When you have users who log in to K2 from different providers, such as Windows users inside your network and external users who use Basic authentication with a username and password, configuring your realms may not prevent people from accessing both sites. This is By Design in the way K2 sites are configured, but you can update the web.config file to limit users to only the realms you specify.
This behavior only occurs if the hostname/base URL is the same for your designer and runtime sites, such as https://k2.denallix.com/designer and https://k2.denallix.com/runtime. If they are not the same, the cookie is not shared.
You must edit the web.config files for the designer and runtime sites, and remove the path="/" setting of the cookieHandler key. You can find these files at <install drive>:\Program Files or Program Files (x86)\K2\K2 smartforms Designer and K2 smartforms Runtime.
By default, the sites are configured as follows:
Removing the path attribute forces the sites not to share cookies in the same path (by hostname), and your resulting cookieHandler key is as follows: