Session Ends with Window.Open() Call

Justin Beckwith

Hi all,
I have a very basic ASP application in which a user is authenticated,
a flag is set in a session variable, and a new window is opened. The
file opened exists in the same application directory as the file which
sets the session flag. After calling the window.open() method in
JavaScript to open my new file, the session id changes. This is very,
very bad. After a week of scouring the groups, I have noticed a ton
of other people having similar problems, seemingly a remnant of the
"Browse in process" errors; however, Microsoft says the problem is
resolved by upgrading to IE 5.5. Well, I have IE 6.0.28, and the
problem persists.

Has there been any resolution for this bug in Internet Explorer? If
there isn't a resolution yet, what types of SECURE workarounds are
available? How am I expected to use the session feature of ASP if it
doesn't work across browser windows?
 
Dave Anderson

Justin Beckwith said:
I have a very basic ASP application in which a user is authenticated,
a flag is set in a session variable, and a new window is opened. The
file opened exists in the same application directory as the file which
sets the session flag. After calling the window.open() method in
JavaScript to open my new file, the session id changes. This is very,
very bad. After a week of scouring the groups, I have noticed a ton
of other people having similar problems, seemingly a remnant of the
"Browse in process" errors; however, Microsoft says the problem is
resolved by upgrading to IE 5.5. Well, I have IE 6.0.28, and the
problem persists.

Has there been any resolution for this bug in Internet Explorer? If
there isn't a resolution yet, what types of SECURE workarounds are
available? How am I expected to use the session feature of ASP if it
doesn't work across browser windows?

Justin -

We first observed this problem several months ago, and have not yet found a
solution. FWIW, it seems to be an IE/IIS-only "feature". The session loss
does not occur with other browsers, and as far as I can tell, new sessions
are not spawned on non-IIS web servers.

In the course of my investigation into the problem, I was advised that many
sites resolved the problem by adding P3P policies. As these policies can be
held legally binding, my organization has been slow to move on the issue,
leaving me unable to confirm whether this would resolve the problem for us.

There is a reliable solution -- normal cookies work as suspected. If you
implement your own session management system, you can achieve the kind of
behavior you desire. This is, of course, more work, and more or less limits
you to primitive data types in session variables, but it is considerably
more predictable, compatible, and scalable.


--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
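
An added example, not part of either post above: a sketch of the self-managed session approach from the reply, where an ordinary cookie carries a random token and the server keeps primitive-only session values keyed by the token's hash. The cookie name `APPSID`, the 20-minute idle timeout, the in-memory `Map` and the HTTPS-only `Secure` attribute are assumptions made for illustration.

```javascript
// Added example: cookie name, timeout and in-memory store are assumptions.
const crypto = require("node:crypto");

const COOKIE = "APPSID";           // hypothetical cookie name
const IDLE_MS = 20 * 60 * 1000;    // assumed idle timeout
const store = new Map();           // sha256(token) -> { data, lastSeen }

// Only a hash is stored, so a leaked store does not expose live tokens.
const digest = (token) => crypto.createHash("sha256").update(token).digest("hex");

// Issue a fresh random token; call this at login so a pre-login token is never reused.
function createSession(data, now = Date.now()) {
  for (const v of Object.values(data)) {
    if (v !== null && !["string", "number", "boolean"].includes(typeof v)) {
      throw new TypeError("session values must be primitives");
    }
  }
  const token = crypto.randomBytes(32).toString("hex");
  store.set(digest(token), { data: { ...data }, lastSeen: now });
  // Path=/ so every window and page of the application sends the cookie back.
  return { token, setCookie: `${COOKIE}=${token}; Path=/; HttpOnly; Secure; SameSite=Lax` };
}

// Pull the token out of a raw Cookie request header.
function tokenFromHeader(header) {
  for (const part of (header || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === COOKIE) return rest.join("=");
  }
  return null;
}

// Resolve a request to its session data, or null if unknown or idle too long.
function loadSession(cookieHeader, now = Date.now()) {
  const token = tokenFromHeader(cookieHeader);
  if (!token || !/^[0-9a-f]{64}$/.test(token)) return null;
  const key = digest(token);
  const entry = store.get(key);
  if (!entry) return null;
  if (now - entry.lastSeen > IDLE_MS) { store.delete(key); return null; }
  entry.lastSeen = now;
  return entry.data;
}

// Logout: drop the server-side record so the token is dead in every window.
function destroySession(cookieHeader) {
  const token = tokenFromHeader(cookieHeader);
  return token ? store.delete(digest(token)) : false;
}
```

Because the lookup depends only on the cookie value, a page opened with window.open() resolves to the same session as its opener as long as the browser sends the cookie.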
 
