Recently my company added a second domain companyname.com in addition to www.companyname.com. We also recently started seeing some odd security issues within our site and I was wondering if they might be related.
In particular, it seems like sometimes people lose their roles while on the site. So, for example, they are able to navigate to a page (which is secured), but then one or more of the secured pie开发者_开发百科ces of the page that they are validated for will act like they don't have some of the roles I know they have.
Is it possible that somehow the two domains are interfering with the cookies/validation of the other one and causing the security framework to return no roles? If so, is there any way to correct this behavior?
We are using out of the box Forms authentication.
By default the token stored in the cookie goes with the domain of your site. You'll need to set it to be consistent, otherwise it won't be shared: FormsAuthentication.CookieDomain property
Set it to yourcompany.com, and it should be fine. I believe you can change this value in the web.config, so you shouldn't need to rebuild your app.
精彩评论