Multiple blogs & Admin becomes Admin on all

Topics: ASP.NET 2.0
Jan 11, 2008 at 12:54 PM
I set up several blogs on one server as follows:

http://mywebserver/blogs/UserA - UserA is the only user in this blog and has Administrator rights.
http://mywebserver/blogs/UserB - UserB is the only user in this blog and has Administrator rights.
http://mywebserver/blogs/UserC - UserC is the only user in this blog and has Administrator rights.

Then the problem:

UserA logs into http://mywebserver/blogs/UserA, and then navigates to http://mywebserver/blogs/UserB.

UserA now has Administrator rights on /blogs/UserB, even though UserA is not a registered user at /blogs/UserB.

Nobody found this before? I could not find a post.
Jan 11, 2008 at 3:07 PM
My guess (without checking) is that the "name" attribute for the forms authentication in web.config is the same for all blogs. This would make the login cookie for the user valid for all sites.

Look for the <forms> section in the root web.config, and set the "name" attribute to something different for each blog installation.
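
The change suggested in this reply, as an added example that is not part of the original thread: web.config fragments showing the shared cookie name beside per-blog names. The cookie names, `loginUrl`, `timeout` and the optional `path` scoping are assumptions chosen for illustration.

```xml
<!-- Before: every blog's web.config carries the same cookie name (here the
     framework default, .ASPXAUTH) and the default cookie path "/", so the
     browser presents UserA's login cookie to /blogs/UserB as well. -->
<system.web>
  <authentication mode="Forms">
    <forms name=".ASPXAUTH" loginUrl="~/login.aspx" timeout="30" />
  </authentication>
</system.web>

<!-- After, in /blogs/UserA/web.config: a name unique to this blog.
     path is an optional extra not mentioned in the reply; it tells the
     browser to send the cookie only under this blog's URL. Browsers compare
     cookie paths case-sensitively, so links must use the same casing. -->
<system.web>
  <authentication mode="Forms">
    <forms name=".BLOG_USERA" path="/blogs/UserA"
           loginUrl="~/login.aspx" timeout="30" />
  </authentication>
</system.web>

<!-- After, in /blogs/UserB/web.config: a different name again. -->
<system.web>
  <authentication mode="Forms">
    <forms name=".BLOG_USERB" path="/blogs/UserB"
           loginUrl="~/login.aspx" timeout="30" />
  </authentication>
</system.web>
```

A distinct cookie name only keeps one blog from picking up the cookie the browser holds for another. Tickets stay interchangeable between applications that share `machineKey` values, so each blog should also have its own keys unless single sign-on is intended.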
Jan 11, 2008 at 4:54 PM
Problem solved. Thanks! ^_^
Jan 21, 2008 at 10:41 PM
I'm setting up a multiple blog situation, and I have a similar question. I'm having the same problem, but since I want the software to be dynamic (not have to modify the web.config to add a new user/blog), I want to do this in code. I was thinking about checking to see if the currently logged in user is "authorized" (using my own code) as an admin on the blog they're currently viewing (maybe something when the request begins to check). In this way, I can just let the request through if they're authorized, but log them out if they're not authorized for the blog they're trying to view.

Does that make sense? If so, where would I put this check/force logout code? I was thinking about either the URL re-writer or the global.asax, but I don't want to bloat either of those items and they don't seem like quite the right spot. Any thoughts from anybody?