IE8 Idiotic Session handling

As you may be aware, Internet Explorer 8 shares the session among its different instances (even if you start a new instance by clicking the IE desktop icon). Why on Earth this was done is described in this article. The only way to start a new session is to use the obscure File -> New Session option in the menu, an interesting choice considering that in IE8 the menu is hidden by default.

But this is not the end. Quoting the article:

Relying on closing the window to clear the session is not a recommended way to implement proper logoff for an application. Because this clearly will not work if there is another window that is sharing the session.

True, but why, pray tell, is the session not cleared for one application when its window is closed, just because another window remains open, pointing to a completely different application, on a different server in a different DOMAIN?!

Do try this:

  1. Log in to any app that requires a user login.
  2. Open a new browser window and point it at a completely unrelated site.
  3. Close the original app window from Step 1.
  4. Open a new browser window and go to the URL of the app from Step 1.
  5. Surprise, surprise, you’re still logged on.

Also, aren’t they aware that 99.9% of all users will simply close the browser window instead of going through the logout process, even if it takes only one click? And in many scenarios, including the one above, the user will stay logged in.
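To make the server-side half of this concrete, here is an added illustration (not code from the post, from IE, or from the article quoted above): a minimal session store in which a session ends only by explicit logout or idle timeout, so the five steps above can be replayed to show that closing a window (Step 3) changes nothing on the server. The class and function names, the 15-minute default timeout and the fake clock are constructed for the example.

```python
import secrets
import time


class SessionStore:
    """Constructed example (not from the original post): server-side sessions
    that end by explicit logout or idle timeout, never by window close."""
    def __init__(self, idle_timeout=15 * 60, clock=time.time):
        self._sessions = {}      # token -> {"user": str, "last_seen": float}
        self._idle_timeout = idle_timeout
        self._clock = clock      # injectable so the timeout can be tested

    def login(self, user):
        # Fresh, unguessable token, stored server-side so it can be revoked.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def current_user(self, token):
        # Returns the user for a valid session, else None. An idle session is
        # deleted on first use past the timeout, so a stale cookie stays dead.
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if self._clock() - entry["last_seen"] > self._idle_timeout:
            del self._sessions[token]
            return None
        entry["last_seen"] = self._clock()
        return entry["user"]

    def logout(self, token):
        # Explicit logoff: the server forgets the session, so the same cookie
        # held by another shared-session window is useless from now on.
        return self._sessions.pop(token, None) is not None


def demo():
    """Replay the five steps from the post against a fake clock."""
    now = [1_000_000.0]
    store = SessionStore(idle_timeout=900, clock=lambda: now[0])
    token = store.login("alice")
    # Step 3, closing the window, sends nothing to the server: still valid.
    still_valid_after_close = store.current_user(token) == "alice"
    # Only an explicit logout kills the session immediately...
    gone_after_logout = store.logout(token) and store.current_user(token) is None
    # ...or the idle timeout expires it with no user action at all.
    token2 = store.login("alice")
    now[0] += 901
    gone_after_timeout = store.current_user(token2) is None
    return still_valid_after_close, gone_after_logout, gone_after_timeout
```

`demo()` returns `(True, True, True)`: the session survives the window close, dies on logout, and dies on idle expiry.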

2 replies on “IE8 Idiotic Session handling”

  1. So what? That is how it should be. Your session still exists because you never closed the application. You opened the second browser prior to closing the first and then closed the first. Why would you expect the session to be forgotten? By your expectations, every new tab or new window would not be logged in.

  2. I’d expect, logically, when all browser windows pointing to one application are closed – that application’s session should cease to exist. Why should the browser remember my credentials to eBay if I have Google open in another window? I don’t care what is happening under the hood, and this is a correct way to behave from the developer’s point of view. From the user’s point of view this is a security risk.
