Last post Jul 02, 2014 06:31 AM by davidrobin
Jun 23, 2014 09:20 AM|davidrobin|LINK
Using VS2010 I created an MVC4 web application that uses simplemembership for forms authentication. On the log in form is a Remember Me check box which when ticked persists the authentication cookie (Standard AccountController code from Internet Application
So at this stage I have remembered my authentication when logging in to this first application.
Now I have created a second application in VS2010, again an Internet application template with SimpleMembership. When I run this second application I am authenticated straight away, from the log in credentials entered in the first application. In my view
Request.IsAuthenticated = true and User.Identity.Name is the username from the other app.
This seems really insecure. Does this have anything to do with:
Jun 23, 2014 09:41 AM|AidyF|LINK
It's cookie based so if the two sites are on the same domain they'll share each other's cookies.
Jun 23, 2014 09:49 AM|davidrobin|LINK
So does having 2 sites on localhost with different port numbers
constitute the same domain?
Are there any additional config settings I can put in place (cookie names etc) to make the authentication more unique?
Jun 23, 2014 10:04 AM|AidyF|LINK
The port is part of the "domain" so it should have two different cookies for each of those sites. It might be worth looking at the cookie tools of the browser to get a better idea of what is going on.
Jun 23, 2014 10:52 AM|davidrobin|LINK
I was sure the port would make the domain unique, but because of what is happening I started to doubt what I knew.
Now, according to the Chrome Dev tools (Resources menu, Cookies (Right Men)) the domain is localhost. No mention of the port which to me still leaves some doubt.
I will have to set up the 2 sites in IIS (like they will be for production) and see if I get the same result.
Jul 02, 2014 06:31 AM|davidrobin|LINK
For anyone finding this question the issue seems to be resolved by adding a domain attribute to the forms element in the config file
<forms loginUrl="~/Account/Login" timeout="2880" enableCrossAppRedirects="false" domain=".mydomain.com" />
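As an added illustration (not part of the thread, and not the poster's own configuration), the following is the <forms> element for each of the two applications, written so that their authentication cookies cannot be confused with one another. The cookie issued by forms authentication is scoped to the host name only, not to the port, so two applications served from localhost on different ports present the same cookie to the browser unless they use different cookie names; the `name` attribute is a standard attribute of <forms> and is the setting that keeps the two cookies apart. The `domain` value is a placeholder: a leading-dot domain such as ".mydomain.com" makes the cookie available to every host under that domain, so it widens rather than narrows where the cookie is sent.

```xml
<!-- Web.config of the FIRST application (added example; app name and domain are placeholders) -->
<system.web>
  <authentication mode="Forms">
    <!-- A cookie name unique to this application, so a ticket from the other
         application is never read as this application's ticket. -->
    <forms name=".APP1AUTH"
           loginUrl="~/Account/Login"
           timeout="2880"
           enableCrossAppRedirects="false"
           requireSSL="true"
           domain=".mydomain.com" />
  </authentication>
</system.web>

<!-- Web.config of the SECOND application (added example) -->
<system.web>
  <authentication mode="Forms">
    <!-- Different cookie name: the two sites now set and read distinct cookies
         even when the browser sees them on the same host. -->
    <forms name=".APP2AUTH"
           loginUrl="~/Account/Login"
           timeout="2880"
           enableCrossAppRedirects="false"
           requireSSL="true"
           domain=".mydomain.com" />
  </authentication>
</system.web>
```

To confirm the separation, sign in to one application and check the browser's cookie list: each site should now hold its own cookie under its own name, and the other application should report Request.IsAuthenticated as false until the user signs in there as well. `requireSSL="true"` is added here because it is the usual production setting for a persisted authentication cookie; drop it only while testing over plain HTTP.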