I have set up a few BlogEngine blogs for a few of my friends.
As I wanted these under just one domain I have each BlogEngine installation configured as a virtual directory in IIS i.e.
My friend noticed today that when logging into his own blog and navigating to mine he appeared to be logged in and could access the administration menu.
I can confirm this is the case, and it is most likely due to the authentication cookie being set for the entire domain.
Is there a preferred way of sorting this in BlogEngine? I know I can set the path setting for forms authentication in web.config and this would set the cookie URL appropriately. However, this would allow any person who has access to web.config to change this back to root and have administrator access to all the blogs on the domain.
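The cookie scoping described in the question, as an added example that is not part of the original post: a model of the browser's path-match rule (RFC 6265, section 5.1.4) showing which requests carry a cookie set with `Path=/` versus a per-directory path. The directory names `/blog1`, `/blog2`, `/blog10` and the cookie names `.BLOG1AUTH` and `.BLOG2AUTH` are constructed for illustration; `.ASPXAUTH` is the ASP.NET forms authentication default.

```javascript
// RFC 6265 section 5.1.4 path-match: is a cookie with this Path sent on this request?
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts on a "/" boundary, so /blog1 does not cover /blog10.
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Constructed layout: blogs as virtual directories of one site (hypothetical names).
// The last entry is the same directory typed with different casing, which IIS
// serves but which the browser treats as a different cookie path.
const requests = ["/blog1/admin/", "/blog2/admin/", "/blog10/", "/Blog1/admin/"];

// Which of the sample requests would carry a cookie set with the given Path?
function sentTo(cookiePath) {
  return requests.filter((r) => pathMatch(r, cookiePath));
}

// Cookie jar view: the cookie names a browser attaches to one request.
function cookiesFor(requestPath, jar) {
  return jar.filter((c) => pathMatch(requestPath, c.path)).map((c) => c.name);
}

// Setup as reported: every blog issues the same cookie name with Path=/.
const shared = [{ name: ".ASPXAUTH", path: "/" }];

// Scoped setup: a distinct cookie name and Path per virtual directory.
const scoped = [
  { name: ".BLOG1AUTH", path: "/blog1" },
  { name: ".BLOG2AUTH", path: "/blog2" },
];

console.log("Path=/      ->", sentTo("/"));
console.log("Path=/blog1 ->", sentTo("/blog1"));
console.log("shared jar, /blog2/admin/:", cookiesFor("/blog2/admin/", shared));
console.log("scoped jar, /blog2/admin/:", cookiesFor("/blog2/admin/", scoped));
```

The `Path` attribute only governs which requests the browser attaches the cookie to, and the match is case-sensitive, so the configured path has to use the same casing as the URLs users actually visit.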