I work at a consulting shop where we work on multiple sites every day, most of them running ASP.NET MVC 3. We're running these sites locally during development using IIS Express, so we see something like "http://localhost:1234" for every site.
We're using forms authentication on all these sites, and we're seeing something odd when switching from one site to another. When I'm logged in to site A, and begin to browse site B, the HttpContext.Current.User property when debugging site B has the value we set it to from site A.
This only seems to happen on MVC sites. When I run a WebForms site on the same machine under IIS Express, HttpContext.Current.User is equal to a GenericPrincipal object. In other words, all Web Forms sites seem to be isolated as far as authentication goes. What is different about MVC that makes these sites pick up on each other's auth information?
The name of the authentication cookie is probably the same for all sites, and if they are all hosted on the same domain this cookie will be sent along with each request. By default the cookie name is .ASPXAUTH. Thus if you are authenticated on Site A you will be automatically authenticated on Site B. The name of the cookie is defined in the forms section in web.config:
<forms loginUrl="~/Account/LogOn" timeout="2880" name="someCookieName" />
So try specifying a different authentication cookie name for your sites.
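As an added example (not part of the original answer), the following Python script audits a set of sites' web.config files for colliding forms-authentication cookie names. The site URLs and config snippets are constructed samples, and the function names are hypothetical; sites are grouped by host only, because browsers do not scope cookies by port.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import urlsplit

# ASP.NET uses this name when <forms> has no name attribute (stated in the answer).
DEFAULT_FORMS_COOKIE = ".ASPXAUTH"


def forms_cookie_name(web_config_xml):
    """Return the forms-auth cookie name a site will use, or None without forms auth."""
    root = ET.fromstring(web_config_xml)
    auth = root.find("system.web/authentication")
    if auth is None or auth.get("mode") != "Forms":
        return None
    forms = auth.find("forms")
    if forms is None:
        return DEFAULT_FORMS_COOKIE
    return forms.get("name", DEFAULT_FORMS_COOKIE)


def find_collisions(sites):
    """Map (host, cookie name) -> URLs of sites that would share that cookie.

    The port is deliberately dropped: localhost:1234 and localhost:5678
    receive each other's cookies.
    """
    groups = defaultdict(list)
    for url, xml_text in sites.items():
        name = forms_cookie_name(xml_text)
        if name is not None:
            groups[(urlsplit(url).hostname, name)].append(url)
    return {key: sorted(urls) for key, urls in groups.items() if len(urls) > 1}


def _config(auth_xml):
    return "<configuration><system.web>%s</system.web></configuration>" % auth_xml


# Constructed sample configurations (assumptions, not taken from the post).
SITE_A = _config('<authentication mode="Forms">'
                 '<forms loginUrl="~/Account/LogOn" timeout="2880" /></authentication>')
SITE_B = _config('<authentication mode="Forms" />')  # no <forms>: default name
SITE_C = _config('<authentication mode="Forms">'
                 '<forms loginUrl="~/Account/LogOn" name="SiteC.Auth" /></authentication>')
SITE_D = _config('<authentication mode="Windows" />')
SAMPLE_SITES = {"http://localhost:1234": SITE_A, "http://localhost:5678": SITE_B,
                "http://localhost:9012": SITE_C, "http://localhost:3456": SITE_D}

if __name__ == "__main__":
    for (host, cookie), urls in find_collisions(SAMPLE_SITES).items():
        print("%s: cookie %r shared by %s" % (host, cookie, ", ".join(urls)))
```
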