How could ASP.NET forms authentication session leak into a different site?

We’re dealing with a vulnerability where a forms authentication from one site can be used within a separate site. I can’t figure out how is IIS or ASP.NET allowing this to occur

Steps:

Login to site1.domain.com as user “a… Continue reading How could ASP.NET forms authentication session leak into a different site?