I am working on an ASP.NET MVC4 project using SimpleMembership, which generates an ASPXAUTH cookie when you are logged in. It seems to be working just fine, but then today I opened up another MVC4 project, only to notice that I was already logged in.
This was extremely odd, because the new project literally does not have any users defined in the database. Even more disconcerting is when I hit "log out" on the new project, it logged me out of the original site.
Both sites are running on different ports, though both on localhost. When examining the Request to see why it is returning "IsAuthenticated == true", I noticed that the ASPXAUTH cookie is being sent to both sites, and the "domain" parameter of the cookie in the debugger is "null". This made me think that perhaps the cookie is being generated as a "domain-less" cookie (I have no idea if such a thing is even possible, to be honest!), and looked at the web.config setting to specify a domain:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" domain="http://localhost:56626" />
</authentication>
Unfortunately setting the "domain" parameter has made the cookie cease working. I've tried all permutations (with http, without http, with port, without port, etc) and every time I specify a domain, the browser receives the cookie with the properly specified domain name (I examined it in Chrome developer tools), but then fails to ever send it back to the server of subsequent requests.
So, I'm pretty confused about what is happening here. Is this a security leak that I've caused by not setting something up properly somewhere? Or is it perfectly normal behavior that an ASPXAUTH cookie will authorize a user on two totally different web apps on two different ports on the same domain? I would test this on a web host but unfortunately I don't have access to any that run MVC4 at the moment.
Thanks in advance.