By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
424,952 Members | 1,908 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 424,952 IT Pros & Developers. It's quick & easy.

Session Variables Persist Across Window Close on Mac IE 4.5 and Greater

P: n/a
I've noticed that session variables will persist on Mac IE even after all
browser windows have been closed. One must quit the program to clear the
session variables. This presents a security risk for my session variable
based security scheme.

Basically, the risk is that a user will login to my site, close the window
when done and allow someone else to come up to the machine, go back to my
site and be logged into the previous user's account.

Anyone know how to make session variables disappear when a window closes?
Any other ideas? Am I going to have to redesign my whole security scheme?

Any suggestions are appreciated.

Dave
Jul 19 '05 #1
Share this Question
Share on Google+
9 Replies


P: n/a
Looks more of an issue with the IE version you are using on your machine.
Check support.microsoft.com to see if such an issue is already recognized,
and remedy if any.

--
Manohar Kamath
Editor, .netBooks
www.dotnetbooks.com
"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com...
I've noticed that session variables will persist on Mac IE even after all
browser windows have been closed. One must quit the program to clear the
session variables. This presents a security risk for my session variable
based security scheme.

Basically, the risk is that a user will login to my site, close the window
when done and allow someone else to come up to the machine, go back to my
site and be logged into the previous user's account.

Anyone know how to make session variables disappear when a window closes?
Any other ideas? Am I going to have to redesign my whole security scheme?

Any suggestions are appreciated.

Dave

Jul 19 '05 #2

P: n/a
I've been unable to find anything regarding this on support.microsoft.com. I
can't find anything of substance on IE for the Mac.

"Manohar Kamath [MVP]" <mk*****@TAKETHISOUTkamath.com> wrote in message
news:ew**************@TK2MSFTNGP12.phx.gbl...
Looks more of an issue with the IE version you are using on your machine.
Check support.microsoft.com to see if such an issue is already recognized,
and remedy if any.

--
Manohar Kamath
Editor, .netBooks
www.dotnetbooks.com
"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com...
I've noticed that session variables will persist on Mac IE even after all browser windows have been closed. One must quit the program to clear the
session variables. This presents a security risk for my session variable
based security scheme.

Basically, the risk is that a user will login to my site, close the window when done and allow someone else to come up to the machine, go back to my site and be logged into the previous user's account.

Anyone know how to make session variables disappear when a window closes? Any other ideas? Am I going to have to redesign my whole security scheme?
Any suggestions are appreciated.

Dave


Jul 19 '05 #3

P: n/a
If its an ASP site then use Global.asa to redirect to the login page if a
particluar session variable is not set -- once logged in then set it.
Of course this is all based on the understanding that session is not
persisted across windows on the same machine. Just tested it on W2K and the
session is not 'shared' across two windows.

Oh well - a warning should suffice to Mac users that multiple windows on the
same machine will have issues.

Chris.
"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com...
I'm not implementing session variables myself.

I know you're right on the session vars being private to HTTP sessions on
Windows. But it just isn't the case with IE on the Mac. I can open one
window, login and then open a second which will also be logged in. Log out
of the first one, refresh second, it's logged out, too.

I'd call Session.Abandon on login, but it won't stop people from skipping
the login page and going straight to "protected" pages.

Don't know what to do.

"Chris Barber" <ch***@blue-canoe.co.uk.NOSPAM> wrote in message
news:O5**************@TK2MSFTNGP10.phx.gbl...
Session variables are private to a HTTP session - a new browser window

will
*not* get access to the previous session variables since the cookie that

is
used to maintain session state is cleared when the browser window opens

(may
also be cleared when the window closes - not sure).

Or perhaps you are implementing your own session state?

Then again - Mac IE is useless anyway so perhaps you are right. Please
accept my apologies if this is the case. You could always call
'Session.Abandon' on entering the login page to clear any previous

sessions.

Chris.

"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com...
I've noticed that session variables will persist on Mac IE even after all browser windows have been closed. One must quit the program to clear the session variables. This presents a security risk for my session variable based security scheme.

Basically, the risk is that a user will login to my site, close the window when done and allow someone else to come up to the machine, go back to my site and be logged into the previous user's account.

Anyone know how to make session variables disappear when a window closes? Any other ideas? Am I going to have to redesign my whole security scheme?
Any suggestions are appreciated.

Dave



Jul 19 '05 #4

P: n/a
If they close all the IE windows and re-open IE are they still logged on?

--
Mark Schupp
--
Head of Development
Integrity eLearning
Online Learning Solutions Provider
ms*****@ielearning.com
http://www.ielearning.com
714.637.9480 x17
"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com...
I'm not implementing session variables myself.

I know you're right on the session vars being private to HTTP sessions on
Windows. But it just isn't the case with IE on the Mac. I can open one
window, login and then open a second which will also be logged in. Log out
of the first one, refresh second, it's logged out, too.

I'd call Session.Abandon on login, but it won't stop people from skipping
the login page and going straight to "protected" pages.

Don't know what to do.

"Chris Barber" <ch***@blue-canoe.co.uk.NOSPAM> wrote in message
news:O5**************@TK2MSFTNGP10.phx.gbl...
Session variables are private to a HTTP session - a new browser window

will
*not* get access to the previous session variables since the cookie that

is
used to maintain session state is cleared when the browser window opens

(may
also be cleared when the window closes - not sure).

Or perhaps you are implementing your own session state?

Then again - Mac IE is useless anyway so perhaps you are right. Please
accept my apologies if this is the case. You could always call
'Session.Abandon' on entering the login page to clear any previous

sessions.

Chris.

"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com...
I've noticed that session variables will persist on Mac IE even after all browser windows have been closed. One must quit the program to clear the session variables. This presents a security risk for my session variable based security scheme.

Basically, the risk is that a user will login to my site, close the window when done and allow someone else to come up to the machine, go back to my site and be logged into the previous user's account.

Anyone know how to make session variables disappear when a window closes? Any other ideas? Am I going to have to redesign my whole security scheme?
Any suggestions are appreciated.

Dave



Jul 19 '05 #5

P: n/a
If you close all IE windows and re-open you'll still be logged in. You have
to either quit IE, explicitly log out on the site or let the session expire
to log out.

I assume there's no way to make session vars private to a single window on
Mac IE. At this point, all I can think to do is put up a warning.

"Mark Schupp" <ms*****@ielearning.com> wrote in message
news:u6**************@TK2MSFTNGP11.phx.gbl...
If they close all the IE windows and re-open IE are they still logged on?

--
Mark Schupp
--
Head of Development
Integrity eLearning
Online Learning Solutions Provider
ms*****@ielearning.com
http://www.ielearning.com
714.637.9480 x17
"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com...
I'm not implementing session variables myself.

I know you're right on the session vars being private to HTTP sessions on
Windows. But it just isn't the case with IE on the Mac. I can open one
window, login and then open a second which will also be logged in. Log out of the first one, refresh second, it's logged out, too.

I'd call Session.Abandon on login, but it won't stop people from skipping the login page and going straight to "protected" pages.

Don't know what to do.

"Chris Barber" <ch***@blue-canoe.co.uk.NOSPAM> wrote in message
news:O5**************@TK2MSFTNGP10.phx.gbl...
Session variables are private to a HTTP session - a new browser window

will
*not* get access to the previous session variables since the cookie
that is
used to maintain session state is cleared when the browser window
opens (may
also be cleared when the window closes - not sure).

Or perhaps you are implementing your own session state?

Then again - Mac IE is useless anyway so perhaps you are right. Please
accept my apologies if this is the case. You could always call
'Session.Abandon' on entering the login page to clear any previous

sessions.

Chris.

"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com...
> I've noticed that session variables will persist on Mac IE even
after all
> browser windows have been closed. One must quit the program to clear the > session variables. This presents a security risk for my session variable > based security scheme.
>
> Basically, the risk is that a user will login to my site, close the

window
> when done and allow someone else to come up to the machine, go back

to my
> site and be logged into the previous user's account.
>
> Anyone know how to make session variables disappear when a window

closes?
> Any other ideas? Am I going to have to redesign my whole security

scheme?
>
> Any suggestions are appreciated.
>
> Dave
>
>



Jul 19 '05 #6

P: n/a
How can you still have to "quit IE" if you have closed all of its windows?
I assume there's no way to make session vars private to a single window on
Mac IE. At this point, all I can think to do is put up a warning. Some people would call this a feature rather than a bug (having new windows
share the same session).
I am not familiar with IE for Mac but you might check for any settings in IE
named like "browse in new process".

--
Mark Schupp
--
Head of Development
Integrity eLearning
Online Learning Solutions Provider
ms*****@ielearning.com
http://www.ielearning.com
714.637.9480 x17
"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com... If you close all IE windows and re-open you'll still be logged in. You have to either quit IE, explicitly log out on the site or let the session expire to log out.

I assume there's no way to make session vars private to a single window on
Mac IE. At this point, all I can think to do is put up a warning.

"Mark Schupp" <ms*****@ielearning.com> wrote in message
news:u6**************@TK2MSFTNGP11.phx.gbl...
If they close all the IE windows and re-open IE are they still logged on?

--
Mark Schupp
--
Head of Development
Integrity eLearning
Online Learning Solutions Provider
ms*****@ielearning.com
http://www.ielearning.com
714.637.9480 x17
"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com...
I'm not implementing session variables myself.

I know you're right on the session vars being private to HTTP sessions on Windows. But it just isn't the case with IE on the Mac. I can open one
window, login and then open a second which will also be logged in. Log out of the first one, refresh second, it's logged out, too.

I'd call Session.Abandon on login, but it won't stop people from skipping the login page and going straight to "protected" pages.

Don't know what to do.

"Chris Barber" <ch***@blue-canoe.co.uk.NOSPAM> wrote in message
news:O5**************@TK2MSFTNGP10.phx.gbl...
> Session variables are private to a HTTP session - a new browser window will
> *not* get access to the previous session variables since the cookie that is
> used to maintain session state is cleared when the browser window opens (may
> also be cleared when the window closes - not sure).
>
> Or perhaps you are implementing your own session state?
>
> Then again - Mac IE is useless anyway so perhaps you are right. Please > accept my apologies if this is the case. You could always call
> 'Session.Abandon' on entering the login page to clear any previous
sessions.
>
> Chris.
>
> "Pack Fan" <pa**@fan.com> wrote in message
> news:vh************@corp.supernews.com...
> > I've noticed that session variables will persist on Mac IE even after all
> > browser windows have been closed. One must quit the program to clear the
> > session variables. This presents a security risk for my session variable
> > based security scheme.
> >
> > Basically, the risk is that a user will login to my site, close
the window
> > when done and allow someone else to come up to the machine, go

back to my
> > site and be logged into the previous user's account.
> >
> > Anyone know how to make session variables disappear when a window
closes?
> > Any other ideas? Am I going to have to redesign my whole security
scheme?
> >
> > Any suggestions are appreciated.
> >
> > Dave
> >
> >
>
>



Jul 19 '05 #7

P: n/a
You haven't used a Mac, have you? :) It's considered very bad form, on the
Mac, to write an app that quits by closing a window. Since the menu bar
isn't tied to a window it's still there when you close a window. All windows
closed? Just go select file:new to open a new one.

"Mark Schupp" <ms*****@ielearning.com> wrote in message
news:eV**************@TK2MSFTNGP11.phx.gbl...
How can you still have to "quit IE" if you have closed all of its windows?
I assume there's no way to make session vars private to a single window on
Mac IE. At this point, all I can think to do is put up a warning. Some people would call this a feature rather than a bug (having new

windows share the same session).
I am not familiar with IE for Mac but you might check for any settings in IE named like "browse in new process".

--
Mark Schupp
--
Head of Development
Integrity eLearning
Online Learning Solutions Provider
ms*****@ielearning.com
http://www.ielearning.com
714.637.9480 x17
"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com...
If you close all IE windows and re-open you'll still be logged in. You

have
to either quit IE, explicitly log out on the site or let the session

expire
to log out.

I assume there's no way to make session vars private to a single window on Mac IE. At this point, all I can think to do is put up a warning.

"Mark Schupp" <ms*****@ielearning.com> wrote in message
news:u6**************@TK2MSFTNGP11.phx.gbl...
If they close all the IE windows and re-open IE are they still logged on?
--
Mark Schupp
--
Head of Development
Integrity eLearning
Online Learning Solutions Provider
ms*****@ielearning.com
http://www.ielearning.com
714.637.9480 x17
"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com...
> I'm not implementing session variables myself.
>
> I know you're right on the session vars being private to HTTP sessions on
> Windows. But it just isn't the case with IE on the Mac. I can open
one > window, login and then open a second which will also be logged in. Log
out
> of the first one, refresh second, it's logged out, too.
>
> I'd call Session.Abandon on login, but it won't stop people from

skipping
> the login page and going straight to "protected" pages.
>
> Don't know what to do.
>
> "Chris Barber" <ch***@blue-canoe.co.uk.NOSPAM> wrote in message
> news:O5**************@TK2MSFTNGP10.phx.gbl...
> > Session variables are private to a HTTP session - a new browser window > will
> > *not* get access to the previous session variables since the
cookie that
> is
> > used to maintain session state is cleared when the browser window

opens
> (may
> > also be cleared when the window closes - not sure).
> >
> > Or perhaps you are implementing your own session state?
> >
> > Then again - Mac IE is useless anyway so perhaps you are right.

Please > > accept my apologies if this is the case. You could always call
> > 'Session.Abandon' on entering the login page to clear any previous
> sessions.
> >
> > Chris.
> >
> > "Pack Fan" <pa**@fan.com> wrote in message
> > news:vh************@corp.supernews.com...
> > > I've noticed that session variables will persist on Mac IE even

after
> all
> > > browser windows have been closed. One must quit the program to clear the
> > > session variables. This presents a security risk for my session
variable
> > > based security scheme.
> > >
> > > Basically, the risk is that a user will login to my site, close the > window
> > > when done and allow someone else to come up to the machine, go

back
to
> my
> > > site and be logged into the previous user's account.
> > >
> > > Anyone know how to make session variables disappear when a

window > closes?
> > > Any other ideas? Am I going to have to redesign my whole security > scheme?
> > >
> > > Any suggestions are appreciated.
> > >
> > > Dave
> > >
> > >
> >
> >
>
>



Jul 19 '05 #8

P: n/a
Avoided MACs like the plague (still POed at Apple since I couldn't afford an
Apple II when I wanted one).
We did finally test our App against one last release. NS was a waste of
space, IE worked (sort of).

--
Mark Schupp
--
Head of Development
Integrity eLearning
Online Learning Solutions Provider
ms*****@ielearning.com
http://www.ielearning.com
714.637.9480 x17
"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com...
You haven't used a Mac, have you? :) It's considered very bad form, on the
Mac, to write an app that quits by closing a window. Since the menu bar
isn't tied to a window it's still there when you close a window. All windows closed? Just go select file:new to open a new one.

"Mark Schupp" <ms*****@ielearning.com> wrote in message
news:eV**************@TK2MSFTNGP11.phx.gbl...
How can you still have to "quit IE" if you have closed all of its windows?
I assume there's no way to make session vars private to a single window
on Mac IE. At this point, all I can think to do is put up a warning. Some people would call this a feature rather than a bug (having new

windows
share the same session).
I am not familiar with IE for Mac but you might check for any settings in IE
named like "browse in new process".

--
Mark Schupp
--
Head of Development
Integrity eLearning
Online Learning Solutions Provider
ms*****@ielearning.com
http://www.ielearning.com
714.637.9480 x17
"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com...
If you close all IE windows and re-open you'll still be logged in. You have
to either quit IE, explicitly log out on the site or let the session

expire
to log out.

I assume there's no way to make session vars private to a single
window on Mac IE. At this point, all I can think to do is put up a warning.

"Mark Schupp" <ms*****@ielearning.com> wrote in message
news:u6**************@TK2MSFTNGP11.phx.gbl...
> If they close all the IE windows and re-open IE are they still
logged on?
>
> --
> Mark Schupp
> --
> Head of Development
> Integrity eLearning
> Online Learning Solutions Provider
> ms*****@ielearning.com
> http://www.ielearning.com
> 714.637.9480 x17
>
>
> "Pack Fan" <pa**@fan.com> wrote in message
> news:vh************@corp.supernews.com...
> > I'm not implementing session variables myself.
> >
> > I know you're right on the session vars being private to HTTP sessions on
> > Windows. But it just isn't the case with IE on the Mac. I can open one > > window, login and then open a second which will also be logged in. Log out
> > of the first one, refresh second, it's logged out, too.
> >
> > I'd call Session.Abandon on login, but it won't stop people from
skipping
> > the login page and going straight to "protected" pages.
> >
> > Don't know what to do.
> >
> > "Chris Barber" <ch***@blue-canoe.co.uk.NOSPAM> wrote in message
> > news:O5**************@TK2MSFTNGP10.phx.gbl...
> > > Session variables are private to a HTTP session - a new browser

window
> > will
> > > *not* get access to the previous session variables since the cookie that
> > is
> > > used to maintain session state is cleared when the browser
window opens
> > (may
> > > also be cleared when the window closes - not sure).
> > >
> > > Or perhaps you are implementing your own session state?
> > >
> > > Then again - Mac IE is useless anyway so perhaps you are right.

Please
> > > accept my apologies if this is the case. You could always call
> > > 'Session.Abandon' on entering the login page to clear any previous > > sessions.
> > >
> > > Chris.
> > >
> > > "Pack Fan" <pa**@fan.com> wrote in message
> > > news:vh************@corp.supernews.com...
> > > > I've noticed that session variables will persist on Mac IE even after
> > all
> > > > browser windows have been closed. One must quit the program to

clear
> the
> > > > session variables. This presents a security risk for my session > variable
> > > > based security scheme.
> > > >
> > > > Basically, the risk is that a user will login to my site,

close the
> > window
> > > > when done and allow someone else to come up to the machine, go

back
to
> > my
> > > > site and be logged into the previous user's account.
> > > >
> > > > Anyone know how to make session variables disappear when a

window > > closes?
> > > > Any other ideas? Am I going to have to redesign my whole security > > scheme?
> > > >
> > > > Any suggestions are appreciated.
> > > >
> > > > Dave
> > > >
> > > >
> > >
> > >
> >
> >
>
>



Jul 19 '05 #9

P: n/a
Just to add my two cents. We are using IE 6.0 for Windows and we are
having the same problem. A user logs in to our Web application, which
stores information in the session variables. If they close the
browser without logging out of the application they can some times
open the browser again and it will skip the log in page because the
session information has been retained. One user even said that she
rebooted and it still happened, though I didn't see that.

The one time I did see it with my very own eyes, the user had another
IE Browser window open (to a different site). When I had her close
that other window, and try again, the Session information was deleted
and she was asked to log in again.

I'd love to hear if anyone else has run into this or has a solution.
Diane Y

"Mark Schupp" <ms*****@ielearning.com> wrote in message news:<u6**************@TK2MSFTNGP11.phx.gbl>...
If they close all the IE windows and re-open IE are they still logged on?

--
Mark Schupp
--
Head of Development
Integrity eLearning
Online Learning Solutions Provider
ms*****@ielearning.com
http://www.ielearning.com
714.637.9480 x17
"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com...
I'm not implementing session variables myself.

I know you're right on the session vars being private to HTTP sessions on
Windows. But it just isn't the case with IE on the Mac. I can open one
window, login and then open a second which will also be logged in. Log out
of the first one, refresh second, it's logged out, too.

I'd call Session.Abandon on login, but it won't stop people from skipping
the login page and going straight to "protected" pages.

Don't know what to do.

"Chris Barber" <ch***@blue-canoe.co.uk.NOSPAM> wrote in message
news:O5**************@TK2MSFTNGP10.phx.gbl...
Session variables are private to a HTTP session - a new browser window will *not* get access to the previous session variables since the cookie that is used to maintain session state is cleared when the browser window opens (may also be cleared when the window closes - not sure).

Or perhaps you are implementing your own session state?

Then again - Mac IE is useless anyway so perhaps you are right. Please
accept my apologies if this is the case. You could always call
'Session.Abandon' on entering the login page to clear any previous sessions.
Chris.

"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com...
> I've noticed that session variables will persist on Mac IE even after all > browser windows have been closed. One must quit the program to clear the > session variables. This presents a security risk for my session variable > based security scheme.
>
> Basically, the risk is that a user will login to my site, close the window > when done and allow someone else to come up to the machine, go back to my > site and be logged into the previous user's account.
>
> Anyone know how to make session variables disappear when a window closes? > Any other ideas? Am I going to have to redesign my whole security scheme? >
> Any suggestions are appreciated.
>
> Dave
>
>


Jul 19 '05 #10

This discussion thread is closed

Replies have been disabled for this discussion.