Creating tenants with a prefix only causes security issues


The following scenario describes a case where tenants are created with a URL prefix only.

Default tenant
  • url: http://localhost
  • user: admin

Tenant1
  • url: http://localhost/tenant1
  • user: administrator

When logged in as the admin user within the default tenant, it is possible to access tenant1 as the administrator without passing any credentials for tenant1.


sebastienros wrote Dec 11, 2012 at 9:20 PM

When the cookie is generated, just assign the Path property with the prefix.

sebastienros wrote Dec 11, 2012 at 9:25 PM

FormsAuthenticationService line 49
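
The two comments above describe scoping the authentication cookie to the tenant's URL prefix. The following Python is an added illustration, not Orchard's code: it simulates RFC 6265 path matching for the two tenants in the report and shows that, because the default tenant's prefix is "/", Path scoping alone stops the tenant1 cookie from reaching the default tenant but not the reverse, so the example additionally rejects tickets issued by another tenant. The cookie name `.ASPXAUTH`, the `TENANTS` table and the tenant name carried inside the ticket are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    tenant: str  # tenant that issued the ticket (assumed to be stored in the ticket's user data)
    user: str
    path: str    # Path attribute sent with Set-Cookie

# Constructed from the report: the default tenant has no prefix, so its path is "/".
TENANTS = {"Default": "/", "tenant1": "/tenant1"}


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match; the browser only sends the cookie when this is true."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def sign_in(tenant: str, user: str, scope_to_prefix: bool) -> Cookie:
    """Issue the forms-auth cookie. Unscoped (the reported behaviour) means Path "/",
    which every tenant on the host receives; scoped means Path = tenant prefix."""
    path = TENANTS[tenant] if scope_to_prefix else "/"
    return Cookie(".ASPXAUTH", tenant, user, path)  # .ASPXAUTH: ASP.NET default name, assumed


def authenticated_user(tenant: str, jar: List[Cookie], request_path: str,
                       check_tenant: bool) -> Optional[str]:
    """Server side of the tenant handling request_path: which user does it see?"""
    for c in jar:
        if c.name != ".ASPXAUTH" or not path_matches(c.path, request_path):
            continue  # the browser would not have sent this cookie
        if check_tenant and c.tenant != tenant:
            continue  # ticket issued by another tenant: reject it
        return c.user
    return None


if __name__ == "__main__":
    # The reported scenario: admin signs in to the default tenant, then opens /tenant1.
    jar = [sign_in("Default", "admin", scope_to_prefix=True)]
    print("Path scoping only:", authenticated_user("tenant1", jar, "/tenant1/Admin", False))  # admin
    print("Path + tenant check:", authenticated_user("tenant1", jar, "/tenant1/Admin", True))  # None
```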

sebastienros wrote Jun 21, 2013 at 7:55 PM

Fixed in changeset b44c18e31f81

sfmskywalker wrote Mar 28, 2014 at 1:28 AM

Fixed in changeset a87a3327effc9fddbd36707f2e7cb505ca5b4ead