
03-23-2009
IE 8 Release version is sharing session cookies across browsers
Hi,
We've got a big problem with IE 8.
With IE 7 you could launch different browser sessions and login to a web
site with different IDs. Each browser window would have its own session
cookie. Each tab would share the session cookie - which is exactly how it
should intuitively work.
If you do this with IE 8 then there seems to be only ever one session. No
matter how many browsers you open you get the same session and so you can
login as only one user at a time.
This is a problem for us with our own application, but it is also a problem
with all web sites and we have reproduced it with Ebay for example.
I haven't been able to find any settings in the UI to disable this.
Best regards
Steve

03-23-2009
Re: IE 8 Release version is sharing session cookies across browsers
Steve H wrote:
> Hi,
>
> We've got a big problem with IE 8.
>
> With IE 7 you could launch different browser sessions and login to a web
> site with different IDs. Each browser window would have its own session
> cookie. Each tab would share the session cookie - which is exactly how it
> should intuitively work.
>
> If you do this with IE 8 then there seems to be only ever one session. No
> matter how many browsers you open you get the same session and so you can
> login as only one user at a time.
>
> This is a problem for us with our own application, but it is also a problem
> with all web sites and we have reproduced it with Ebay for example.
>
> I haven't been able to find any settings in the UI to disable this.
>
> Best regards
>
> Steve
If this is something you can reliably reproduce then maybe you should
tell Microsoft about it directly.
Comment: "Support for Internet Explorer 8 is available at no charge
until 31st December 2009."
MS page: http://preview.tinyurl.com/c4roap

03-25-2009
Re: IE 8 Release version is sharing session cookies across browsers
On Mar 23, 5:06 am, Steve H <Ste...@discussions.microsoft.com> wrote:
> Hi,
>
> We've got a big problem with IE 8.
>
> With IE 7 you could launch different browser sessions and login to a web
> site with different IDs. Each browser window would have its own session
> cookie. Each tab would share the session cookie - which is exactly how it
> should intuitively work.
>
> If you do this with IE 8 then there seems to be only ever one session. No
> matter how many browsers you open you get the same session and so you can
> login as only one user at a time.
>
> This is a problem for us with our own application, but it is also a problem
> with all web sites and we have reproduced it with Ebay for example.
>
> I haven't been able to find any settings in the UI to disable this.
>
> Best regards
>
> Steve
I haven't been able to figure out how to do so either. This is a huge
problem, and it used to exist back in IE4 as well! It made such good
sense to have the session shared between tabs and new windows
generated from a running IE instance, with new IE processes getting a
new session. Argh, this is a huge setback in functionality.

03-25-2009
Re: IE 8 Release version is sharing session cookies across browsers
On Mar 23, 5:06 am, Steve H <Ste...@discussions.microsoft.com> wrote:
> Hi,
>
> We've got a big problem with IE 8.
>
> With IE 7 you could launch different browser sessions and login to a web
> site with different IDs. Each browser window would have its own session
> cookie. Each tab would share the session cookie - which is exactly how it
> should intuitively work.
>
> If you do this with IE 8 then there seems to be only ever one session. No
> matter how many browsers you open you get the same session and so you can
> login as only one user at a time.
>
> This is a problem for us with our own application, but it is also a problem
> with all web sites and we have reproduced it with Ebay for example.
>
> I haven't been able to find any settings in the UI to disable this.
>
> Best regards
>
> Steve
Steve-
Looks like MS broke this expectation in IE8 (vs how it worked in
IE5,6,7) when they implemented the InPrivate Browsing functionality.
From what I gather, you should get a similar behaviour as you had come
to rely on when you launch an IE8 window with InPrivate Browsing
(Tools > InPrivate Browsing). You can also create a shortcut to
always launch in this mode by passing in the -private option to
iexplore.exe.

03-25-2009
Re: IE 8 Release version is sharing session cookies across browsers
On Mar 25, 3:47 pm, Ace <jerah...@gmail.com> wrote:
> On Mar 23, 5:06 am, Steve H <Ste...@discussions.microsoft.com> wrote:
>
> > Hi,
>
> > We've got a big problem with IE 8.
>
> > With IE 7 you could launch different browser sessions and login to a web
> > site with different IDs. Each browser window would have its own session
> > cookie. Each tab would share the session cookie - which is exactly how it
> > should intuitively work.
>
> > If you do this with IE 8 then there seems to be only ever one session. No
> > matter how many browsers you open you get the same session and so you can
> > login as only one user at a time.
>
> > This is a problem for us with our own application, but it is also a problem
> > with all web sites and we have reproduced it with Ebay for example.
>
> > I haven't been able to find any settings in the UI to disable this.
>
> > Best regards
>
> > Steve
>
> I haven't been able to figure out how to do so either. This is a huge
> problem, and it used to exist back in IE4 as well! It made such good
> sense to have the session shared between tabs and new windows
> generated from a running IE instance, with new IE processes getting a
> new session. Argh, this is a huge setback in functionality.
I think that even sharing a session between tabs is a big problem and
it doesn't make sense to me, not to mention that it causes a major
security problem.
For example you can have two tabs, one is secure and one is unsecure,
then close the secure one, and you won't even know that you are still
logged in (clicking a bookmark on the desktop will automatically log
you in... or somebody else in...)
Another example is XS-Request-Forgery - this session between tabs
thing makes it much easier for the attackers (you just need to open
the email and the secure site in the same browser and click on a link
in the mail...)
Now with IE8 it's real HELL
I think I'm gonna contact Microsoft about this, not to mention the
other bugs in IE8 (such as ignoring the no-cache headers which is
another security problem)

03-25-2009
RE: IE 8 Release version is sharing session cookies across browsers
Whoa! BIG problem. I am able to reproduce this. And it's true even if,
before you open the new window, you close the original browser that started
the session! GIANT security problem here. There are a lot of great things
about IE8, but man... there are some really horrible things too!
"Steve H" wrote:
> Hi,
>
> We've got a big problem with IE 8.
>
> With IE 7 you could launch different browser sessions and login to a web
> site with different IDs. Each browser window would have its own session
> cookie. Each tab would share the session cookie - which is exactly how it
> should intuitively work.
>
> If you do this with IE 8 then there seems to be only ever one session. No
> matter how many browsers you open you get the same session and so you can
> login as only one user at a time.
>
> This is a problem for us with our own application, but it is also a problem
> with all web sites and we have reproduced it with Ebay for example.
>
> I haven't been able to find any settings in the UI to disable this.
>
> Best regards
>
> Steve

03-25-2009
RE: IE 8 Release version is sharing session cookies across browsers
FYI: I just also confirmed it with Bank of America. Log in, copy the URL
from the welcome page, close the browser, open a new browser, paste the URL,
poof, you're logged in. The URL from the BofA welcome page is standard, so
you could just try popping that into web browsers out in the world (internet
cafes, etc.) and eventually you'll be logged into someone's bank account.
This is unbelievably bad.
"Steve H" wrote:
> Hi,
>
> We've got a big problem with IE 8.
>
> With IE 7 you could launch different browser sessions and login to a web
> site with different IDs. Each browser window would have its own session
> cookie. Each tab would share the session cookie - which is exactly how it
> should intuitively work.
>
> If you do this with IE 8 then there seems to be only ever one session. No
> matter how many browsers you open you get the same session and so you can
> login as only one user at a time.
>
> This is a problem for us with our own application, but it is also a problem
> with all web sites and we have reproduced it with Ebay for example.
>
> I haven't been able to find any settings in the UI to disable this.
>
> Best regards
>
> Steve

03-26-2009
Re: IE 8 Release version is sharing session cookies across browsers
Please state your full Windows version (e.g., WinXP SP3; Vista SP1), Steve.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/
Steve H wrote:
> We've got a big problem with IE 8.
>
> With IE 7 you could launch different browser sessions and login to a web
> site with different IDs. Each browser window would have its own session
> cookie. Each tab would share the session cookie - which is exactly how it
> should intuitively work.
>
> If you do this with IE 8 then there seems to be only ever one session. No
> matter how many browsers you open you get the same session and so you can
> login as only one user at a time.
>
> This is a problem for us with our own application, but it is also a problem
> with all web sites and we have reproduced it with Ebay for example.
>
> I haven't been able to find any settings in the UI to disable this.

03-26-2009
Re: IE 8 Release version is sharing session cookies across browsers
This behavior is by-design for IE8. We elected to make session
handling more consistent. Previously, some entry points would create
a new session (e.g. clicking a desktop icon) while others did not
(e.g. File > New Window).
There's a little test page that makes this easy to demo here:
http://www.enhanceie.com/test/sessions/
Now in IE8, new sessions are created explicitly, by clicking File >
New Session, or by starting iexplore.exe with the -nomerge command
line parameter.
I'll be putting up a post on this topic on the IEBlog (blogs.msdn.com/
ie) shortly.
Thanks,
Eric Lawrence
Security Program Manager
Internet Explorer
On Mar 23, 5:06 am, Steve H <Ste...@discussions.microsoft.com> wrote:
> Hi,
>
> We've got a big problem with IE 8.
>
> With IE 7 you could launch different browser sessions and login to a web
> site with different IDs. Each browser window would have its own session
> cookie. Each tab would share the session cookie - which is exactly how it
> should intuitively work.
>
> If you do this with IE 8 then there seems to be only ever one session. No
> matter how many browsers you open you get the same session and so you can
> login as only one user at a time.
>
> This is a problem for us with our own application, but it is also a problem
> with all web sites and we have reproduced it with Ebay for example.
>
> I haven't been able to find any settings in the UI to disable this.
>
> Best regards
>
> Steve
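
Added example (not part of any post in this thread, and not Microsoft's code): with IE8 sharing one session cookie across the windows of a browser session, a server cannot treat a closed window as a logout. This Node.js sketch decides expiry on the server through an idle timeout, an absolute lifetime and explicit logout; the class name, timeout values and user names are assumptions.

```javascript
const crypto = require('crypto');

// Hypothetical server-side session table. Expiry is decided here, so it does
// not depend on the browser discarding its session cookie when a window closes.
class SessionStore {
  constructor({ idleMs, absoluteMs, now = Date.now }) {
    this.idleMs = idleMs;         // maximum gap between two requests
    this.absoluteMs = absoluteMs; // maximum lifetime regardless of activity
    this.now = now;               // injectable clock so the logic is testable
    this.sessions = new Map();
  }

  create(user) {
    const id = crypto.randomBytes(32).toString('hex'); // unguessable cookie value
    const t = this.now();
    this.sessions.set(id, { user, createdAt: t, lastSeenAt: t });
    return id;
  }

  // Returns the user for a live session, or null. Expired entries are deleted.
  validate(id) {
    const s = this.sessions.get(id);
    if (!s) return null;
    const t = this.now();
    if (t - s.lastSeenAt > this.idleMs || t - s.createdAt > this.absoluteMs) {
      this.sessions.delete(id);
      return null;
    }
    s.lastSeenAt = t; // slide the idle window
    return s.user;
  }

  // Explicit logout: the cookie value is dead even if another window resends it.
  destroy(id) { return this.sessions.delete(id); }
}

// Constructed scenario: the same cookie value is presented again later.
function demo() {
  let clock = 0;
  const MIN = 60 * 1000;
  const store = new SessionStore({ idleMs: 10 * MIN, absoluteMs: 60 * MIN, now: () => clock });
  const id = store.create('alice');
  clock += 5 * MIN;
  const secondWindow = store.validate(id); // within the idle window
  clock += 11 * MIN;
  const afterIdle = store.validate(id);    // idle timeout exceeded
  const id2 = store.create('bob');
  store.destroy(id2);
  return { secondWindow, afterIdle, afterLogout: store.validate(id2) };
}
```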

03-26-2009
Re: IE 8 Release version is sharing session cookies across browsers
<<not to mention the other bugs in IE8 (such as ignoring the no-cache
headers which is another security problem) >>
IE8 does not "ignore" no-cache headers. As specified in RFC2616,
"Cache-Control: no-cache" is simply a directive to the client that it
should not reuse the cached-entry without revalidation. Internet
Explorer supports this directive. (Notably, this directive is
intended to have no bearing whatsoever on whether or not the browser
stores the content in its cache).
To learn more about caching, please see www.enhanceie.com/redir/?id=httpperf
Eric Lawrence
Program Manager
Internet Explorer Security
On Mar 25, 1:50 pm, Cesee <cesar.mar...@gmail.com> wrote:
> On Mar 25, 3:47 pm, Ace <jerah...@gmail.com> wrote:
>
> > On Mar 23, 5:06 am, Steve H <Ste...@discussions.microsoft.com> wrote:
>
> > > Hi,
>
> > > We've got a big problem with IE 8.
>
> > > With IE 7 you could launch different browser sessions and login to a web
> > > site with different IDs. Each browser window would have its own session
> > > cookie. Each tab would share the session cookie - which is exactly how it
> > > should intuitively work.
>
> > > If you do this with IE 8 then there seems to be only ever one session. No
> > > matter how many browsers you open you get the same session and so you can
> > > login as only one user at a time.
>
> > > This is a problem for us with our own application, but it is also a problem
> > > with all web sites and we have reproduced it with Ebay for example.
>
> > > I haven't been able to find any settings in the UI to disable this.
>
> > > Best regards
>
> > > Steve
>
> > I haven't been able to figure out how to do so either. This is a huge
> > problem, and it used to exist back in IE4 as well! It made such good
> > sense to have the session shared between tabs and new windows
> > generated from a running IE instance, with new IE processes getting a
> > new session. Argh, this is a huge setback in functionality.
>
> I think that even sharing a session between tabs is a big problem and
> it doesn't make sense to me, not to mention that it causes a major
> security problem.
>
> For example you can have two tabs, one is secure and one is unsecure,
> then close the secure one, and you won't even know that you are still
> logged in (clicking a bookmark on the desktop will automatically log
> you in... or somebody else in...)
>
> Another example is XS-Request-Forgery - this session between tabs
> thing makes it much easier for the attackers (you just need to open
> the email and the secure site in the same browser and click on a link
> in the mail...)
>
> Now with IE8 it's real HELL
>
> I think I'm gonna contact Microsoft about this, not to mention the
> other bugs in IE8 (such as ignoring the no-cache headers which is
> another security problem)
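
Added example (not from the thread): a small Node.js check of the distinction drawn in the reply above, where `no-cache` means a cached entry must be revalidated before reuse, while `no-store` is the RFC 2616 directive that tells a cache not to store the response. The function names and the sample responses are constructed for illustration.

```javascript
// Parse a Cache-Control value into { directive: value | true }.
// Simplification: splits on commas, so quoted values that contain commas
// (e.g. a no-cache field list with several names) are not handled.
function parseCacheControl(value) {
  const directives = {};
  for (const part of String(value || '').split(',')) {
    const m = part.trim().match(/^([A-Za-z0-9-]+)(?:\s*=\s*(?:"([^"]*)"|(\S*)))?$/);
    if (!m) continue; // skip empty or malformed parts
    directives[m[1].toLowerCase()] = m[2] ?? m[3] ?? true;
  }
  return directives;
}

// What a cache may do with the response under the two directives discussed.
function cachePolicy(value) {
  const d = parseCacheControl(value);
  return {
    mayStore: !('no-store' in d),           // only no-store forbids storing
    mustRevalidate: d['no-cache'] === true, // unqualified no-cache: revalidate before reuse
  };
}

// Defensive check: sensitive responses that a browser is still allowed to store.
function storableSensitive(responses) {
  return responses
    .filter((r) => r.sensitive && cachePolicy(r.cacheControl).mayStore)
    .map((r) => r.url);
}

// Constructed sample responses (URLs and header values are illustrative).
const SAMPLE = [
  { url: '/account/summary', sensitive: true, cacheControl: 'no-cache' },
  { url: '/account/statement', sensitive: true, cacheControl: 'no-store, no-cache' },
  { url: '/account/profile', sensitive: true, cacheControl: 'private, max-age=0' },
  { url: '/static/logo.png', sensitive: false, cacheControl: 'public, max-age=86400' },
  { url: '/account/transfer', sensitive: true, cacheControl: 'No-Store' },
];
```

Running `storableSensitive(SAMPLE)` flags the pages that send `no-cache` or `max-age=0` without `no-store`.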