Multiple sites security

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

This is the place to report bugs and get support

When posting in this forum, please try to provide as many relevant details as possible. Particularly the following:

  • What operating system were you running when the bug appeared?
  • What database platform is your site using?
  • What version of mojoPortal are you running?
  • What version of .NET do you use?
  • What steps are necessary to reproduce the issue? Compare expected results vs actual results.
Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum.
This thread is closed to new posts. You must sign in to post in the forums.
6/4/2007 9:02:05 AM
Gravatar
Total Posts 488

Multiple sites security

1. Create additional folder-based site.

2. Set some path (for example, /xxx) to the new site.

3. Go to /xxx/default.aspx

4. Log in as admin

5. Go to admin menu -> pages and delete all the pages

6. You are admin on the main site. And cannot open the /xxx site any more.

6/5/2007 1:48:10 PM
Gravatar
Total Posts 18439

Re: Multiple sites security

If you keep going and delete all the pages in the first site it might not work right either.

Using the folder based multi sites feature you must keep in mind that unlike when you use different host names, once you are logged into either site, IIS thinks you are logged in to all the sites because they all have the same domain and they all have the same authentication ticket issued by IIS and they share the same physical cookie file on the client machine. In .NET code we can detect whether you are logged into 1 site or both sites because we store an extra cookie with the site guid when you authenticate and use a custom identity object to check the extra cookie(s). Also we can name our role cookie based on the site so they don't get mixed up across sites.

When you login to the root site as admin then log into the second site as admin, then for whatever reason you find yourself back at the root site you are still logged in as admin. If you have different user names in each site then logging into 1 site will log you out of the other site.

When using host names you have completely separate physical cookie files for each site so you can be logged into each one at the same time with different user names.

Joe

 

6/6/2007 4:37:24 AM
Gravatar
Total Posts 488

Re: Multiple sites security

Thanks for the technical description.

But:

1. Maybe add some static "this site has no pages" page (like "acess denied" page) and display it in this case?

2. Now I have 3 sites on my dev: root, /customer and /manager. In all the cases logins on the sites seem to be independent.

But in the scenario described I was not logged in to the root site! I just logged in to /x site and removed all the pages - and became an admin on the root one!

6/23/2007 10:33:18 AM
Gravatar
Total Posts 488

Multiple sites security

Thanks for the improvement!

You must sign in to post in the forums. This thread is closed to new posts.