I've noticed that session variables will persist on Mac IE even after all
browser windows have been closed. One must quit the program to clear the
session variables. This presents a security risk for my session variable
based security scheme.
Basically, the risk is that a user will login to my site, close the window
when done and allow someone else to come up to the machine, go back to my
site and be logged into the previous user's account.
Anyone know how to make session variables disappear when a window closes?
Any other ideas? Am I going to have to redesign my whole security scheme?
Any suggestions are appreciated.
Dave
9  3622 
Looks more of an issue with the IE version you are using on your machine.
Check support.microsoft.com to see if such an issue is already recognized,
and remedy if any.
--
Manohar Kamath
Editor, .netBooks www.dotnetbooks.com
"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com... I've noticed that session variables will persist on Mac IE even after all
browser windows have been closed. One must quit the program to clear the
session variables. This presents a security risk for my session variable
based security scheme.
Basically, the risk is that a user will login to my site, close the window
when done and allow someone else to come up to the machine, go back to my
site and be logged into the previous user's account.
Anyone know how to make session variables disappear when a window closes?
Any other ideas? Am I going to have to redesign my whole security scheme?
Any suggestions are appreciated.
Dave
I've been unable to find anything regarding this on support.microsoft.com. I
can't find anything of substance on IE for the Mac.
"Manohar Kamath [MVP]" <mk*****@TAKETHISOUTkamath.com> wrote in message
news:ew**************@TK2MSFTNGP12.phx.gbl... Looks more of an issue with the IE version you are using on your machine.
Check support.microsoft.com to see if such an issue is already recognized,
and remedy if any.
--
Manohar Kamath
Editor, .netBooks
www.dotnetbooks.com
"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com... I've noticed that session variables will persist on Mac IE even after
all browser windows have been closed. One must quit the program to clear the
session variables. This presents a security risk for my session variable
based security scheme.
Basically, the risk is that a user will login to my site, close the
window when done and allow someone else to come up to the machine, go back to
my site and be logged into the previous user's account.
Anyone know how to make session variables disappear when a window
closes? Any other ideas? Am I going to have to redesign my whole security
scheme?
Any suggestions are appreciated.
Dave
If its an ASP site then use Global.asa to redirect to the login page if a
particluar session variable is not set -- once logged in then set it.
Of course this is all based on the understanding that session is not
persisted across windows on the same machine. Just tested it on W2K and the
session is not 'shared' across two windows.
Oh well - a warning should suffice to Mac users that multiple windows on the
same machine will have issues.
Chris.
"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com... I'm not implementing session variables myself.
I know you're right on the session vars being private to HTTP sessions on
Windows. But it just isn't the case with IE on the Mac. I can open one
window, login and then open a second which will also be logged in. Log out
of the first one, refresh second, it's logged out, too.
I'd call Session.Abandon on login, but it won't stop people from skipping
the login page and going straight to "protected" pages.
Don't know what to do.
"Chris Barber" <ch***@blue-canoe.co.uk.NOSPAM> wrote in message
news:O5**************@TK2MSFTNGP10.phx.gbl... Session variables are private to a HTTP session - a new browser window
will *not* get access to the previous session variables since the cookie that
is used to maintain session state is cleared when the browser window opens
(may also be cleared when the window closes - not sure).
Or perhaps you are implementing your own session state?
Then again - Mac IE is useless anyway so perhaps you are right. Please
accept my apologies if this is the case. You could always call
'Session.Abandon' on entering the login page to clear any previous
sessions.
Chris.
"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com... I've noticed that session variables will persist on Mac IE even after all browser windows have been closed. One must quit the program to clear
the session variables. This presents a security risk for my session
variable based security scheme.
Basically, the risk is that a user will login to my site, close the window when done and allow someone else to come up to the machine, go back to my site and be logged into the previous user's account.
Anyone know how to make session variables disappear when a window closes? Any other ideas? Am I going to have to redesign my whole security scheme?
Any suggestions are appreciated.
Dave
If they close all the IE windows and re-open IE are they still logged on?
--
Mark Schupp
--
Head of Development
Integrity eLearning
Online Learning Solutions Provider ms*****@ielearning.com http://www.ielearning.com
714.637.9480 x17
"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com... I'm not implementing session variables myself.
I know you're right on the session vars being private to HTTP sessions on
Windows. But it just isn't the case with IE on the Mac. I can open one
window, login and then open a second which will also be logged in. Log out
of the first one, refresh second, it's logged out, too.
I'd call Session.Abandon on login, but it won't stop people from skipping
the login page and going straight to "protected" pages.
Don't know what to do.
"Chris Barber" <ch***@blue-canoe.co.uk.NOSPAM> wrote in message
news:O5**************@TK2MSFTNGP10.phx.gbl... Session variables are private to a HTTP session - a new browser window
will *not* get access to the previous session variables since the cookie that
is used to maintain session state is cleared when the browser window opens
(may also be cleared when the window closes - not sure).
Or perhaps you are implementing your own session state?
Then again - Mac IE is useless anyway so perhaps you are right. Please
accept my apologies if this is the case. You could always call
'Session.Abandon' on entering the login page to clear any previous
sessions.
Chris.
"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com... I've noticed that session variables will persist on Mac IE even after all browser windows have been closed. One must quit the program to clear
the session variables. This presents a security risk for my session
variable based security scheme.
Basically, the risk is that a user will login to my site, close the window when done and allow someone else to come up to the machine, go back to my site and be logged into the previous user's account.
Anyone know how to make session variables disappear when a window closes? Any other ideas? Am I going to have to redesign my whole security scheme?
Any suggestions are appreciated.
Dave
If you close all IE windows and re-open you'll still be logged in. You have
to either quit IE, explicitly log out on the site or let the session expire
to log out.
I assume there's no way to make session vars private to a single window on
Mac IE. At this point, all I can think to do is put up a warning.
"Mark Schupp" <ms*****@ielearning.com> wrote in message
news:u6**************@TK2MSFTNGP11.phx.gbl... If they close all the IE windows and re-open IE are they still logged on?
--
Mark Schupp
--
Head of Development
Integrity eLearning
Online Learning Solutions Provider
ms*****@ielearning.com
http://www.ielearning.com
714.637.9480 x17
"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com... I'm not implementing session variables myself.
I know you're right on the session vars being private to HTTP sessions
on Windows. But it just isn't the case with IE on the Mac. I can open one
window, login and then open a second which will also be logged in. Log
out of the first one, refresh second, it's logged out, too.
I'd call Session.Abandon on login, but it won't stop people from
skipping the login page and going straight to "protected" pages.
Don't know what to do.
"Chris Barber" <ch***@blue-canoe.co.uk.NOSPAM> wrote in message
news:O5**************@TK2MSFTNGP10.phx.gbl... Session variables are private to a HTTP session - a new browser window
will *not* get access to the previous session variables since the cookie
that is used to maintain session state is cleared when the browser window
opens (may also be cleared when the window closes - not sure).
Or perhaps you are implementing your own session state?
Then again - Mac IE is useless anyway so perhaps you are right. Please
accept my apologies if this is the case. You could always call
'Session.Abandon' on entering the login page to clear any previous
sessions.
Chris.
"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com...
> I've noticed that session variables will persist on Mac IE even
after all > browser windows have been closed. One must quit the program to clear the > session variables. This presents a security risk for my session variable > based security scheme.
>
> Basically, the risk is that a user will login to my site, close the
window > when done and allow someone else to come up to the machine, go back
to my > site and be logged into the previous user's account.
>
> Anyone know how to make session variables disappear when a window
closes? > Any other ideas? Am I going to have to redesign my whole security
scheme? >
> Any suggestions are appreciated.
>
> Dave
>
>
How can you still have to "quit IE" if you have closed all of its windows? I assume there's no way to make session vars private to a single window on
Mac IE. At this point, all I can think to do is put up a warning.
Some people would call this a feature rather than a bug (having new windows
share the same session).
I am not familiar with IE for Mac but you might check for any settings in IE
named like "browse in new process".
--
Mark Schupp
--
Head of Development
Integrity eLearning
Online Learning Solutions Provider
ms*****@ielearning.com
http://www.ielearning.com
714.637.9480 x17
"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com... If you close all IE windows and re-open you'll still be logged in. You
have to either quit IE, explicitly log out on the site or let the session
expire to log out.
I assume there's no way to make session vars private to a single window on
Mac IE. At this point, all I can think to do is put up a warning.
"Mark Schupp" <ms*****@ielearning.com> wrote in message
news:u6**************@TK2MSFTNGP11.phx.gbl... If they close all the IE windows and re-open IE are they still logged
on?
--
Mark Schupp
--
Head of Development
Integrity eLearning
Online Learning Solutions Provider
ms*****@ielearning.com
http://www.ielearning.com
714.637.9480 x17
"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com... I'm not implementing session variables myself.
I know you're right on the session vars being private to HTTP sessions on Windows. But it just isn't the case with IE on the Mac. I can open one
window, login and then open a second which will also be logged in. Log out of the first one, refresh second, it's logged out, too.
I'd call Session.Abandon on login, but it won't stop people from skipping the login page and going straight to "protected" pages.
Don't know what to do.
"Chris Barber" <ch***@blue-canoe.co.uk.NOSPAM> wrote in message
news:O5**************@TK2MSFTNGP10.phx.gbl...
> Session variables are private to a HTTP session - a new browser
window will
> *not* get access to the previous session variables since the cookie that is
> used to maintain session state is cleared when the browser window opens (may
> also be cleared when the window closes - not sure).
>
> Or perhaps you are implementing your own session state?
>
> Then again - Mac IE is useless anyway so perhaps you are right.
Please > accept my apologies if this is the case. You could always call
> 'Session.Abandon' on entering the login page to clear any previous
sessions.
>
> Chris.
>
> "Pack Fan" <pa**@fan.com> wrote in message
> news:vh************@corp.supernews.com...
> > I've noticed that session variables will persist on Mac IE even after all
> > browser windows have been closed. One must quit the program to
clear the > > session variables. This presents a security risk for my session variable > > based security scheme.
> >
> > Basically, the risk is that a user will login to my site, close
the window
> > when done and allow someone else to come up to the machine, go
back to my
> > site and be logged into the previous user's account.
> >
> > Anyone know how to make session variables disappear when a window
closes?
> > Any other ideas? Am I going to have to redesign my whole security
scheme?
> >
> > Any suggestions are appreciated.
> >
> > Dave
> >
> >
>
>
You haven't used a Mac, have you? :) It's considered very bad form, on the
Mac, to write an app that quits by closing a window. Since the menu bar
isn't tied to a window it's still there when you close a window. All windows
closed? Just go select file:new to open a new one.
"Mark Schupp" <ms*****@ielearning.com> wrote in message
news:eV**************@TK2MSFTNGP11.phx.gbl... How can you still have to "quit IE" if you have closed all of its windows?
I assume there's no way to make session vars private to a single window
on Mac IE. At this point, all I can think to do is put up a warning. Some people would call this a feature rather than a bug (having new
windows share the same session).
I am not familiar with IE for Mac but you might check for any settings in
IE named like "browse in new process".
--
Mark Schupp
--
Head of Development
Integrity eLearning
Online Learning Solutions Provider
ms*****@ielearning.com
http://www.ielearning.com
714.637.9480 x17
"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com... If you close all IE windows and re-open you'll still be logged in. You
have to either quit IE, explicitly log out on the site or let the session
expire to log out.
I assume there's no way to make session vars private to a single window
on Mac IE. At this point, all I can think to do is put up a warning.
"Mark Schupp" <ms*****@ielearning.com> wrote in message
news:u6**************@TK2MSFTNGP11.phx.gbl... If they close all the IE windows and re-open IE are they still logged on?
--
Mark Schupp
--
Head of Development
Integrity eLearning
Online Learning Solutions Provider
ms*****@ielearning.com
http://www.ielearning.com
714.637.9480 x17
"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com...
> I'm not implementing session variables myself.
>
> I know you're right on the session vars being private to HTTP
sessions on > Windows. But it just isn't the case with IE on the Mac. I can open
one > window, login and then open a second which will also be logged in.
Log out > of the first one, refresh second, it's logged out, too.
>
> I'd call Session.Abandon on login, but it won't stop people from
skipping > the login page and going straight to "protected" pages.
>
> Don't know what to do.
>
> "Chris Barber" <ch***@blue-canoe.co.uk.NOSPAM> wrote in message
> news:O5**************@TK2MSFTNGP10.phx.gbl...
> > Session variables are private to a HTTP session - a new browser window > will
> > *not* get access to the previous session variables since the
cookie that > is
> > used to maintain session state is cleared when the browser window
opens > (may
> > also be cleared when the window closes - not sure).
> >
> > Or perhaps you are implementing your own session state?
> >
> > Then again - Mac IE is useless anyway so perhaps you are right.
Please > > accept my apologies if this is the case. You could always call
> > 'Session.Abandon' on entering the login page to clear any previous
> sessions.
> >
> > Chris.
> >
> > "Pack Fan" <pa**@fan.com> wrote in message
> > news:vh************@corp.supernews.com...
> > > I've noticed that session variables will persist on Mac IE even
after > all
> > > browser windows have been closed. One must quit the program to clear the
> > > session variables. This presents a security risk for my session
variable
> > > based security scheme.
> > >
> > > Basically, the risk is that a user will login to my site, close the > window
> > > when done and allow someone else to come up to the machine, go
back to > my
> > > site and be logged into the previous user's account.
> > >
> > > Anyone know how to make session variables disappear when a
window > closes?
> > > Any other ideas? Am I going to have to redesign my whole
security > scheme?
> > >
> > > Any suggestions are appreciated.
> > >
> > > Dave
> > >
> > >
> >
> >
>
>
Avoided MACs like the plague (still POed at Apple since I couldn't afford an
Apple II when I wanted one).
We did finally test our App against one last release. NS was a waste of
space, IE worked (sort of).
--
Mark Schupp
--
Head of Development
Integrity eLearning
Online Learning Solutions Provider ms*****@ielearning.com http://www.ielearning.com
714.637.9480 x17
"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com... You haven't used a Mac, have you? :) It's considered very bad form, on the
Mac, to write an app that quits by closing a window. Since the menu bar
isn't tied to a window it's still there when you close a window. All
windows closed? Just go select file:new to open a new one.
"Mark Schupp" <ms*****@ielearning.com> wrote in message
news:eV**************@TK2MSFTNGP11.phx.gbl... How can you still have to "quit IE" if you have closed all of its
windows? I assume there's no way to make session vars private to a single
window on Mac IE. At this point, all I can think to do is put up a warning. Some people would call this a feature rather than a bug (having new
windows share the same session).
I am not familiar with IE for Mac but you might check for any settings
in IE named like "browse in new process".
--
Mark Schupp
--
Head of Development
Integrity eLearning
Online Learning Solutions Provider
ms*****@ielearning.com
http://www.ielearning.com
714.637.9480 x17
"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com... If you close all IE windows and re-open you'll still be logged in. You have to either quit IE, explicitly log out on the site or let the session
expire to log out.
I assume there's no way to make session vars private to a single
window on Mac IE. At this point, all I can think to do is put up a warning.
"Mark Schupp" <ms*****@ielearning.com> wrote in message
news:u6**************@TK2MSFTNGP11.phx.gbl...
> If they close all the IE windows and re-open IE are they still
logged on? >
> --
> Mark Schupp
> --
> Head of Development
> Integrity eLearning
> Online Learning Solutions Provider
> ms*****@ielearning.com
> http://www.ielearning.com
> 714.637.9480 x17
>
>
> "Pack Fan" <pa**@fan.com> wrote in message
> news:vh************@corp.supernews.com...
> > I'm not implementing session variables myself.
> >
> > I know you're right on the session vars being private to HTTP sessions on
> > Windows. But it just isn't the case with IE on the Mac. I can open one > > window, login and then open a second which will also be logged in. Log out
> > of the first one, refresh second, it's logged out, too.
> >
> > I'd call Session.Abandon on login, but it won't stop people from
skipping
> > the login page and going straight to "protected" pages.
> >
> > Don't know what to do.
> >
> > "Chris Barber" <ch***@blue-canoe.co.uk.NOSPAM> wrote in message
> > news:O5**************@TK2MSFTNGP10.phx.gbl...
> > > Session variables are private to a HTTP session - a new browser
window > > will
> > > *not* get access to the previous session variables since the cookie that
> > is
> > > used to maintain session state is cleared when the browser
window opens
> > (may
> > > also be cleared when the window closes - not sure).
> > >
> > > Or perhaps you are implementing your own session state?
> > >
> > > Then again - Mac IE is useless anyway so perhaps you are right.
Please > > > accept my apologies if this is the case. You could always call
> > > 'Session.Abandon' on entering the login page to clear any
previous > > sessions.
> > >
> > > Chris.
> > >
> > > "Pack Fan" <pa**@fan.com> wrote in message
> > > news:vh************@corp.supernews.com...
> > > > I've noticed that session variables will persist on Mac IE
even after
> > all
> > > > browser windows have been closed. One must quit the program to
clear > the
> > > > session variables. This presents a security risk for my
session > variable
> > > > based security scheme.
> > > >
> > > > Basically, the risk is that a user will login to my site,
close the > > window
> > > > when done and allow someone else to come up to the machine, go
back to
> > my
> > > > site and be logged into the previous user's account.
> > > >
> > > > Anyone know how to make session variables disappear when a
window > > closes?
> > > > Any other ideas? Am I going to have to redesign my whole security > > scheme?
> > > >
> > > > Any suggestions are appreciated.
> > > >
> > > > Dave
> > > >
> > > >
> > >
> > >
> >
> >
>
>
Just to add my two cents. We are using IE 6.0 for Windows and we are
having the same problem. A user logs in to our Web application, which
stores information in the session variables. If they close the
browser without logging out of the application they can some times
open the browser again and it will skip the log in page because the
session information has been retained. One user even said that she
rebooted and it still happened, though I didn't see that.
The one time I did see it with my very own eyes, the user had another
IE Browser window open (to a different site). When I had her close
that other window, and try again, the Session information was deleted
and she was asked to log in again.
I'd love to hear if anyone else has run into this or has a solution.
Diane Y
"Mark Schupp" <ms*****@ielearning.com> wrote in message news:<u6**************@TK2MSFTNGP11.phx.gbl>... If they close all the IE windows and re-open IE are they still logged on?
--
Mark Schupp
--
Head of Development
Integrity eLearning
Online Learning Solutions Provider
ms*****@ielearning.com
http://www.ielearning.com
714.637.9480 x17
"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com... I'm not implementing session variables myself.
I know you're right on the session vars being private to HTTP sessions on
Windows. But it just isn't the case with IE on the Mac. I can open one
window, login and then open a second which will also be logged in. Log out
of the first one, refresh second, it's logged out, too.
I'd call Session.Abandon on login, but it won't stop people from skipping
the login page and going straight to "protected" pages.
Don't know what to do.
"Chris Barber" <ch***@blue-canoe.co.uk.NOSPAM> wrote in message
news:O5**************@TK2MSFTNGP10.phx.gbl... Session variables are private to a HTTP session - a new browser window will *not* get access to the previous session variables since the cookie that is used to maintain session state is cleared when the browser window opens (may also be cleared when the window closes - not sure).
Or perhaps you are implementing your own session state?
Then again - Mac IE is useless anyway so perhaps you are right. Please
accept my apologies if this is the case. You could always call
'Session.Abandon' on entering the login page to clear any previous sessions.
Chris.
"Pack Fan" <pa**@fan.com> wrote in message
news:vh************@corp.supernews.com...
> I've noticed that session variables will persist on Mac IE even after all > browser windows have been closed. One must quit the program to clear the > session variables. This presents a security risk for my session variable > based security scheme.
>
> Basically, the risk is that a user will login to my site, close the window > when done and allow someone else to come up to the machine, go back to my > site and be logged into the previous user's account.
>
> Anyone know how to make session variables disappear when a window closes? > Any other ideas? Am I going to have to redesign my whole security scheme? >
> Any suggestions are appreciated.
>
> Dave
>
>
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: P. Glassel |
last post by:
I'm having problems getting session timeouts to change
programmaticlaly under IIS6.0. This is unchanged code
that ran as expected under IIS5.0.
Anyone else run into this problem?
Thx.
|
by: Wayne |
last post by:
Hi,
I'm new to .NET and have a question about the use of static variables vs.
session variables in a web form in C#.
Instead of using a session variable to hold a string to persist during...
|
by: Igor |
last post by:
Is it possible to point current context's session to another active
session based on a SessionID?
|
by: Mark |
last post by:
Ok, I know that .net inherently does not share session data across asp.net
projects, but is there any decent work around to this.
We already have a big chunk of our application using the asp.net...
|
by: tshad |
last post by:
I have been using the default session state (InProc) and have found that I
have been loosing my information after a period of time (normally 20
minutes).
Is there anyway to find out how much...
|
by: McGeeky |
last post by:
Is there a way to get a user control to remember its state across pages? I
have a standard page layout I use with a header and footer as user controls.
Each page uses the same layout by means of...
|
by: Sean |
last post by:
Problem with sessions
I have created an application without concern for sessions. As it turns out
I think that might be my undoing.
What I have:
I have an online quiz.
I don’t need to know...
|
by: BillE |
last post by:
When a user opens a new IE browser window using File-New-Window the
integrity of an application which relies on session state is COMPLETELY
undermined. Anyone who overlooks the fact that...
|
by: BillE |
last post by:
Some ASP.NET applications use Session Variables extensively to maintain
state.
These should be re-written to use viewstate, hidden fields, querystring,
etc. instead.
This is because if a user...
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and...
| |
