Hi all,

We are experiencing the following problem with the latest versions of IE and FF with regard to sessions. If anyone has encountered these problems before, any insight would be valuable.

In FF: An ongoing problem where sessions are saved across multiple tabs and windows in the same machine. This means that users that are logged in to one of our portals can open a new tab or window and be logged in here.

In IE7: Similar, but different windows use different session data. However, tabs behave the same as in FF.

In IE8: Ok, something really strange is happening here. Session data is saved on a domain basis for each window, so a new window behaves as a new tab would if it is in the same domain. On a different domain, different windows have different sessions, so the user is not automatically logged in.

These problems are mostly frustrating for the development team trying to debug across multiple portals. But we are starting to wonder if this is a security issue, and how we can work around it. Is this just a flaw in these browsers that web developers must accept, or has anyone come up with a suitable workaround for them? As I said before, your input will be appreciated.

Thanks in advance,
darkagn :)

In all browsers that's how it is supposed to work. Sessions are saved to cookies, which either expire after a certain amount of time or after a user closes their browser. There would be absolutely no way to tell the difference between them opening a new tab or just refreshing the page, so you're effectively SOL.

commented: Fast, informed and helpful response +4

Hi ShawnCPlus,

Thanks for the super-fast response! That's what we were thinking, but I thought I would just post and get some outside opinions just in case.

Thanks again,

I am really new here and a fairly new developer, but I can offer one suggestion.

Try encrypting a key (whatever you use to determine the user is logged in - for instance username or login id) and passing it in the query string of the link. The landing page on the new site then gets the encrypted value from the query string, decrypts it, and performs any validation required for login.

Hope this helps.
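As an added example (not the poster's code): a cross-portal hand-off of the shape suggested above, but carrying a signed, short-lived, single-use token instead of a plainly encrypted login id, so the landing page can reject forged, expired or replayed links. The shared secret, portal names and URL are constructed for the example.

```python
import base64, hmac, hashlib, json, time, secrets
from urllib.parse import urlencode, parse_qs

# Constructed shared secret for the example; each pair of portals would share
# its own high-entropy secret kept outside the web root.
SHARED_SECRET = b"example-shared-secret-not-for-production"
TOKEN_TTL = 60          # seconds a hand-off token stays valid
_seen_nonces = set()    # per-process replay cache (a shared store across servers)

def _sign(data: bytes) -> str:
    return hmac.new(SHARED_SECRET, data, hashlib.sha256).hexdigest()

def issue_handoff_link(login_id: str, target_url: str, audience: str, now=None) -> str:
    """Portal A builds a link to portal B carrying a signed, short-lived token."""
    now = time.time() if now is None else now
    payload = {"sub": login_id, "aud": audience, "exp": int(now) + TOKEN_TTL,
               "nonce": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return f"{target_url}?{urlencode({'t': body, 'sig': _sign(body.encode())})}"

def verify_handoff(query: str, expected_audience: str, now=None):
    """Portal B validates the token from its landing page's query string.
    Returns the login id on success, or None on any failure."""
    now = time.time() if now is None else now
    params = parse_qs(query)
    body, sig = params.get("t", [None])[0], params.get("sig", [None])[0]
    if body is None or sig is None:
        return None
    if not hmac.compare_digest(_sign(body.encode()), sig):  # forged or tampered
        return None
    try:
        payload = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None
    if payload.get("aud") != expected_audience or payload.get("exp", 0) < now:
        return None                                          # wrong portal or expired
    if payload["nonce"] in _seen_nonces:
        return None                                          # link already used
    _seen_nonces.add(payload["nonce"])
    return payload["sub"]
```

The landing page would then start its own server-side session for the returned login id rather than trusting the query string on later requests.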