Running multiple EPiServer sites on different ports on the same host/domain

A setup where you have multiple sites running on different ports on the same host/domain can be handy for quick deployment of sites for testing/demoing/etc and does work fine for the most part.

However, there is an issue that you will likely run into with this kind of setup for ASP.NET sites using Forms authentication: the Forms login cookie will be shared between all of the sites.

The reason for this behavior is that Forms authentication by default uses cookies and that the cookie mechanism in HTTP can limit the scope of cookies by domain and/or path, but not by port.

As an example, taken from a local EPiServer CMS installation, the Forms login cookie may look something like this:
Set-Cookie: .EPiServerLogin=encryptedandsignedvaluehere; path=/; HttpOnly

Which in turn means that the client is supposed to send back the cookie for subsequent requests to the same host (regardless of port) for paths under “/”.

The preferred solution is to assign different domain names to the different sites, but if this is not practical a possible workaround for this particular problem is to assign different names for the actual login cookie for each site (the latter solution has the downside that the different login cookies will still be sent with requests to all of the sites, just without the normal interference, so if there is any kind of trust issues between the different sites this is not the way to go).

Changing the name of the login cookie is done by changing the name attribute of the configuration/system.web/authentication/forms element in web.config.

Please see http://msdn.microsoft.com/en-us/library/1d3t3c61.aspx for further information on the Forms authentication configuration.