I just discovered something interesting/important:
- Use a separate cookie name (using the name attribute of the <forms> element) and path for each Web application. This will ensure that users who are authenticated against one application are not treated as authenticated when using a second application hosted by the same Web Server.
- Building Secure ASP.NET Applications
- Patterns and Practices
So, this means that my web.config should look like this from now on:
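An added example of such a configuration (not the author's own file; the cookie name `.App1Auth`, the path `/App1` and the login page `login.aspx` are assumed values for a hypothetical application), with the defaults noted for comparison:

```xml
<!-- Added example; application name, path and login page are hypothetical. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!--
        Defaults when omitted: name=".ASPXAUTH" and path="/".
        With the defaults, every application on the same host uses the same
        cookie name, and the browser sends that cookie to all of them.
        A distinct name and path per application keeps each cookie scoped
        to the application that issued it.
      -->
      <forms name=".App1Auth"
             path="/App1"
             loginUrl="login.aspx"
             protection="All"
             timeout="30" />
    </authentication>
    <authorization>
      <!-- Require authentication for every request to this application. -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

Browsers match cookie paths case-sensitively, so links into the application must use the same casing as the `path` value or the cookie is not sent.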