Introduced website security accessor to ensure members aren't shared between sessions.

src/Umbraco.Core/Security/HybridBackofficeSecurityAccessor.cs

@@ -1,15 +1,12 @@
 using Umbraco.Core.Cache;
-using Umbraco.Core.Security;
 using Umbraco.Web;
-using Umbraco.Web.Security;
 
-namespace Umbraco.Core
+namespace Umbraco.Core.Security
 {
-
     public class HybridBackofficeSecurityAccessor : HybridAccessorBase<IBackOfficeSecurity>, IBackOfficeSecurityAccessor
     {
         /// <summary>
-        /// Initializes a new instance of the <see cref="HybridUmbracoContextAccessor"/> class.
+        /// Initializes a new instance of the <see cref="HybridBackofficeSecurityAccessor"/> class.
         /// </summary>
         public HybridBackofficeSecurityAccessor(IRequestCache requestCache)
             : base(requestCache)
@@ -19,7 +16,7 @@ namespace Umbraco.Core
         protected override string ItemKey => "Umbraco.Web.HybridBackofficeSecurityAccessor";
 
         /// <summary>
-        /// Gets or sets the <see cref="BackOfficeSecurity"/> object.
+        /// Gets or sets the <see cref="IBackOfficeSecurity"/> object.
         /// </summary>
         public IBackOfficeSecurity BackOfficeSecurity
         {

src/Umbraco.Core/Security/HybridUmbracoWebsiteSecurityAccessor.cs

@@ -0,0 +1,28 @@
+using Umbraco.Core.Cache;
+using Umbraco.Web;
+
+namespace Umbraco.Core.Security
+{
+
+    public class HybridUmbracoWebsiteSecurityAccessor : HybridAccessorBase<IUmbracoWebsiteSecurity>, IUmbracoWebsiteSecurityAccessor
+    {
+        /// <summary>
+        /// Initializes a new instance of the <see cref="HybridUmbracoWebsiteSecurityAccessor"/> class.
+        /// </summary>
+        public HybridUmbracoWebsiteSecurityAccessor(IRequestCache requestCache)
+            : base(requestCache)
+        { }
+
+        /// <inheritdoc />
+        protected override string ItemKey => "Umbraco.Web.HybridUmbracoWebsiteSecurityAccessor";
+
+        /// <summary>
+        /// Gets or sets the <see cref="IUmbracoWebsiteSecurity"/> object.
+        /// </summary>
+        public IUmbracoWebsiteSecurity WebsiteSecurity
+        {
+            get => Value;
+            set => Value = value;
+        }
+    }
+}

src/Umbraco.Core/Security/IUmbracoWebsiteSecurityAccessor.cs

@@ -0,0 +1,7 @@
+namespace Umbraco.Core.Security
+{
+    public interface IUmbracoWebsiteSecurityAccessor
+    {
+        IUmbracoWebsiteSecurity WebsiteSecurity { get; set; }
+    }
+}

src/Umbraco.Web.Common/Runtime/AspNetCoreComposer.cs

@@ -74,9 +74,12 @@ namespace Umbraco.Web.Common.Runtime
 
             // register the umbraco context factory
             composition.Services.AddUnique<IUmbracoContextFactory, UmbracoContextFactory>();
+
             composition.Services.AddUnique<IBackOfficeSecurityFactory, BackOfficeSecurityFactory>();
             composition.Services.AddUnique<IBackOfficeSecurityAccessor, HybridBackofficeSecurityAccessor>();
 
+            composition.Services.AddUnique<IUmbracoWebsiteSecurityAccessor, HybridUmbracoWebsiteSecurityAccessor>();
+
             //register the install components
             composition.ComposeInstaller();
 

src/Umbraco.Web.Website/Controllers/UmbLoginController.cs

@@ -14,14 +14,14 @@ namespace Umbraco.Web.Website.Controllers
 {
     public class UmbLoginController : SurfaceController
     {
-        private readonly IUmbracoWebsiteSecurity _websiteSecurity;
+        private readonly IUmbracoWebsiteSecurityAccessor _websiteSecurityAccessor;
 
         public UmbLoginController(IUmbracoContextAccessor umbracoContextAccessor, IUmbracoDatabaseFactory databaseFactory,
             ServiceContext services, AppCaches appCaches, IProfilingLogger profilingLogger, IPublishedUrlProvider publishedUrlProvider,
-            IUmbracoWebsiteSecurity websiteSecurity)
+            IUmbracoWebsiteSecurityAccessor websiteSecurityAccessor)
             : base(umbracoContextAccessor, databaseFactory, services, appCaches, profilingLogger, publishedUrlProvider)
         {
-            _websiteSecurity = websiteSecurity;
+            _websiteSecurityAccessor = websiteSecurityAccessor;
         }
 
         [HttpPost]
@@ -34,7 +34,7 @@ namespace Umbraco.Web.Website.Controllers
                 return CurrentUmbracoPage();
             }
 
-            if (await _websiteSecurity.LoginAsync(model.Username, model.Password) == false)
+            if (await _websiteSecurityAccessor.WebsiteSecurity.LoginAsync(model.Username, model.Password) == false)
             {
                 // Don't add a field level error, just model level.
                 ModelState.AddModelError("loginModel", "Invalid username or password");

src/Umbraco.Web.Website/Controllers/UmbLoginStatusController.cs

@@ -15,14 +15,14 @@ namespace Umbraco.Web.Website.Controllers
     [UmbracoMemberAuthorize]
     public class UmbLoginStatusController : SurfaceController
     {
-        private readonly IUmbracoWebsiteSecurity _websiteSecurity;
+        private readonly IUmbracoWebsiteSecurityAccessor _websiteSecurityAccessor;
 
         public UmbLoginStatusController(IUmbracoContextAccessor umbracoContextAccessor,
             IUmbracoDatabaseFactory databaseFactory, ServiceContext services, AppCaches appCaches,
-            IProfilingLogger profilingLogger, IPublishedUrlProvider publishedUrlProvider, IUmbracoWebsiteSecurity websiteSecurity)
+            IProfilingLogger profilingLogger, IPublishedUrlProvider publishedUrlProvider, IUmbracoWebsiteSecurityAccessor websiteSecurityAccessor)
             : base(umbracoContextAccessor, databaseFactory, services, appCaches, profilingLogger, publishedUrlProvider)
         {
-            _websiteSecurity = websiteSecurity;
+            _websiteSecurityAccessor = websiteSecurityAccessor;
         }
 
         [HttpPost]
@@ -35,9 +35,9 @@ namespace Umbraco.Web.Website.Controllers
                 return CurrentUmbracoPage();
             }
 
-            if (_websiteSecurity.IsLoggedIn())
+            if (_websiteSecurityAccessor.WebsiteSecurity.IsLoggedIn())
             {
-                await _websiteSecurity.LogOutAsync();
+                await _websiteSecurityAccessor.WebsiteSecurity.LogOutAsync();
             }
 
             TempData["LogoutSuccess"] = true;

src/Umbraco.Web.Website/Controllers/UmbProfileController.cs

@@ -16,14 +16,14 @@ namespace Umbraco.Web.Website.Controllers
     [UmbracoMemberAuthorize]
     public class UmbProfileController : SurfaceController
     {
-        private readonly IUmbracoWebsiteSecurity _websiteSecurity;
+        private readonly IUmbracoWebsiteSecurityAccessor _websiteSecurityAccessor;
 
         public UmbProfileController(IUmbracoContextAccessor umbracoContextAccessor, IUmbracoDatabaseFactory databaseFactory,
             ServiceContext services, AppCaches appCaches, IProfilingLogger profilingLogger,
-            IPublishedUrlProvider publishedUrlProvider, IUmbracoWebsiteSecurity websiteSecurity)
+            IPublishedUrlProvider publishedUrlProvider, IUmbracoWebsiteSecurityAccessor websiteSecurityAccessor)
             : base(umbracoContextAccessor, databaseFactory, services, appCaches, profilingLogger, publishedUrlProvider)
         {
-            _websiteSecurity = websiteSecurity;
+            _websiteSecurityAccessor = websiteSecurityAccessor;
         }
 
         [HttpPost]
@@ -36,7 +36,7 @@ namespace Umbraco.Web.Website.Controllers
                 return CurrentUmbracoPage();
             }
 
-            var result = await _websiteSecurity.UpdateMemberProfileAsync(model);
+            var result = await _websiteSecurityAccessor.WebsiteSecurity.UpdateMemberProfileAsync(model);
             switch (result.Status)
             {
                 case UpdateMemberProfileStatus.Success:

src/Umbraco.Web.Website/Controllers/UmbRegisterController.cs

@@ -15,14 +15,14 @@ namespace Umbraco.Web.Website.Controllers
 {
     public class UmbRegisterController : SurfaceController
     {
-        private readonly IUmbracoWebsiteSecurity _websiteSecurity;
+        private readonly IUmbracoWebsiteSecurityAccessor _websiteSecurityAccessor;
 
         public UmbRegisterController(IUmbracoContextAccessor umbracoContextAccessor,
             IUmbracoDatabaseFactory databaseFactory, ServiceContext services, AppCaches appCaches,
-            IProfilingLogger profilingLogger, IPublishedUrlProvider publishedUrlProvider, IUmbracoWebsiteSecurity websiteSecurity)
+            IProfilingLogger profilingLogger, IPublishedUrlProvider publishedUrlProvider, IUmbracoWebsiteSecurityAccessor websiteSecurityAccessor)
             : base(umbracoContextAccessor, databaseFactory, services, appCaches, profilingLogger, publishedUrlProvider)
         {
-            _websiteSecurity = websiteSecurity;
+            _websiteSecurityAccessor = websiteSecurityAccessor;
         }
 
         [HttpPost]
@@ -42,7 +42,7 @@ namespace Umbraco.Web.Website.Controllers
                 model.Name = model.Email;
             }
 
-            var result = await _websiteSecurity.RegisterMemberAsync(model, model.LoginOnSuccess);
+            var result = await _websiteSecurityAccessor.WebsiteSecurity.RegisterMemberAsync(model, model.LoginOnSuccess);
 
             switch (result)
             {

src/Umbraco.Web.Website/Extensions/UmbracoWebstiteServiceCollectionExtensions.cs

@@ -23,9 +23,6 @@ namespace Umbraco.Extensions
 
             //TODO figure out if we need more to work on load balanced setups
             services.AddDataProtection();
-
-            // Website security
-            services.AddSingleton<IUmbracoWebsiteSecurity, UmbracoWebsiteSecurity>();
         }
     }
 }