Session Ends with Window.Open() Call

[Justin Beckwith]

Hi all,
I have a very basic ASP application in which a user is authenticated,
a flag is set in a session variable, and a new window is opened. The
file opened exists in the same application directory as the file which
sets the session flag. After calling the window.open() method in
javascript to open my new file, the session id changes. This is very
very bad. After a week of scouring the groups, I have noticed a ton
of other people having similar problems, seemingly a remnant of the
"Browse in process" errors, however; microsoft says the problem is
resolved by upgrading to IE 5.5. Well, I have IE 6.0.28, and the
problem persists.

Has there been any resolution for this bug in internet explorer? If
there isn't a resolution yet, what types of SECURE workarounds are
available? How am I expected to use the session feature of ASP if it
doesn't work across browser windows?

[Dave Anderson]

"Justin Beckwith" wrote:

>
> I have a very basic ASP application in which a user is authenticated,
> a flag is set in a session variable, and a new window is opened. The
> file opened exists in the same application directory as the file which
> sets the session flag. After calling the window.open() method in
> javascript to open my new file, the session id changes. This is very
> very bad. After a week of scouring the groups, I have noticed a ton
> of other people having similar problems, seemingly a remnant of the
> "Browse in process" errors, however; microsoft says the problem is
> resolved by upgrading to IE 5.5. Well, I have IE 6.0.28, and the
> problem persists.
>
> Has there been any resolution for this bug in internet explorer? If
> there isn't a resolution yet, what types of SECURE workarounds are
> available? How am I expected to use the session feature of ASP if it
> doesn't work across browser windows?

Justin -

We first observed this problem several months ago, and have not yet found a
solution. FWIW, it seems to be an IE/IIS-only "feature". The session loss
does not occur with other browsers, and as far as I can tell, new sessions
are not spawned on non-IIS web servers.

In the course of my investigation into the problem, I was advised that many
sites resolved the problem by adding P3P policies. As these policies can be
held legally binding, my organization has been slow to move on the issue,
leaving me unable to confirm whether this would resolve the problem for us.

There is a reliable solution -- normal cookies work as suspected. If you
implement your own session management system, you can achieve the kind of
behavior you desire. This is, of course, more work, and more or less limits
you to primitive data types in session variables, but it is considerably
more predictable, compatible, and scalable.


--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.