We're using ASP.NET and IIS 6.0. I realise that the definitions of applications, websites and virtual directories are ill-defined in IIS 6, and changed a lot in IIS 7. However, I'm stuck with IIS 6.0 for now.

We have a single web site defined in IIS, and a number of separate sub-sites in Virtual Directories.

The scheme looks like this:-

http://site.example.com/site1
http://site.example.com/site2
.. etc ..

site1, site2, ... are virtual directories in IIS 6.0, under the "Default Web Site".

I need to use ASP.NET sessions and forms authentication in most of these sites, and I don't want them to share authentication data or session information at all.

Both the mechanisms currently depend on cookies. However, the cookies created by default use the same name, and have a path of "/" in the browser, meaning the sites' cookies will clash with each other.

Without changing the default name for each cookie, how can I enforce separation between my sub-sites? Do I need to change the virtual directories for IIS 6 "Applications"? Or is there some way in code to enforce a more limited scope for the cookies?

Thanks in advance.

For Forms Authentication, you can define the FormsCookiePath property to reflect the virtual directory of each sub site.

http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.formscookiepath.aspx

For Session State, I haven't seen anything that can define a path, but you can define different cookie names away from the standard cookieName="ASP.NET_SessionId" value. That way each sub site is looking out for different session cookies.

http://msdn.microsoft.com/en-us/library/h6bb9cz9(v=VS.100).aspx