Kiaora Team,
I just discovered something interesting/important:
- Use a separate cookie name (using the name attribute of the <forms> element) and path for each Web application. This will ensure that users who are authenticated against one application are not treated as authenticated when using a second application hosted by the same Web Server.
- Building Secure ASP.NET Applications
- Patterns and Practices
So, this means that my web.config should look like this from now on:
<authentication mode="Forms">
  <forms name="StanleyAuth"
         path="/"
         protection="Encryption">
  </forms>
</authentication>
<authorization>
  <deny users="?"/>
</authorization>
Blessings,
James.
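The quoted guidance applied to two applications on one server, as an added example that is not part of the original post (AppOne, AppTwo and both cookie names are hypothetical). Each cookie is scoped to its own application's path instead of "/", which would send it to every application on the host, and protection="All" is used so the ticket is validated as well as encrypted.

```xml
<!-- Constructed example: two applications hosted on the same Web server.
     AppOne, AppTwo and the cookie names are hypothetical. -->

<!-- File: /AppOne/web.config -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Unique cookie name, and a path limited to this application,
           so the browser never sends this ticket to /AppTwo.
           protection="All" encrypts the ticket and validates its integrity. -->
      <forms name="AppOneAuth"
             path="/AppOne"
             protection="All" />
    </authentication>
    <authorization>
      <!-- "?" means anonymous users: they are denied and redirected to log in. -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

<!-- File: /AppTwo/web.config -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Different name and path: a ticket issued by AppOne is neither
           sent to nor recognised by this application. -->
      <forms name="AppTwoAuth"
             path="/AppTwo"
             protection="All" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

Browsers match cookie paths case-sensitively, so links into each application need the same casing as its path value or the ticket will not be sent.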