ASP and Session Variables

I've noticed that in my ASP application that session variables are not carried over from
one IE6 open browser window to another.

Can anyone tell me how IE can do this? It seems like it's a useful protection mechanism
that I can add to my application.

BTW, I'm looking for a way to determine if someone is moving cookies between computers.
How IE and/or ASP handles sessions might give me some insights (and I'm open to
suggestions as to how to prevent cookie stealing?)

Thanks,

Bill.
Apr 1 '06 #1
<WARNING: THIS IS THE REAL THING, not an april fools day drill>

Bill wrote on 01 apr 2006 in microsoft.public.inetserver.asp.general:
I've noticed that in my ASP application that session variables are not
carried over from one IE6 open browser window to another.

Can anyone tell me how IE can do this? It seems like it's a useful
protection mechanism that I can add to my application.
Session variables [in the ASP sense] are strictly serverside values, and
are only accessible through asp. To get them into the html stream by value,
do:

<br>my height is : <%=myHeight %> cm<br>

The browser knows nothing about those session variables.

The only thing that the browser does is store the session-id as a "ram-
cookie" [= a cookie without a set expiration date+time] to identify the
session to the server.
BTW, I'm looking for a way to determine if someone is moving cookies
between computers.
Never met one. This seems another subject, so preferably you would start
a new thread.
How IE and/or ASP handles sessions might give me
some insights
See above. The session in this sense only has meaning on the server.
(and I'm open to suggestions as to how to prevent cookie
stealing?)


ask: <http://tinyurl.com/s5l2s>

====================

BTW: client side there is also a session in a sense, meaning the time
during which the browser is "on" and retains its ram-cookies, that
therefore rather confusingly are called session-cookies. There is no
connection between these two things called session, except that the end
of this "client-session" unmistakenly ends the session-id of the asp
server session.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my email address)
Apr 1 '06 #2
Bill wrote:
I've noticed that in my ASP application that session variables are
not carried over from one IE6 open browser window to another.

I have not noticed that. In fact, I've noticed that I have to close all
browser windows in order to force a new session to be started on my machine.
Can anyone tell me how IE can do this? It seems like it's a useful
protection mechanism that I can add to my application.

BTW, I'm looking for a way to determine if someone is moving cookies
between computers. How IE and/or ASP handles sessions might give me
some insights (and I'm open to suggestions as to how to prevent
cookie stealing?)

You may be thinking of cross-site scripting (XSS). There was a XSS
vulnerability in HotMail that allowed a user's .Net Passport session cookies
to be stolen (that vulnerability has since been plugged). There are a few
good links about that via Google:
http://www.google.com/search?hl=en&q...ipting&spell=1

For other ways:
http://www.google.com/search?hl=en&lr=&q=steal+cookies
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Apr 1 '06 #3
"Bob Barrows [MVP]" wrote:
I have not noticed that. In fact, I've noticed that I have to
close all browser windows in order to force a new session to
be started on my machine.


Then I suggest you have not looked very hard, Bob. This is hinted at here...
http://aspfaq.com/show.asp?id=2157

...and easy to confirm for yourself. Create a script that does nothing more
than display the session ID. Browse to it with IE. Open another instance of
IE FROM WINDOWS (Start:Run:iexplore.exe) and see your new session ID. Open a
new window FROM IE (CTRL+N) and see the shared session ID.

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
Apr 1 '06 #4
Dave Anderson wrote:
"Bob Barrows [MVP]" wrote:
I have not noticed that. In fact, I've noticed that I have to
close all browser windows in order to force a new session to
be started on my machine.


Then I suggest you have not looked very hard, Bob. This is hinted at
here... http://aspfaq.com/show.asp?id=2157

...and easy to confirm for yourself. Create a script that does
nothing more than display the session ID. Browse to it with IE. Open
another instance of IE FROM WINDOWS (Start:Run:iexplore.exe) and see
your new session ID. Open a new window FROM IE (CTRL+N) and see the
shared session ID.


Exactly. That's what I'm talking about. All pages have to be closed before a
new session id is created. The OP was saying that he noticed the opposite
occurring ... I think ... let me check ... right, he said " ... session
variables are not carried over from one IE6 open browser window to another
... ". I have never seen this behavior.

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Apr 1 '06 #5
"Bob Barrows [MVP]" wrote:
Create a script that does nothing more than display the
session ID. Browse to it with IE. Open another instance
of IE FROM WINDOWS (Start:Run:iexplore.exe) and see your
new session ID. Open a new window FROM IE (CTRL+N) and
see the shared session ID.
Exactly. That's what I'm talking about. All pages have to
be closed before a new session id is created.


Uh - you seem to have read what I wrote to mean the opposite of what I
intended. Read it again, but pretend I did not forget to mention that you
should leave all windows open as you proceed. Two of the windows will share
a session ID, while the third will have its own.

" ... session variables are not carried over from one IE6
open browser window to another ... ". I have never seen
this behavior.


Looking back at the link I posted, note:

3. Check that you aren't expecting to maintain session
variables across:

* Browser windows (see Article #2172)
* Framesets (see KB #178037 and KB #323752)
* etc.

This is a well-known and long-standing problem with IE. I have observed
instances where users could affect the session behavior (between popup
windows and their openers) by changing the number of applications running on
the client machine[1].

What's especially troubling about this setting is that it affects *all*
transient cookies, not just ASP session ones. This is a real pain in the
posterior, IMO. The least Microsoft could have done when implementing[2]
this is give the developer a means (like a switch in the window.open
parameters) to explicitly choose one way or the other.
-
[1] No kidding. My best guess for the reason is that IE chooses when to use
the "browse new windows in a separate process" setting based on local
resources. KB 240928 says this is a function of physical RAM, but I have
observed differently.

[2] I prefer "thrusting upon us" to "implementing", in this case.
--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
Apr 1 '06 #6

"Dave Anderson" <GT**********@spammotel.com> wrote in message
news:12*************@corp.supernews.com...
"Bob Barrows [MVP]" wrote:
Create a script that does nothing more than display the
session ID. Browse to it with IE. Open another instance
of IE FROM WINDOWS (Start:Run:iexplore.exe) and see your
new session ID. Open a new window FROM IE (CTRL+N) and
see the shared session ID.
Exactly. That's what I'm talking about. All pages have to
be closed before a new session id is created.


Uh - you seem to have read what I wrote to mean the opposite of what I
intended. Read it again, but pretend I did not forget to mention that you
should leave all windows open as you proceed. Two of the windows will
share a session ID, while the third will have its own.

" ... session variables are not carried over from one IE6
open browser window to another ... ". I have never seen
this behavior.
Looking back at the link I posted, note:

3. Check that you aren't expecting to maintain session
variables across:

* Browser windows (see Article #2172)
* Framesets (see KB #178037 and KB #323752)
* etc.

This is a well-known and long-standing problem with IE. I have observed
instances where users could affect the session behavior (between popup
windows and their openers) by changing the number of applications running
on the client machine[1].

What's especially troubling about this setting is that it affects *all*
transient cookies, not just ASP session ones. This is a real pain in the
posterior, IMO. The least Microsoft could have done when implementing[2]
this is give the developer a means (like a switch in the window.open
parameters) to explicitly choose one way or the other.
-
[1] No kidding. My best guess for the reason is that IE chooses when to use the "browse new windows in a separate process" setting based on local
resources. KB 240928 says this is a function of physical RAM, but I have
observed differently.

[2] I prefer "thrusting upon us" to "implementing", in this case.
--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use of this email address implies consent to these terms. Please do not contact me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.

Dave,

I have to admit I believe I have observed this problem myself. However all
attempts at a reproduction have failed. The scenario most commonly reported
to me by clients is this. IE browser window opened on an intranet site
which requires a login. An email with a link to a page on the same intranet
site is clicked but the user is asked to login. User posts a support call
to effect they have already logged in why do they need to do it again?

I then attempt to reproduce and am unable to repeatably produce it, although
I have occasionally seen it myself.

Most of the articles you refer to are pretty out of date, referring to IE 4 and
5. The bugs mentioned have been fixed since 5.5. For example the 'open in
new process' setting is now set when 'there is more than 32MB of RAM' which
today means it's always set. But it's referring to launching from shell not
when opening a new window from a link in an existing browser window or from
script running in IE.

The only current article (by that I mean one affecting IE6) refers to
framesets using different host paths which quite rightly will not forward
the sessionID cookie.

Ultimately I suspect the problems I have seen are a result of using
different names to access the same server (that the intranet is accessed using
host name only but the email contains FQDNs)

Anthony.
Apr 2 '06 #7
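
As an added illustration (not code from any poster in this thread), the toy model below reproduces the two explanations given above for a second window getting a new ASP session: Dave Anderson's separate-process test and Anthony Jones's host-name-versus-FQDN scenario. The class names, the sequential session IDs and the host names `intranet` and `intranet.corp.example` are assumptions made for the model.

```javascript
// Toy model, constructed for illustration: an ASP-like server and IE-like
// browser processes. It is not IE's or ASP's actual code.

// Server side: session variables live only here, keyed by session ID.
class AspLikeServer {
  constructor() { this.sessions = new Map(); this.nextId = 1; }
  // cookieValue is the session ID the browser sent, or undefined.
  handle(cookieValue) {
    if (cookieValue !== undefined && this.sessions.has(cookieValue)) {
      return { sessionId: cookieValue, setCookie: null };
    }
    const id = 'S' + this.nextId++;      // assumption: real IDs are random
    this.sessions.set(id, { loggedIn: false });
    return { sessionId: id, setCookie: id };
  }
}

// Client side: cookies without an expiry date are kept in the memory of one
// browser process, so each process has its own jar.
class BrowserProcess {
  constructor() { this.jar = new Map(); }           // key: host name
  openWindow() { return new BrowserWindow(this); }  // like CTRL+N
}

class BrowserWindow {
  constructor(proc) { this.proc = proc; }
  get(server, host) {
    // Assumption: the session cookie carries no Domain attribute, so it is
    // returned only to the exact host name that set it.
    const key = host.toLowerCase();
    const res = server.handle(this.proc.jar.get(key));
    if (res.setCookie) this.proc.jar.set(key, res.setCookie);
    return res.sessionId;
  }
}

function runExperiment() {
  const server = new AspLikeServer();   // one server, reachable by two names
  const proc1 = new BrowserProcess();
  const first = proc1.openWindow();

  const a = first.get(server, 'intranet');              // user logs in here
  server.sessions.get(a).loggedIn = true;

  const b = proc1.openWindow().get(server, 'intranet'); // CTRL+N window
  const c = new BrowserProcess().openWindow()           // new iexplore.exe
                 .get(server, 'intranet');
  const d = first.get(server, 'intranet.corp.example'); // emailed FQDN link

  const ids = [a, b, c, d];
  return { ids, loggedIn: ids.map(id => server.sessions.get(id).loggedIn) };
}

console.log(runExperiment());
```

Only the CTRL+N window reuses the logged-in session; the new process and the FQDN link each present no cookie, so the server starts a fresh session and the user is asked to log in again.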
Anthony Jones wrote:
I have to admit I believe I have observed this problem myself.
However all attempts at a reproduction have failed. The scenario
most commonly reported to me by clients is this. IE browser window
opened on an intranet site which requires a login. An email with a
link to a page on the same intranet site is clicked but the user is
asked to login. User posts a support call to effect they have
already logged in why do they need to do it again?

I then attempt to reproduce and am unable to repeatably produce it,
although I have occasionally seen it myself.

Most of the articles you refer to are pretty out of date, referring to
IE 4 and 5. The bugs mentioned have been fixed since 5.5. For example
the 'open in new process' setting is now set when 'there is more than
32MB of RAM' which today means it's always set. But it's referring to
launching from shell not when opening a new window from a link in an
existing browser window or from script running in IE.
I am aware of all of these points. It occurred to me that the KB is not
fessing up completely, however. Witness the fact that I have observed
behavioral changes based on the number of running apps and windows opened by
the browser (not the shell). This suggests (1) that the "browse in a new
process" setting looks at available memory rather than physical memory, and
(2) that the issue is broader than suggested in the article.
The only current article (by that I mean one affecting IE6) refers
to framesets using different host paths which quite rightly will not
forward the sessionID cookie.

Ultimately I suspect the problems I have seen are a result of using
different names to access the same server (that the intranet is
accessed using host name only but the email contains FQDNs)


If this is a problem on your intranet, you may improve things by making sure
the clients have you in their [Trusted Sites] zones. On your public site,
P3P headers may help.

I say "may" in both cases because it helped us, but I can find no MSDN
explanation for it. MSDN has a lot to say about cookies and P3P, but nothing
about sharing cookies between browser windows.

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
Apr 2 '06 #8
