Session Variables Persist Across Window Close on Mac IE 4.5 and Greater

I've noticed that session variables will persist on Mac IE even after all
browser windows have been closed. One must quit the program to clear the
session variables. This presents a security risk for my session variable
based security scheme.

Basically, the risk is that a user will login to my site, close the window
when done and allow someone else to come up to the machine, go back to my
site and be logged into the previous user's account.

Anyone know how to make session variables disappear when a window closes?
Any other ideas? Am I going to have to redesign my whole security scheme?

Any suggestions are appreciated.

Dave

re: Session Variables Persist Across Window Close on Mac IE 4.5 and Greater

Looks more of an issue with the IE version you are using on your machine.
Check support.microsoft.com to see if such an issue is already recognized,
and remedy if any.

--
Manohar Kamath
Editor, .netBooks
www.dotnetbooks.com


"Pack Fan" <pack@fan.com> wrote in message
news:vhoo4tq1anga5e@corp.supernews.com...[color=blue]
> I've noticed that session variables will persist on Mac IE even after all
> browser windows have been closed. One must quit the program to clear the
> session variables. This presents a security risk for my session variable
> based security scheme.
>
> Basically, the risk is that a user will login to my site, close the window
> when done and allow someone else to come up to the machine, go back to my
> site and be logged into the previous user's account.
>
> Anyone know how to make session variables disappear when a window closes?
> Any other ideas? Am I going to have to redesign my whole security scheme?
>
> Any suggestions are appreciated.
>
> Dave
>
>[/color]

re: Session Variables Persist Across Window Close on Mac IE 4.5 and Greater

I've been unable to find anything regarding this on support.microsoft.com. I
can't find anything of substance on IE for the Mac.

"Manohar Kamath [MVP]" <mkamath@TAKETHISOUTkamath.com> wrote in message
news:ewZPxK9TDHA.2204@TK2MSFTNGP12.phx.gbl...[color=blue]
> Looks more of an issue with the IE version you are using on your machine.
> Check support.microsoft.com to see if such an issue is already recognized,
> and remedy if any.
>
> --
> Manohar Kamath
> Editor, .netBooks
> www.dotnetbooks.com
>
>
> "Pack Fan" <pack@fan.com> wrote in message
> news:vhoo4tq1anga5e@corp.supernews.com...[color=green]
> > I've noticed that session variables will persist on Mac IE even after[/color][/color]
all[color=blue][color=green]
> > browser windows have been closed. One must quit the program to clear the
> > session variables. This presents a security risk for my session variable
> > based security scheme.
> >
> > Basically, the risk is that a user will login to my site, close the[/color][/color]
window[color=blue][color=green]
> > when done and allow someone else to come up to the machine, go back to[/color][/color]
my[color=blue][color=green]
> > site and be logged into the previous user's account.
> >
> > Anyone know how to make session variables disappear when a window[/color][/color]
closes?[color=blue][color=green]
> > Any other ideas? Am I going to have to redesign my whole security[/color][/color]
scheme?[color=blue][color=green]
> >
> > Any suggestions are appreciated.
> >
> > Dave
> >
> >[/color]
>
>[/color]

re: Session Variables Persist Across Window Close on Mac IE 4.5 and Greater

If its an ASP site then use Global.asa to redirect to the login page if a
particluar session variable is not set -- once logged in then set it.
Of course this is all based on the understanding that session is not
persisted across windows on the same machine. Just tested it on W2K and the
session is not 'shared' across two windows.

Oh well - a warning should suffice to Mac users that multiple windows on the
same machine will have issues.

Chris.


"Pack Fan" <pack@fan.com> wrote in message
news:vhp57p4ap4cpc1@corp.supernews.com...[color=blue]
> I'm not implementing session variables myself.
>
> I know you're right on the session vars being private to HTTP sessions on
> Windows. But it just isn't the case with IE on the Mac. I can open one
> window, login and then open a second which will also be logged in. Log out
> of the first one, refresh second, it's logged out, too.
>
> I'd call Session.Abandon on login, but it won't stop people from skipping
> the login page and going straight to "protected" pages.
>
> Don't know what to do.
>
> "Chris Barber" <chris@blue-canoe.co.uk.NOSPAM> wrote in message
> news:O5s0ZN9TDHA.2092@TK2MSFTNGP10.phx.gbl...[color=green]
> > Session variables are private to a HTTP session - a new browser window[/color]
> will[color=green]
> > *not* get access to the previous session variables since the cookie that[/color]
> is[color=green]
> > used to maintain session state is cleared when the browser window opens[/color]
> (may[color=green]
> > also be cleared when the window closes - not sure).
> >
> > Or perhaps you are implementing your own session state?
> >
> > Then again - Mac IE is useless anyway so perhaps you are right. Please
> > accept my apologies if this is the case. You could always call
> > 'Session.Abandon' on entering the login page to clear any previous[/color]
> sessions.[color=green]
> >
> > Chris.
> >
> > "Pack Fan" <pack@fan.com> wrote in message
> > news:vhoo4tq1anga5e@corp.supernews.com...[color=darkred]
> > > I've noticed that session variables will persist on Mac IE even after[/color][/color]
> all[color=green][color=darkred]
> > > browser windows have been closed. One must quit the program to clear[/color][/color][/color]
the[color=blue][color=green][color=darkred]
> > > session variables. This presents a security risk for my session[/color][/color][/color]
variable[color=blue][color=green][color=darkred]
> > > based security scheme.
> > >
> > > Basically, the risk is that a user will login to my site, close the[/color][/color]
> window[color=green][color=darkred]
> > > when done and allow someone else to come up to the machine, go back to[/color][/color]
> my[color=green][color=darkred]
> > > site and be logged into the previous user's account.
> > >
> > > Anyone know how to make session variables disappear when a window[/color][/color]
> closes?[color=green][color=darkred]
> > > Any other ideas? Am I going to have to redesign my whole security[/color][/color]
> scheme?[color=green][color=darkred]
> > >
> > > Any suggestions are appreciated.
> > >
> > > Dave
> > >
> > >[/color]
> >
> >[/color]
>
>[/color]

re: Session Variables Persist Across Window Close on Mac IE 4.5 and Greater

If they close all the IE windows and re-open IE are they still logged on?

--
Mark Schupp
--
Head of Development
Integrity eLearning
Online Learning Solutions Provider
mschupp@ielearning.com
http://www.ielearning.com
714.637.9480 x17


"Pack Fan" <pack@fan.com> wrote in message
news:vhp57p4ap4cpc1@corp.supernews.com...[color=blue]
> I'm not implementing session variables myself.
>
> I know you're right on the session vars being private to HTTP sessions on
> Windows. But it just isn't the case with IE on the Mac. I can open one
> window, login and then open a second which will also be logged in. Log out
> of the first one, refresh second, it's logged out, too.
>
> I'd call Session.Abandon on login, but it won't stop people from skipping
> the login page and going straight to "protected" pages.
>
> Don't know what to do.
>
> "Chris Barber" <chris@blue-canoe.co.uk.NOSPAM> wrote in message
> news:O5s0ZN9TDHA.2092@TK2MSFTNGP10.phx.gbl...[color=green]
> > Session variables are private to a HTTP session - a new browser window[/color]
> will[color=green]
> > *not* get access to the previous session variables since the cookie that[/color]
> is[color=green]
> > used to maintain session state is cleared when the browser window opens[/color]
> (may[color=green]
> > also be cleared when the window closes - not sure).
> >
> > Or perhaps you are implementing your own session state?
> >
> > Then again - Mac IE is useless anyway so perhaps you are right. Please
> > accept my apologies if this is the case. You could always call
> > 'Session.Abandon' on entering the login page to clear any previous[/color]
> sessions.[color=green]
> >
> > Chris.
> >
> > "Pack Fan" <pack@fan.com> wrote in message
> > news:vhoo4tq1anga5e@corp.supernews.com...[color=darkred]
> > > I've noticed that session variables will persist on Mac IE even after[/color][/color]
> all[color=green][color=darkred]
> > > browser windows have been closed. One must quit the program to clear[/color][/color][/color]
the[color=blue][color=green][color=darkred]
> > > session variables. This presents a security risk for my session[/color][/color][/color]
variable[color=blue][color=green][color=darkred]
> > > based security scheme.
> > >
> > > Basically, the risk is that a user will login to my site, close the[/color][/color]
> window[color=green][color=darkred]
> > > when done and allow someone else to come up to the machine, go back to[/color][/color]
> my[color=green][color=darkred]
> > > site and be logged into the previous user's account.
> > >
> > > Anyone know how to make session variables disappear when a window[/color][/color]
> closes?[color=green][color=darkred]
> > > Any other ideas? Am I going to have to redesign my whole security[/color][/color]
> scheme?[color=green][color=darkred]
> > >
> > > Any suggestions are appreciated.
> > >
> > > Dave
> > >
> > >[/color]
> >
> >[/color]
>
>[/color]

re: Session Variables Persist Across Window Close on Mac IE 4.5 and Greater

If you close all IE windows and re-open you'll still be logged in. You have
to either quit IE, explicitly log out on the site or let the session expire
to log out.

I assume there's no way to make session vars private to a single window on
Mac IE. At this point, all I can think to do is put up a warning.

"Mark Schupp" <mschupp@ielearning.com> wrote in message
news:u65KAhGUDHA.2008@TK2MSFTNGP11.phx.gbl...[color=blue]
> If they close all the IE windows and re-open IE are they still logged on?
>
> --
> Mark Schupp
> --
> Head of Development
> Integrity eLearning
> Online Learning Solutions Provider
> mschupp@ielearning.com
> http://www.ielearning.com
> 714.637.9480 x17
>
>
> "Pack Fan" <pack@fan.com> wrote in message
> news:vhp57p4ap4cpc1@corp.supernews.com...[color=green]
> > I'm not implementing session variables myself.
> >
> > I know you're right on the session vars being private to HTTP sessions[/color][/color]
on[color=blue][color=green]
> > Windows. But it just isn't the case with IE on the Mac. I can open one
> > window, login and then open a second which will also be logged in. Log[/color][/color]
out[color=blue][color=green]
> > of the first one, refresh second, it's logged out, too.
> >
> > I'd call Session.Abandon on login, but it won't stop people from[/color][/color]
skipping[color=blue][color=green]
> > the login page and going straight to "protected" pages.
> >
> > Don't know what to do.
> >
> > "Chris Barber" <chris@blue-canoe.co.uk.NOSPAM> wrote in message
> > news:O5s0ZN9TDHA.2092@TK2MSFTNGP10.phx.gbl...[color=darkred]
> > > Session variables are private to a HTTP session - a new browser window[/color]
> > will[color=darkred]
> > > *not* get access to the previous session variables since the cookie[/color][/color][/color]
that[color=blue][color=green]
> > is[color=darkred]
> > > used to maintain session state is cleared when the browser window[/color][/color][/color]
opens[color=blue][color=green]
> > (may[color=darkred]
> > > also be cleared when the window closes - not sure).
> > >
> > > Or perhaps you are implementing your own session state?
> > >
> > > Then again - Mac IE is useless anyway so perhaps you are right. Please
> > > accept my apologies if this is the case. You could always call
> > > 'Session.Abandon' on entering the login page to clear any previous[/color]
> > sessions.[color=darkred]
> > >
> > > Chris.
> > >
> > > "Pack Fan" <pack@fan.com> wrote in message
> > > news:vhoo4tq1anga5e@corp.supernews.com...
> > > > I've noticed that session variables will persist on Mac IE even[/color][/color][/color]
after[color=blue][color=green]
> > all[color=darkred]
> > > > browser windows have been closed. One must quit the program to clear[/color][/color]
> the[color=green][color=darkred]
> > > > session variables. This presents a security risk for my session[/color][/color]
> variable[color=green][color=darkred]
> > > > based security scheme.
> > > >
> > > > Basically, the risk is that a user will login to my site, close the[/color]
> > window[color=darkred]
> > > > when done and allow someone else to come up to the machine, go back[/color][/color][/color]
to[color=blue][color=green]
> > my[color=darkred]
> > > > site and be logged into the previous user's account.
> > > >
> > > > Anyone know how to make session variables disappear when a window[/color]
> > closes?[color=darkred]
> > > > Any other ideas? Am I going to have to redesign my whole security[/color]
> > scheme?[color=darkred]
> > > >
> > > > Any suggestions are appreciated.
> > > >
> > > > Dave
> > > >
> > > >
> > >
> > >[/color]
> >
> >[/color]
>
>[/color]

re: Session Variables Persist Across Window Close on Mac IE 4.5 and Greater

How can you still have to "quit IE" if you have closed all of its windows?
[color=blue]
> I assume there's no way to make session vars private to a single window on
> Mac IE. At this point, all I can think to do is put up a warning.[/color]
Some people would call this a feature rather than a bug (having new windows
share the same session).
I am not familiar with IE for Mac but you might check for any settings in IE
named like "browse in new process".

--
Mark Schupp
--
Head of Development
Integrity eLearning
Online Learning Solutions Provider
mschupp@ielearning.com
http://www.ielearning.com
714.637.9480 x17


"Pack Fan" <pack@fan.com> wrote in message
news:vhrr18nddo4986@corp.supernews.com...[color=blue]
> If you close all IE windows and re-open you'll still be logged in. You[/color]
have[color=blue]
> to either quit IE, explicitly log out on the site or let the session[/color]
expire[color=blue]
> to log out.
>
> I assume there's no way to make session vars private to a single window on
> Mac IE. At this point, all I can think to do is put up a warning.
>
> "Mark Schupp" <mschupp@ielearning.com> wrote in message
> news:u65KAhGUDHA.2008@TK2MSFTNGP11.phx.gbl...[color=green]
> > If they close all the IE windows and re-open IE are they still logged[/color][/color]
on?[color=blue][color=green]
> >
> > --
> > Mark Schupp
> > --
> > Head of Development
> > Integrity eLearning
> > Online Learning Solutions Provider
> > mschupp@ielearning.com
> > http://www.ielearning.com
> > 714.637.9480 x17
> >
> >
> > "Pack Fan" <pack@fan.com> wrote in message
> > news:vhp57p4ap4cpc1@corp.supernews.com...[color=darkred]
> > > I'm not implementing session variables myself.
> > >
> > > I know you're right on the session vars being private to HTTP sessions[/color][/color]
> on[color=green][color=darkred]
> > > Windows. But it just isn't the case with IE on the Mac. I can open one
> > > window, login and then open a second which will also be logged in. Log[/color][/color]
> out[color=green][color=darkred]
> > > of the first one, refresh second, it's logged out, too.
> > >
> > > I'd call Session.Abandon on login, but it won't stop people from[/color][/color]
> skipping[color=green][color=darkred]
> > > the login page and going straight to "protected" pages.
> > >
> > > Don't know what to do.
> > >
> > > "Chris Barber" <chris@blue-canoe.co.uk.NOSPAM> wrote in message
> > > news:O5s0ZN9TDHA.2092@TK2MSFTNGP10.phx.gbl...
> > > > Session variables are private to a HTTP session - a new browser[/color][/color][/color]
window[color=blue][color=green][color=darkred]
> > > will
> > > > *not* get access to the previous session variables since the cookie[/color][/color]
> that[color=green][color=darkred]
> > > is
> > > > used to maintain session state is cleared when the browser window[/color][/color]
> opens[color=green][color=darkred]
> > > (may
> > > > also be cleared when the window closes - not sure).
> > > >
> > > > Or perhaps you are implementing your own session state?
> > > >
> > > > Then again - Mac IE is useless anyway so perhaps you are right.[/color][/color][/color]
Please[color=blue][color=green][color=darkred]
> > > > accept my apologies if this is the case. You could always call
> > > > 'Session.Abandon' on entering the login page to clear any previous
> > > sessions.
> > > >
> > > > Chris.
> > > >
> > > > "Pack Fan" <pack@fan.com> wrote in message
> > > > news:vhoo4tq1anga5e@corp.supernews.com...
> > > > > I've noticed that session variables will persist on Mac IE even[/color][/color]
> after[color=green][color=darkred]
> > > all
> > > > > browser windows have been closed. One must quit the program to[/color][/color][/color]
clear[color=blue][color=green]
> > the[color=darkred]
> > > > > session variables. This presents a security risk for my session[/color]
> > variable[color=darkred]
> > > > > based security scheme.
> > > > >
> > > > > Basically, the risk is that a user will login to my site, close[/color][/color][/color]
the[color=blue][color=green][color=darkred]
> > > window
> > > > > when done and allow someone else to come up to the machine, go[/color][/color][/color]
back[color=blue]
> to[color=green][color=darkred]
> > > my
> > > > > site and be logged into the previous user's account.
> > > > >
> > > > > Anyone know how to make session variables disappear when a window
> > > closes?
> > > > > Any other ideas? Am I going to have to redesign my whole security
> > > scheme?
> > > > >
> > > > > Any suggestions are appreciated.
> > > > >
> > > > > Dave
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >[/color]
> >
> >[/color]
>
>[/color]

re: Session Variables Persist Across Window Close on Mac IE 4.5 and Greater

You haven't used a Mac, have you? :) It's considered very bad form, on the
Mac, to write an app that quits by closing a window. Since the menu bar
isn't tied to a window it's still there when you close a window. All windows
closed? Just go select file:new to open a new one.

"Mark Schupp" <mschupp@ielearning.com> wrote in message
news:eVr3o5SUDHA.1588@TK2MSFTNGP11.phx.gbl...[color=blue]
> How can you still have to "quit IE" if you have closed all of its windows?
>[color=green]
> > I assume there's no way to make session vars private to a single window[/color][/color]
on[color=blue][color=green]
> > Mac IE. At this point, all I can think to do is put up a warning.[/color]
> Some people would call this a feature rather than a bug (having new[/color]
windows[color=blue]
> share the same session).
> I am not familiar with IE for Mac but you might check for any settings in[/color]
IE[color=blue]
> named like "browse in new process".
>
> --
> Mark Schupp
> --
> Head of Development
> Integrity eLearning
> Online Learning Solutions Provider
> mschupp@ielearning.com
> http://www.ielearning.com
> 714.637.9480 x17
>
>
> "Pack Fan" <pack@fan.com> wrote in message
> news:vhrr18nddo4986@corp.supernews.com...[color=green]
> > If you close all IE windows and re-open you'll still be logged in. You[/color]
> have[color=green]
> > to either quit IE, explicitly log out on the site or let the session[/color]
> expire[color=green]
> > to log out.
> >
> > I assume there's no way to make session vars private to a single window[/color][/color]
on[color=blue][color=green]
> > Mac IE. At this point, all I can think to do is put up a warning.
> >
> > "Mark Schupp" <mschupp@ielearning.com> wrote in message
> > news:u65KAhGUDHA.2008@TK2MSFTNGP11.phx.gbl...[color=darkred]
> > > If they close all the IE windows and re-open IE are they still logged[/color][/color]
> on?[color=green][color=darkred]
> > >
> > > --
> > > Mark Schupp
> > > --
> > > Head of Development
> > > Integrity eLearning
> > > Online Learning Solutions Provider
> > > mschupp@ielearning.com
> > > http://www.ielearning.com
> > > 714.637.9480 x17
> > >
> > >
> > > "Pack Fan" <pack@fan.com> wrote in message
> > > news:vhp57p4ap4cpc1@corp.supernews.com...
> > > > I'm not implementing session variables myself.
> > > >
> > > > I know you're right on the session vars being private to HTTP[/color][/color][/color]
sessions[color=blue][color=green]
> > on[color=darkred]
> > > > Windows. But it just isn't the case with IE on the Mac. I can open[/color][/color][/color]
one[color=blue][color=green][color=darkred]
> > > > window, login and then open a second which will also be logged in.[/color][/color][/color]
Log[color=blue][color=green]
> > out[color=darkred]
> > > > of the first one, refresh second, it's logged out, too.
> > > >
> > > > I'd call Session.Abandon on login, but it won't stop people from[/color]
> > skipping[color=darkred]
> > > > the login page and going straight to "protected" pages.
> > > >
> > > > Don't know what to do.
> > > >
> > > > "Chris Barber" <chris@blue-canoe.co.uk.NOSPAM> wrote in message
> > > > news:O5s0ZN9TDHA.2092@TK2MSFTNGP10.phx.gbl...
> > > > > Session variables are private to a HTTP session - a new browser[/color][/color]
> window[color=green][color=darkred]
> > > > will
> > > > > *not* get access to the previous session variables since the[/color][/color][/color]
cookie[color=blue][color=green]
> > that[color=darkred]
> > > > is
> > > > > used to maintain session state is cleared when the browser window[/color]
> > opens[color=darkred]
> > > > (may
> > > > > also be cleared when the window closes - not sure).
> > > > >
> > > > > Or perhaps you are implementing your own session state?
> > > > >
> > > > > Then again - Mac IE is useless anyway so perhaps you are right.[/color][/color]
> Please[color=green][color=darkred]
> > > > > accept my apologies if this is the case. You could always call
> > > > > 'Session.Abandon' on entering the login page to clear any previous
> > > > sessions.
> > > > >
> > > > > Chris.
> > > > >
> > > > > "Pack Fan" <pack@fan.com> wrote in message
> > > > > news:vhoo4tq1anga5e@corp.supernews.com...
> > > > > > I've noticed that session variables will persist on Mac IE even[/color]
> > after[color=darkred]
> > > > all
> > > > > > browser windows have been closed. One must quit the program to[/color][/color]
> clear[color=green][color=darkred]
> > > the
> > > > > > session variables. This presents a security risk for my session
> > > variable
> > > > > > based security scheme.
> > > > > >
> > > > > > Basically, the risk is that a user will login to my site, close[/color][/color]
> the[color=green][color=darkred]
> > > > window
> > > > > > when done and allow someone else to come up to the machine, go[/color][/color]
> back[color=green]
> > to[color=darkred]
> > > > my
> > > > > > site and be logged into the previous user's account.
> > > > > >
> > > > > > Anyone know how to make session variables disappear when a[/color][/color][/color]
window[color=blue][color=green][color=darkred]
> > > > closes?
> > > > > > Any other ideas? Am I going to have to redesign my whole[/color][/color][/color]
security[color=blue][color=green][color=darkred]
> > > > scheme?
> > > > > >
> > > > > > Any suggestions are appreciated.
> > > > > >
> > > > > > Dave
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >[/color]
> >
> >[/color]
>
>[/color]

re: Session Variables Persist Across Window Close on Mac IE 4.5 and Greater

Avoided MACs like the plague (still POed at Apple since I couldn't afford an
Apple II when I wanted one).
We did finally test our App against one last release. NS was a waste of
space, IE worked (sort of).

--
Mark Schupp
--
Head of Development
Integrity eLearning
Online Learning Solutions Provider
mschupp@ielearning.com
http://www.ielearning.com
714.637.9480 x17


"Pack Fan" <pack@fan.com> wrote in message
news:vhuko7lsi1i9ac@corp.supernews.com...[color=blue]
> You haven't used a Mac, have you? :) It's considered very bad form, on the
> Mac, to write an app that quits by closing a window. Since the menu bar
> isn't tied to a window it's still there when you close a window. All[/color]
windows[color=blue]
> closed? Just go select file:new to open a new one.
>
> "Mark Schupp" <mschupp@ielearning.com> wrote in message
> news:eVr3o5SUDHA.1588@TK2MSFTNGP11.phx.gbl...[color=green]
> > How can you still have to "quit IE" if you have closed all of its[/color][/color]
windows?[color=blue][color=green]
> >[color=darkred]
> > > I assume there's no way to make session vars private to a single[/color][/color][/color]
window[color=blue]
> on[color=green][color=darkred]
> > > Mac IE. At this point, all I can think to do is put up a warning.[/color]
> > Some people would call this a feature rather than a bug (having new[/color]
> windows[color=green]
> > share the same session).
> > I am not familiar with IE for Mac but you might check for any settings[/color][/color]
in[color=blue]
> IE[color=green]
> > named like "browse in new process".
> >
> > --
> > Mark Schupp
> > --
> > Head of Development
> > Integrity eLearning
> > Online Learning Solutions Provider
> > mschupp@ielearning.com
> > http://www.ielearning.com
> > 714.637.9480 x17
> >
> >
> > "Pack Fan" <pack@fan.com> wrote in message
> > news:vhrr18nddo4986@corp.supernews.com...[color=darkred]
> > > If you close all IE windows and re-open you'll still be logged in. You[/color]
> > have[color=darkred]
> > > to either quit IE, explicitly log out on the site or let the session[/color]
> > expire[color=darkred]
> > > to log out.
> > >
> > > I assume there's no way to make session vars private to a single[/color][/color][/color]
window[color=blue]
> on[color=green][color=darkred]
> > > Mac IE. At this point, all I can think to do is put up a warning.
> > >
> > > "Mark Schupp" <mschupp@ielearning.com> wrote in message
> > > news:u65KAhGUDHA.2008@TK2MSFTNGP11.phx.gbl...
> > > > If they close all the IE windows and re-open IE are they still[/color][/color][/color]
logged[color=blue][color=green]
> > on?[color=darkred]
> > > >
> > > > --
> > > > Mark Schupp
> > > > --
> > > > Head of Development
> > > > Integrity eLearning
> > > > Online Learning Solutions Provider
> > > > mschupp@ielearning.com
> > > > http://www.ielearning.com
> > > > 714.637.9480 x17
> > > >
> > > >
> > > > "Pack Fan" <pack@fan.com> wrote in message
> > > > news:vhp57p4ap4cpc1@corp.supernews.com...
> > > > > I'm not implementing session variables myself.
> > > > >
> > > > > I know you're right on the session vars being private to HTTP[/color][/color]
> sessions[color=green][color=darkred]
> > > on
> > > > > Windows. But it just isn't the case with IE on the Mac. I can open[/color][/color]
> one[color=green][color=darkred]
> > > > > window, login and then open a second which will also be logged in.[/color][/color]
> Log[color=green][color=darkred]
> > > out
> > > > > of the first one, refresh second, it's logged out, too.
> > > > >
> > > > > I'd call Session.Abandon on login, but it won't stop people from
> > > skipping
> > > > > the login page and going straight to "protected" pages.
> > > > >
> > > > > Don't know what to do.
> > > > >
> > > > > "Chris Barber" <chris@blue-canoe.co.uk.NOSPAM> wrote in message
> > > > > news:O5s0ZN9TDHA.2092@TK2MSFTNGP10.phx.gbl...
> > > > > > Session variables are private to a HTTP session - a new browser[/color]
> > window[color=darkred]
> > > > > will
> > > > > > *not* get access to the previous session variables since the[/color][/color]
> cookie[color=green][color=darkred]
> > > that
> > > > > is
> > > > > > used to maintain session state is cleared when the browser[/color][/color][/color]
window[color=blue][color=green][color=darkred]
> > > opens
> > > > > (may
> > > > > > also be cleared when the window closes - not sure).
> > > > > >
> > > > > > Or perhaps you are implementing your own session state?
> > > > > >
> > > > > > Then again - Mac IE is useless anyway so perhaps you are right.[/color]
> > Please[color=darkred]
> > > > > > accept my apologies if this is the case. You could always call
> > > > > > 'Session.Abandon' on entering the login page to clear any[/color][/color][/color]
previous[color=blue][color=green][color=darkred]
> > > > > sessions.
> > > > > >
> > > > > > Chris.
> > > > > >
> > > > > > "Pack Fan" <pack@fan.com> wrote in message
> > > > > > news:vhoo4tq1anga5e@corp.supernews.com...
> > > > > > > I've noticed that session variables will persist on Mac IE[/color][/color][/color]
even[color=blue][color=green][color=darkred]
> > > after
> > > > > all
> > > > > > > browser windows have been closed. One must quit the program to[/color]
> > clear[color=darkred]
> > > > the
> > > > > > > session variables. This presents a security risk for my[/color][/color][/color]
session[color=blue][color=green][color=darkred]
> > > > variable
> > > > > > > based security scheme.
> > > > > > >
> > > > > > > Basically, the risk is that a user will login to my site,[/color][/color][/color]
close[color=blue][color=green]
> > the[color=darkred]
> > > > > window
> > > > > > > when done and allow someone else to come up to the machine, go[/color]
> > back[color=darkred]
> > > to
> > > > > my
> > > > > > > site and be logged into the previous user's account.
> > > > > > >
> > > > > > > Anyone know how to make session variables disappear when a[/color][/color]
> window[color=green][color=darkred]
> > > > > closes?
> > > > > > > Any other ideas? Am I going to have to redesign my whole[/color][/color]
> security[color=green][color=darkred]
> > > > > scheme?
> > > > > > >
> > > > > > > Any suggestions are appreciated.
> > > > > > >
> > > > > > > Dave
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >[/color]
> >
> >[/color]
>
>[/color]

re: Session Variables Persist Across Window Close on Mac IE 4.5 and Greater

Just to add my two cents. We are using IE 6.0 for Windows and we are
having the same problem. A user logs in to our Web application, which
stores information in the session variables. If they close the
browser without logging out of the application they can some times
open the browser again and it will skip the log in page because the
session information has been retained. One user even said that she
rebooted and it still happened, though I didn't see that.

The one time I did see it with my very own eyes, the user had another
IE Browser window open (to a different site). When I had her close
that other window, and try again, the Session information was deleted
and she was asked to log in again.

I'd love to hear if anyone else has run into this or has a solution.
Diane Y

"Mark Schupp" <mschupp@ielearning.com> wrote in message news:<u65KAhGUDHA.2008@TK2MSFTNGP11.phx.gbl>...[color=blue]
> If they close all the IE windows and re-open IE are they still logged on?
>
> --
> Mark Schupp
> --
> Head of Development
> Integrity eLearning
> Online Learning Solutions Provider
> mschupp@ielearning.com
> http://www.ielearning.com
> 714.637.9480 x17
>
>
> "Pack Fan" <pack@fan.com> wrote in message
> news:vhp57p4ap4cpc1@corp.supernews.com...[color=green]
> > I'm not implementing session variables myself.
> >
> > I know you're right on the session vars being private to HTTP sessions on
> > Windows. But it just isn't the case with IE on the Mac. I can open one
> > window, login and then open a second which will also be logged in. Log out
> > of the first one, refresh second, it's logged out, too.
> >
> > I'd call Session.Abandon on login, but it won't stop people from skipping
> > the login page and going straight to "protected" pages.
> >
> > Don't know what to do.
> >
> > "Chris Barber" <chris@blue-canoe.co.uk.NOSPAM> wrote in message
> > news:O5s0ZN9TDHA.2092@TK2MSFTNGP10.phx.gbl...[color=darkred]
> > > Session variables are private to a HTTP session - a new browser window[/color][/color]
> will[color=green][color=darkred]
> > > *not* get access to the previous session variables since the cookie that[/color][/color]
> is[color=green][color=darkred]
> > > used to maintain session state is cleared when the browser window opens[/color][/color]
> (may[color=green][color=darkred]
> > > also be cleared when the window closes - not sure).
> > >
> > > Or perhaps you are implementing your own session state?
> > >
> > > Then again - Mac IE is useless anyway so perhaps you are right. Please
> > > accept my apologies if this is the case. You could always call
> > > 'Session.Abandon' on entering the login page to clear any previous[/color][/color]
> sessions.[color=green][color=darkred]
> > >
> > > Chris.
> > >
> > > "Pack Fan" <pack@fan.com> wrote in message
> > > news:vhoo4tq1anga5e@corp.supernews.com...
> > > > I've noticed that session variables will persist on Mac IE even after[/color][/color]
> all[color=green][color=darkred]
> > > > browser windows have been closed. One must quit the program to clear[/color][/color]
> the[color=green][color=darkred]
> > > > session variables. This presents a security risk for my session[/color][/color]
> variable[color=green][color=darkred]
> > > > based security scheme.
> > > >
> > > > Basically, the risk is that a user will login to my site, close the[/color][/color]
> window[color=green][color=darkred]
> > > > when done and allow someone else to come up to the machine, go back to[/color][/color]
> my[color=green][color=darkred]
> > > > site and be logged into the previous user's account.
> > > >
> > > > Anyone know how to make session variables disappear when a window[/color][/color]
> closes?[color=green][color=darkred]
> > > > Any other ideas? Am I going to have to redesign my whole security[/color][/color]
> scheme?[color=green][color=darkred]
> > > >
> > > > Any suggestions are appreciated.
> > > >
> > > > Dave
> > > >
> > > >
> > >
> > >[/color]
> >
> >[/color][/color]