Using VS2010, I created an MVC4 web application that uses SimpleMembership for forms authentication. On the login form is a Remember Me check box which, when ticked, persists the authentication cookie (standard AccountController code from the Internet Application project template).
So at this stage I have remembered my authentication when logging in to this first application.
Now I have created a second application in VS2010, again an Internet Application template with SimpleMembership. When I run this second application I am authenticated straight away, from the login credentials entered in the first application. In my view Request.IsAuthenticated = true and User.Identity.Name is the username from the other app.
This seems really insecure. Does this have anything to do with:
- The fact I am using the Dev web server that comes with VS2010.
- Using IE, with the session being shared.
- Or is it just a major security hole?