sitecoremultiple-sites

Multiple websites and making "cross-site" requests illegal


I have two IIS sites pointing to diffent physical folders. This is to be able to differentiate the web.config and the files and assemblies used for the sites Database is set to point to the same instance for both sites In web.config are configured to start from different parts The stucture is like this:

So far so good.

Now, the problem is that i'm able to retrieve content not belonging to the actual site by entering its complete path. Ie.

http://www.default.com/sitecore/content/home/intranet.aspx <-- this shouldn't be allowed, since www.default.com is configured with /sitecore/content/home/default as root.

Is there any built-in mechanism to dissallow this or do i have to subclass the itemresolver to make "cross sites"-requests illegal.


Solution

  • This is something to do with how Sitecore resolves items, I have found 3 different URL's for each item. For example say I have the following structure:

    -sitecore
      -content
        -home
          -page1
    

    I can access page1 either through:

    However knowing this won't help solve your problem. The best solution I can suggest is to use security. However if both site need anonymous access the question is how do you control this?

    I imagine that since you have two separate web.config's you also have to separate Sitecore configuration sections. So what we can do is create a pipeline process that runs as part of the http request begin pipeline (in the web.config as /configuration/sitecore/pipelines/httpRequestBegin) creating one for each site and updating the relevant web.config. When this process is called it could create a virtual user who belongs to a group which restricts access to the site the user requested.

    There is some code here that shows you how to create a virtual user:

    And here on pipelines:

    Hope this helps :-)