ASP.NET MVC Authorize by Subdomain

I have what seems like a common problem with SaaS applications, but have not seen this issue anywhere else.

I am using ASP.NET MVC with forms authentication. I have implemented a custom membership provider for processing logic, but have one problem (maybe a problem in my mental picture of the system).

As in many SaaS applications, clients create accounts and use the application in such a way that they look like the only ones (they only see their elements, users, etc.). In reality, there are common controllers and views that present data depending on the client represented in the URL. When you call something like MembershipProvider.ValidateUser, I have access to the user's user membership in the User object, but I don't have a request context to compare if this is a data request for the same client as the user.

As an example,

One company, ABC, goes to abc.mysite.com

Another company called XYZ goes to xyz.mysite.com

When user ABC calls

http://abc.mysite.com/product/edit/12 

[Authorize] Edit ProductController, , .

ABC

http://xyz.mysite.com/product/edit/12 

. ValidateUser MembershipProvider , . , ABC, , XYZ .

?

+3
1

Authorize , , , :

System.Web.HttpContext.Current.Request.Url.DnsSafeHost

, , , . . , XYZ , /, , XYZ. XYZ CurrentUser .

+3
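An added example (not code from the question or the answer): a custom authorize attribute that ties the signed-in user to the subdomain in the request, using the `DnsSafeHost` value mentioned above. The class name `TenantAuthorizeAttribute`, the helper `TenantFromHost`, the `.mysite.com` base domain and the choice to keep the tenant key in the forms ticket's `UserData` are assumptions made for illustration.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical attribute: behaves like [Authorize], then additionally requires
// that the user's tenant matches the tenant named by the request's subdomain.
public class TenantAuthorizeAttribute : AuthorizeAttribute
{
    // Assumption: every tenant is served from <tenant>.mysite.com.
    private const string BaseDomain = ".mysite.com";

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Standard checks first: authenticated, plus any Users/Roles filters.
        if (!base.AuthorizeCore(httpContext))
            return false;

        string requestTenant = TenantFromHost(httpContext.Request.Url.DnsSafeHost);

        // Assumption: the login code wrote the tenant key into the forms
        // authentication ticket's UserData when it issued the cookie.
        var identity = httpContext.User.Identity as FormsIdentity;
        string userTenant = identity == null ? null : identity.Ticket.UserData;

        // Fail closed: an unknown host or a missing tenant is a denial.
        return !string.IsNullOrEmpty(requestTenant)
            && string.Equals(requestTenant, userTenant,
                             StringComparison.OrdinalIgnoreCase);
    }

    // Returns "abc" for "abc.mysite.com" and null for any other host.
    internal static string TenantFromHost(string host)
    {
        if (host == null ||
            !host.EndsWith(BaseDomain, StringComparison.OrdinalIgnoreCase))
            return null;

        string label = host.Substring(0, host.Length - BaseDomain.Length);

        // Reject an empty label and nested labels such as "xyz.abc".
        return (label.Length == 0 || label.Contains(".")) ? null : label;
    }
}
```

Applied as `[TenantAuthorize]` in place of `[Authorize]`, this rejects a session issued for one tenant when it is presented on another tenant's host. It does not check that the record in the URL belongs to that tenant, so data queries still need to filter by tenant.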

Source: https://habr.com/ru/post/1736004/

