security when hosting multiple blogs

Nov 1, 2007 at 10:28 PM
Edited Nov 1, 2007 at 10:31 PM
I have several blogs being hosted on my web server. Each blog is in its own physical folder on my webserver (in a folder called blog) and each folder is a virtual directory in IIS under my blog.example.com website. Each user's blog can be accessed by going to http://blog.example.com/username/. The problem I have is when I log into my test blog http://blog.example.com/test/ as admin/admin I can type http://blog.example.com/bobjones and I'm still an admin under his page. I can go into the users section under his blog and I know that the original admin/admin user is deleted. I've checked the users.xml file and admin wasn't there. I checked the roles.xml and did see admin there so I deleted both instances under Administrator and Editor. I was still able to have administrative access to any blog I navigated to. Any ideas on how to resolve this? I think it may be a cookie issue but I know nothing about cookies.
Nov 2, 2007 at 5:52 PM
I was messing around with the Web.config file and saw the section on authentication:
<authentication mode="Forms">
  <forms timeout="129600" name=".AUXBLOGENGINE" protection="All" slidingExpiration="true" loginUrl="~/login.aspx" cookieless="UseCookies" />
</authentication>

I renamed .AUXBLOGENGINE to something unique in each folder's web.config file, and every time I switched to another blog I was no longer an "unauthorized administrator".
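
The thread above comes down to several applications on one host reading a forms-authentication cookie with the same name; with no path attribute on the forms element the cookie is issued for "/", so the browser sends it to every blog. The following is an added example, not part of the original posts or of the blog software, that checks a set of web.config files for that overlap; the sample configs, the /alice and /carol directories and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from itertools import permutations

def sample_config(attrs):
    """Constructed, trimmed web.config for one blog (illustration only)."""
    return ('<configuration><system.web><authentication mode="Forms">'
            f'<forms {attrs} loginUrl="~/login.aspx" />'
            '</authentication></system.web></configuration>')

# Constructed sample: virtual directory -> that blog's web.config
SAMPLE_CONFIGS = {
    "/test": sample_config('name=".AUXBLOGENGINE"'),
    "/bobjones": sample_config('name=".AUXBLOGENGINE"'),
    "/alice": sample_config('name=".AUXBLOGENGINE_ALICE"'),
    "/carol": sample_config('name=".AUXBLOGENGINE" path="/carol"'),
}

def forms_cookie(config_xml):
    """Return (name, path) of the forms-auth cookie, or None if mode is not Forms."""
    auth = ET.fromstring(config_xml).find("system.web/authentication")
    if auth is None or auth.get("mode", "").lower() != "forms":
        return None
    forms = auth.find("forms")
    attrs = forms.attrib if forms is not None else {}
    # ASP.NET defaults when the attributes are omitted
    return attrs.get("name", ".ASPXAUTH"), attrs.get("path", "/")

def covers(cookie_path, url_path):
    """True if a browser would send a cookie scoped to cookie_path to url_path."""
    prefix = cookie_path.rstrip("/")
    return url_path == prefix or url_path.startswith(prefix + "/")

def find_shared_cookies(configs):
    """List (issuer, receiver, name): issuer's cookie reaches receiver, which reads that name."""
    cookies = {vdir: forms_cookie(text) for vdir, text in configs.items()}
    hits = []
    for issuer, receiver in permutations(sorted(cookies), 2):
        if cookies[issuer] and cookies[receiver]:
            name, path = cookies[issuer]
            if name == cookies[receiver][0] and covers(path, receiver):
                hits.append((issuer, receiver, name))
    return hits

if __name__ == "__main__":
    for issuer, receiver, name in find_shared_cookies(SAMPLE_CONFIGS):
        print(f"{name}: issued by {issuer}, also sent to and read by {receiver}")
```

In the sample, /carol's path-scoped cookie stays inside /carol, yet /carol still receives the "/"-scoped cookies from /test and /bobjones because it reads the same name. Whether a received ticket is then accepted depends on the validation and decryption keys the applications use, which this check does not read.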