Known Issue: Users can Access K2 Realms they are not Configured to Use
KB002439
PRODUCT
Issue
When you have users who log in to K2 from different providers, such as Windows users inside your network and external users who use Basic authentication with a username and password, configuring your realms may not prevent people from accessing both sites. This is by design in the way K2 sites are configured, but you can update the web.config file to limit users to only the realms you specify.
Workaround
You must edit the web.config files for the designer and runtime sites, and remove the path="/" setting of the cookieHandler key. You can find these files at <install drive>:\Program Files or Program Files (x86)\K2\K2 smartforms Designer and K2 smartforms Runtime.
By default, the sites are configured as follows:
Removing the path attribute forces the sites not to share cookies in the same path (by hostname), and your resulting cookieHandler key is as follows:
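One way to check both sites for the path setting and apply the workaround consistently, as an added example that is not part of the original KB article or K2's own tooling. The script and its parameters (`ConfigPath`, `Fix`) are hypothetical, and it matches any element named cookieHandler rather than assuming where in web.config the element sits.

```powershell
# Added example (not K2's own tooling). Reports, and with -Fix removes, the
# path attribute on every cookieHandler element in the given web.config files.
param(
    # Assumption: full paths to the Designer and Runtime web.config files.
    [Parameter(Mandatory)][string[]]$ConfigPath,
    # Without -Fix the script only reports what it finds.
    [switch]$Fix
)

foreach ($file in $ConfigPath) {
    $resolved = (Resolve-Path -LiteralPath $file).Path
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true   # keep the file's existing layout on save
    $xml.Load($resolved)

    # Match by element name only, ignoring namespaces and position in the tree.
    $handlers = $xml.SelectNodes("//*[local-name()='cookieHandler']")
    if ($handlers.Count -eq 0) {
        Write-Warning "$resolved : no cookieHandler element found"
        continue
    }

    $changed = $false
    foreach ($h in $handlers) {
        if ($h.HasAttribute('path')) {
            $value = $h.GetAttribute('path')
            Write-Output "$resolved : cookieHandler has path='$value'"
            if ($Fix) {
                $h.RemoveAttribute('path')
                $changed = $true
            }
        } else {
            Write-Output "$resolved : cookieHandler has no path attribute"
        }
    }

    if ($changed) {
        # Keep a copy of the original file before writing the change.
        Copy-Item -LiteralPath $resolved -Destination "$resolved.bak" -Force
        $xml.Save($resolved)
        Write-Output "$resolved : path attribute removed (backup: $resolved.bak)"
    }
}
```

Run it once without `-Fix` to see the current state of both files, then again with `-Fix`; saving web.config restarts the ASP.NET application, so schedule the change accordingly.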