /myapp. Correct? I see your point about the different application creating vs. reading. If there's a better way, I'm open to it, but I haven't seen or understood what that way is yet, hence my original question, how do I do that? DNS? htaccess? etc. – Joe Fletcher Oct 09 '12 at 17:40
  • That's one way, the other is manual, the user clicks on a button on your homepage that says `logon` and the token would instantly be read and they would be logged on, it also gets them in the habit of going directly to the app in the future. – Brent Pabst Oct 09 '12 at 17:41
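
The setup discussed in both answers and the comment thread above (Apache fronting the application on a path, and a front end that only checks whether the logon cookie exists), as an added example that is not part of the original thread. The cookie name `app_session` and the backend address `app.internal.example:8080` are assumptions; `/myapp` and `www.company.com` come from the question.

```apache
# Added example: goes inside the www.company.com virtual host that serves
# WordPress. Requires mod_rewrite, mod_proxy and mod_proxy_http.
# Assumed names: cookie "app_session", backend app.internal.example:8080.

RewriteEngine On

# Routing hint only. The front end tests that the logon cookie is present
# and non-empty; it holds no key and never decodes or trusts the value.
# The application behind /myapp/ still validates the token on every request.
RewriteCond %{HTTP_COOKIE} (^|;\s*)app_session=[^;]+
# Only the bare site root is redirected, so a logged-on customer can still
# browse the rest of the WordPress site. 302 keeps browsers from caching
# the redirect permanently after the cookie is gone.
RewriteRule ^/?$ /myapp/ [R=302,L]

# Caveats a deployment has to handle outside this file:
#  - The application must set the cookie with Path=/ on this host name,
#    otherwise the browser will not send it with the request for "/".
#  - When the application rejects a stale or forged cookie it must expire
#    the cookie before sending the user back to "/", or the two redirects
#    form a loop.
#  - Any shared cache or CDN in front must not store the response for "/"
#    across cookie states.

# Never act as an open forward proxy.
ProxyRequests Off

# Pass only the application's own path prefix to the backend, as the first
# answer recommends; every other URL stays with WordPress.
ProxyPass        "/myapp/" "http://app.internal.example:8080/myapp/"
ProxyPassReverse "/myapp/" "http://app.internal.example:8080/myapp/"
```

A request carrying a made-up `app_session` value is still redirected to `/myapp/`; that is expected, because the redirect grants nothing and the application decides whether the token is valid.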