We have a bunch of separate microsites hosting book extras content, all running in subdomains of a publisher's website. Each site is independently secured with .NET membership. A colleague of mine (Richard!) noticed after putting up the second site that logging into one also gave access to the other.
The fix was simple. Because cookies are domain-wide, the first auth cookie was being set and then picked up by all the other sites on that domain. The fix, as detailed in the Microsoft Patterns and Practices Forms Authentication doc, is to specify a distinct cookie name per application.
Use unique name and path attribute values on the <forms> element as follows.
<forms name="YourAppName" path="/FormsAuth" ... />
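One way to audit a group of sites for this collision, as an added example that is not from the original post or the Microsoft doc: it reads each site's web.config, applies the ASP.NET defaults (`.ASPXAUTH` and `/`) when `name` or `path` is omitted, and reports cookie names used by more than one site. The site names and config contents are constructed; the script assumes an un-namespaced, top-level `<system.web>` section.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# ASP.NET defaults that apply when <forms> omits the attributes.
DEFAULT_NAME, DEFAULT_PATH = ".ASPXAUTH", "/"

def _wrap(auth_section):
    """Build a minimal web.config around an <authentication> section."""
    return "<configuration><system.web>" + auth_section + "</system.web></configuration>"

# Constructed sample configs (hypothetical site names), embedded so this runs offline.
SAMPLE_CONFIGS = {
    "extras-a": _wrap('<authentication mode="Forms"><forms loginUrl="~/Login.aspx" /></authentication>'),
    "extras-b": _wrap('<authentication mode="Forms"><forms loginUrl="~/SignIn.aspx" /></authentication>'),
    "extras-c": _wrap('<authentication mode="Forms"><forms name="ExtrasC" path="/FormsAuth" /></authentication>'),
    "static-d": _wrap('<authentication mode="None" />'),
}

def forms_cookie(config_xml):
    """Return (name, path) of the forms auth cookie, or None if Forms auth is off."""
    auth = ET.fromstring(config_xml).find("system.web/authentication")
    if auth is None or auth.get("mode", "").lower() != "forms":
        return None
    forms = auth.find("forms")
    attrs = forms.attrib if forms is not None else {}
    return attrs.get("name", DEFAULT_NAME), attrs.get("path", DEFAULT_PATH)

def find_collisions(configs):
    """Map each cookie name used by two or more sites to [(site, path), ...]."""
    by_name = defaultdict(list)
    for site, config_xml in sorted(configs.items()):
        cookie = forms_cookie(config_xml)
        if cookie:
            name, path = cookie
            # Names are compared case-insensitively as a conservative choice.
            by_name[name.lower()].append((site, path))
    return {name: sites for name, sites in by_name.items() if len(sites) > 1}

if __name__ == "__main__":
    for name, sites in find_collisions(SAMPLE_CONFIGS).items():
        print(f"auth cookie {name!r} is shared by:")
        for site, path in sites:
            print(f"  {site} (path={path})")
```
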