Initially I thought this was a security hole on the Session Details page before I twigged that the URLs were different (the direct URL to a session included the www., whereas my typed URLs did not). If I go to http://dddeastanglia.com/, I am not logged in; if I go to http://www.dddeastanglia.com/Session/Details/3136, I am logged in as me and can do everything I can do when I am logged in, such as viewing the admin area, editing my profile, and navigating around the site while remaining logged in.
Perhaps the easiest fix for this is to redirect every request, via IIS config or within the app, to one or other of the hostnames so it is always the same.
Does any of that make sense? :smile:
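The behaviour described above is what you get when the authentication cookie is host-only: a cookie set by `www.dddeastanglia.com` without a `Domain` attribute is never sent to the bare `dddeastanglia.com`, so the same user looks logged in on one hostname and anonymous on the other. The IIS-side fix suggested in the issue, as an added example that is not part of the original issue or of the project's own configuration, is a URL Rewrite rule in `web.config` that sends every request arriving on any other host to the `www.` hostname. It assumes the IIS URL Rewrite module is installed and that `www.dddeastanglia.com` is the chosen canonical host; the rule name is arbitrary.

```xml
<!-- Added example: canonical-host redirect for IIS URL Rewrite (not from the project). -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Any request whose Host header is not exactly the canonical host
             gets a 301 to the same path on www.dddeastanglia.com. -->
        <rule name="Redirect to canonical host" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <!-- negate="true": the rule fires only when the host does NOT match. -->
            <add input="{HTTP_HOST}" pattern="^www\.dddeastanglia\.com$" negate="true" />
          </conditions>
          <!-- {R:1} carries the original path; the query string is appended by default. -->
          <action type="Redirect" url="http://www.dddeastanglia.com/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

After deploying, a quick check is to request `http://dddeastanglia.com/Session/Details/3136` and confirm the response is a `301` with a `Location` header pointing at the `www.` URL, and that a request to the `www.` host itself gets no redirect. Because the redirect happens before the application sees the request, the auth cookie is only ever set and read on one hostname, which is what makes the login state consistent.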