StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POSharing ASP.NET_SessionId and .ASPXAUTH cookie security risk
primarykey
Id
20064952
data
AcceptedAnswerId
20067086
AnswerCount
1
ClosedDate
CommentCount
0
CommunityOwnedDate
CreationDate
2013-11-19T06:46:16.320
FavoriteCount
0
LastActivityDate
2013-11-19T08:57:04.317
LastEditDate
2013-11-19T06:55:26.307
LastEditorUserId
1200072
OwnerUserId
1200072
ParentId
0
PostTypeId
1
Score
4
ViewCount
1110
LastEditorDisplayName
text
Body
We're developing a SAAS solution for a big company in which doctors can view patients and make mutations, order products, provide licenses. This project is for 4 separate companies under one umbrella company. For each company we developed a portal. All portals use the same code but have a strict separated database because the database contains all the patient information. We're using Sitecore as CMS. The client decided to use virtual folders instead of subdomains for the production environment. Our staging evironment url is for example: acc-portal1.umbrella.com. For the production environment they would like a URL such as: acc.umbrella.com/portal1. One SSL certificate is being used for all portals and requests. We're using Membership Provider (forms authentication) for the authentication of users. Users can not log in with the same account in for example portal1 and portal3 because of the usage of separated databases. Because we're using formsauthentication the ".ASPXAUTH" cookie is being used. Of course the "ASP.NET_SessionId" cookie is used also. Because the client wants to use virtual folders instead of subdomains, the cookies are shared over all portals. It is possible to set the "path" on the node in web.config but this path is dynamically read by Sitecore and resolved in a pipeline. I did not find a way to override this path after it is being loaded in the web.config. Also I did not find a way to alter the ASP.NET_SessionId cookie path. My question is: is it a (security) risk to share these cookies over multiple portals (remember, they should be separated completely)? Are there any other problems this setup could cause? Hope somebody can help!
Tags
<asp.net><security><cookies><sitecore><session-cookies>
Title
Sharing ASP.NET_SessionId and .ASPXAUTH cookie security risk
singulars
PostAcceptedAnswerId
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USydd1987
UserOwnerUserId
1. USydd1987
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POSharing ASP.NET_SessionId and .ASPXAUTH cookie security risk
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 POSharing ASP.NET_SessionId and .ASPXAUTH cookie security risk
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
3. VO
 singulars
 PostPostId
 POSharing ASP.NET_SessionId and .ASPXAUTH cookie security risk
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. This table or related slice is empty.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.