Closed (Bartmax closed 9 years ago)
I'm afraid not; I've just cleared cookies or used different browsers, e.g. Chrome/Firefox or incognito sessions.
This causes a kind of meta security issue. Users that have access to both tenants will notice their identity is being shared. They won't be able to do anything, but they will still be logged in.
The solution lies in the CookieAuthenticationOptions, but I am still figuring out which property I should use to solve this.
The originally described problem was just in development on localhost; I'm not sure what you mean by a meta security issue. Any cookies created will be for the domain of the tenant.
@SamuelDebruyn I'm not working on, nor do I have access to, the code base I used this in, but I'm pretty sure that changing the Name on CookieAuthenticationOptions will be enough.
As @JSkimming said, this is only problematic when 2 apps are on the same domain (aka localhost). More annoying while developing than a security issue.
@JSkimming, our tenants are all on the same domain. I properly described my problem here: http://stackoverflow.com/questions/29518092/variable-cookie-path-with-asp-net-identity
@Bartmax All our tenants are on the same domain.
I implemented your solution for multitenancy and found a different behavior from how Membership behaved.
Let's say I have 2 sites: if I log into site 1, then into site 2, and go back to site 1, I get logged out.
So I can only be logged in on 1 site at once on localhost. This is no problem on different domains in production, but when developing on localhost it's kinda annoying. Do you know of any way I can handle this scenario better? Something like creating a cookie for each tenant?
Thank you, any idea or guidance will be really helpful.
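
The per-tenant cookie idea discussed in this thread, as an added example that is not code from the thread or from the project. It assumes the OWIN cookie middleware (`Microsoft.Owin.Security.Cookies`, where the name property is `CookieName`) and tenants separated by a path prefix on one shared host; the tenant names and the `"tenant"` claim type are hypothetical.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public class Startup
{
    // Hypothetical tenants, each assumed to live under its own path prefix
    // on the same host, e.g. https://localhost/tenant-a/ and /tenant-b/.
    private static readonly string[] Tenants = { "tenant-a", "tenant-b" };

    public void Configuration(IAppBuilder app)
    {
        foreach (var tenant in Tenants)
        {
            app.Map("/" + tenant, branch =>
            {
                branch.UseCookieAuthentication(new CookieAuthenticationOptions
                {
                    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                    LoginPath = new PathString("/Account/Login"),

                    // A distinct name stops one tenant's sign-in from overwriting
                    // the other's cookie; a distinct path stops the browser from
                    // sending tenant A's cookie with requests to tenant B.
                    CookieName = ".AspNet.ApplicationCookie." + tenant,
                    CookiePath = "/" + tenant,
                    CookieHttpOnly = true,

                    Provider = new CookieAuthenticationProvider
                    {
                        // Name and path only scope the cookie in the browser. All
                        // branches share the same ticket protection keys, so also
                        // reject a ticket that was issued for another tenant.
                        // Assumes sign-in adds a "tenant" claim (hypothetical type).
                        OnValidateIdentity = ctx =>
                        {
                            if (!ctx.Identity.HasClaim("tenant", tenant))
                                ctx.RejectIdentity();
                            return Task.FromResult(0);
                        }
                    }
                });
                // Register the rest of this tenant's pipeline on "branch" here.
            });
        }
    }
}
```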