Multiple BlogEngine Virtual Directories on the same domain

Dec 8, 2009 at 9:13 PM


I have set up a few BlogEngine blogs for a few of my friends.

As I wanted these under just one domain I have each BlogEngine installation configured as a virtual directory in IIS i.e.

My friend noticed today that when logging into his own blog and navigating to mine he appeared to be logged in and could access the administration menu.

I can confirm this is the case and is most likely due to the authentication cookie being set for the entire domain.

Is there a preferred way of sorting this in BlogEngine? I know I can set the path setting for forms authentication in web.config and this would set the cookie URL appropriately. However, this would allow any person who has access to web.config to change this back to root and have administrator access to all the blogs on the domain.


Dec 8, 2009 at 11:02 PM

Making the change you mentioned in the web.config file is what I would recommend.

If someone has direct access to the web.config file, that means they also have direct access to the data in App_Data along with all the files/pages on the web server.  A person with this control could do many things (good or bad).  Even without touching the web.config file, they could add an ASPX page that they could go to in their browser and it would automatically log them in, without any password.  So in short, only trusted people should have access to the file system.
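The check discussed in this thread, as an added example that is not part of the original posts or of BlogEngine: a Python audit over constructed web.config fragments that reports which virtual directories issue a forms-authentication cookie the browser would also send to a sibling blog (same cookie name, matching path) and which siblings could validate it (identical machineKey values). The directory names, key strings and helper names are assumptions, and machineKey inheritance from parent configuration files is not modelled.

```python
import xml.etree.ElementTree as ET
from itertools import permutations

def cfg(forms_attrs, keys):
    # Builds a constructed web.config fragment for the sample below.
    return ('<configuration><system.web>'
            f'<machineKey validationKey="{keys}-V" decryptionKey="{keys}-D" />'
            f'<authentication mode="Forms"><forms {forms_attrs} /></authentication>'
            '</system.web></configuration>')

# Constructed sample: virtual directory -> web.config text (names and keys are made up).
CONFIGS = {
    "/blog1": cfg('loginUrl="~/login.aspx"', "SAMPLE-KEY-A"),  # path defaults to "/"
    "/blog2": cfg('loginUrl="~/login.aspx" path="/blog2"', "SAMPLE-KEY-A"),
    "/blog3": cfg('name=".BLOG3AUTH" path="/blog3"', "SAMPLE-KEY-B"),
}

def forms_settings(xml_text):
    """Return (cookie name, cookie path, key pair), applying ASP.NET defaults."""
    web = ET.fromstring(xml_text).find("system.web")
    forms = web.find("authentication/forms")
    key = web.find("machineKey")
    keys = None if key is None else (key.get("validationKey"), key.get("decryptionKey"))
    return forms.get("name", ".ASPXAUTH"), forms.get("path", "/"), keys

def path_match(cookie_path, request_path):
    """RFC 6265 path-match; case-sensitive, unlike IIS URL handling."""
    if request_path == cookie_path:
        return True
    return request_path.startswith(cookie_path) and (
        cookie_path.endswith("/") or request_path[len(cookie_path)] == "/")

def audit(configs):
    """Map (issuing app, receiving app) to 'cross-login' or 'shared-keys'."""
    parsed = {vdir: forms_settings(text) for vdir, text in configs.items()}
    findings = {}
    for a, b in permutations(parsed, 2):
        (name_a, path_a, keys_a), (name_b, _, keys_b) = parsed[a], parsed[b]
        sent = name_a == name_b and path_match(path_a, b + "/")  # browser side
        accepted = keys_a is not None and keys_a == keys_b       # server side
        if sent and accepted:
            findings[(a, b)] = "cross-login"  # the symptom described in the thread
        elif accepted:
            findings[(a, b)] = "shared-keys"  # cookie path is the only separation
    return findings

if __name__ == "__main__":
    for pair, status in audit(CONFIGS).items():
        print(pair, status)
```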