Session Variables Persist Across Window Close on Mac IE 4.5 and Greater

I've noticed that session variables will persist on Mac IE even after all
browser windows have been closed. One must quit the program to clear the
session variables. This presents a security risk for my session variable
based security scheme.

Basically, the risk is that a user will login to my site, close the window
when done and allow someone else to come up to the machine, go back to my
site and be logged into the previous user's account.

Anyone know how to make session variables disappear when a window closes?
Any other ideas? Am I going to have to redesign my whole security scheme?

Any suggestions are appreciated.

Dave

Manohar
Mon Jul 21 16:54:47 CDT 2003

Looks more of an issue with the IE version you are using on your machine.
Check support.microsoft.com to see if such an issue is already recognized,
and remedy if any.

--
Manohar Kamath
Editor, .netBooks
www.dotnetbooks.com


"Pack Fan" <pack@fan.com> wrote in message
news:vhoo4tq1anga5e@corp.supernews.com...
> I've noticed that session variables will persist on Mac IE even after all
> browser windows have been closed. One must quit the program to clear the
> session variables. This presents a security risk for my session variable
> based security scheme.
>
> Basically, the risk is that a user will login to my site, close the window
> when done and allow someone else to come up to the machine, go back to my
> site and be logged into the previous user's account.
>
> Anyone know how to make session variables disappear when a window closes?
> Any other ideas? Am I going to have to redesign my whole security scheme?
>
> Any suggestions are appreciated.
>
> Dave
>
>

Pack
Mon Jul 21 20:11:26 CDT 2003

I've been unable to find anything regarding this on support.microsoft.com. I
can't find anything of substance on IE for the Mac.

"Manohar Kamath [MVP]" <mkamath@TAKETHISOUTkamath.com> wrote in message
news:ewZPxK9TDHA.2204@TK2MSFTNGP12.phx.gbl...
> Looks more of an issue with the IE version you are using on your machine.
> Check support.microsoft.com to see if such an issue is already recognized,
> and remedy if any.
>
> --
> Manohar Kamath
> Editor, .netBooks
> www.dotnetbooks.com
>
>
> "Pack Fan" <pack@fan.com> wrote in message
> news:vhoo4tq1anga5e@corp.supernews.com...
> > I've noticed that session variables will persist on Mac IE even after
all
> > browser windows have been closed. One must quit the program to clear the
> > session variables. This presents a security risk for my session variable
> > based security scheme.
> >
> > Basically, the risk is that a user will login to my site, close the
window
> > when done and allow someone else to come up to the machine, go back to
my
> > site and be logged into the previous user's account.
> >
> > Anyone know how to make session variables disappear when a window
closes?
> > Any other ideas? Am I going to have to redesign my whole security
scheme?
> >
> > Any suggestions are appreciated.
> >
> > Dave
> >
> >
>
>

Chris
Mon Jul 21 21:11:16 CDT 2003

If its an ASP site then use Global.asa to redirect to the login page if a
particluar session variable is not set -- once logged in then set it.
Of course this is all based on the understanding that session is not
persisted across windows on the same machine. Just tested it on W2K and the
session is not 'shared' across two windows.

Oh well - a warning should suffice to Mac users that multiple windows on the
same machine will have issues.

Chris.


"Pack Fan" <pack@fan.com> wrote in message
news:vhp57p4ap4cpc1@corp.supernews.com...
> I'm not implementing session variables myself.
>
> I know you're right on the session vars being private to HTTP sessions on
> Windows. But it just isn't the case with IE on the Mac. I can open one
> window, login and then open a second which will also be logged in. Log out
> of the first one, refresh second, it's logged out, too.
>
> I'd call Session.Abandon on login, but it won't stop people from skipping
> the login page and going straight to "protected" pages.
>
> Don't know what to do.
>
> "Chris Barber" <chris@blue-canoe.co.uk.NOSPAM> wrote in message
> news:O5s0ZN9TDHA.2092@TK2MSFTNGP10.phx.gbl...
> > Session variables are private to a HTTP session - a new browser window
> will
> > *not* get access to the previous session variables since the cookie that
> is
> > used to maintain session state is cleared when the browser window opens
> (may
> > also be cleared when the window closes - not sure).
> >
> > Or perhaps you are implementing your own session state?
> >
> > Then again - Mac IE is useless anyway so perhaps you are right. Please
> > accept my apologies if this is the case. You could always call
> > 'Session.Abandon' on entering the login page to clear any previous
> sessions.
> >
> > Chris.
> >
> > "Pack Fan" <pack@fan.com> wrote in message
> > news:vhoo4tq1anga5e@corp.supernews.com...
> > > I've noticed that session variables will persist on Mac IE even after
> all
> > > browser windows have been closed. One must quit the program to clear
the
> > > session variables. This presents a security risk for my session
variable
> > > based security scheme.
> > >
> > > Basically, the risk is that a user will login to my site, close the
> window
> > > when done and allow someone else to come up to the machine, go back to
> my
> > > site and be logged into the previous user's account.
> > >
> > > Anyone know how to make session variables disappear when a window
> closes?
> > > Any other ideas? Am I going to have to redesign my whole security
> scheme?
> > >
> > > Any suggestions are appreciated.
> > >
> > > Dave
> > >
> > >
> >
> >
>
>

Mark
Tue Jul 22 10:52:04 CDT 2003

If they close all the IE windows and re-open IE are they still logged on?

--
Mark Schupp
--
Head of Development
Integrity eLearning
Online Learning Solutions Provider
mschupp@ielearning.com
http://www.ielearning.com
714.637.9480 x17


"Pack Fan" <pack@fan.com> wrote in message
news:vhp57p4ap4cpc1@corp.supernews.com...
> I'm not implementing session variables myself.
>
> I know you're right on the session vars being private to HTTP sessions on
> Windows. But it just isn't the case with IE on the Mac. I can open one
> window, login and then open a second which will also be logged in. Log out
> of the first one, refresh second, it's logged out, too.
>
> I'd call Session.Abandon on login, but it won't stop people from skipping
> the login page and going straight to "protected" pages.
>
> Don't know what to do.
>
> "Chris Barber" <chris@blue-canoe.co.uk.NOSPAM> wrote in message
> news:O5s0ZN9TDHA.2092@TK2MSFTNGP10.phx.gbl...
> > Session variables are private to a HTTP session - a new browser window
> will
> > *not* get access to the previous session variables since the cookie that
> is
> > used to maintain session state is cleared when the browser window opens
> (may
> > also be cleared when the window closes - not sure).
> >
> > Or perhaps you are implementing your own session state?
> >
> > Then again - Mac IE is useless anyway so perhaps you are right. Please
> > accept my apologies if this is the case. You could always call
> > 'Session.Abandon' on entering the login page to clear any previous
> sessions.
> >
> > Chris.
> >
> > "Pack Fan" <pack@fan.com> wrote in message
> > news:vhoo4tq1anga5e@corp.supernews.com...
> > > I've noticed that session variables will persist on Mac IE even after
> all
> > > browser windows have been closed. One must quit the program to clear
the
> > > session variables. This presents a security risk for my session
variable
> > > based security scheme.
> > >
> > > Basically, the risk is that a user will login to my site, close the
> window
> > > when done and allow someone else to come up to the machine, go back to
> my
> > > site and be logged into the previous user's account.
> > >
> > > Anyone know how to make session variables disappear when a window
> closes?
> > > Any other ideas? Am I going to have to redesign my whole security
> scheme?
> > >
> > > Any suggestions are appreciated.
> > >
> > > Dave
> > >
> > >
> >
> >
>
>

Pack
Tue Jul 22 21:04:02 CDT 2003

If you close all IE windows and re-open you'll still be logged in. You have
to either quit IE, explicitly log out on the site or let the session expire
to log out.

I assume there's no way to make session vars private to a single window on
Mac IE. At this point, all I can think to do is put up a warning.

"Mark Schupp" <mschupp@ielearning.com> wrote in message
news:u65KAhGUDHA.2008@TK2MSFTNGP11.phx.gbl...
> If they close all the IE windows and re-open IE are they still logged on?
>
> --
> Mark Schupp
> --
> Head of Development
> Integrity eLearning
> Online Learning Solutions Provider
> mschupp@ielearning.com
> http://www.ielearning.com
> 714.637.9480 x17
>
>
> "Pack Fan" <pack@fan.com> wrote in message
> news:vhp57p4ap4cpc1@corp.supernews.com...
> > I'm not implementing session variables myself.
> >
> > I know you're right on the session vars being private to HTTP sessions
on
> > Windows. But it just isn't the case with IE on the Mac. I can open one
> > window, login and then open a second which will also be logged in. Log
out
> > of the first one, refresh second, it's logged out, too.
> >
> > I'd call Session.Abandon on login, but it won't stop people from
skipping
> > the login page and going straight to "protected" pages.
> >
> > Don't know what to do.
> >
> > "Chris Barber" <chris@blue-canoe.co.uk.NOSPAM> wrote in message
> > news:O5s0ZN9TDHA.2092@TK2MSFTNGP10.phx.gbl...
> > > Session variables are private to a HTTP session - a new browser window
> > will
> > > *not* get access to the previous session variables since the cookie
that
> > is
> > > used to maintain session state is cleared when the browser window
opens
> > (may
> > > also be cleared when the window closes - not sure).
> > >
> > > Or perhaps you are implementing your own session state?
> > >
> > > Then again - Mac IE is useless anyway so perhaps you are right. Please
> > > accept my apologies if this is the case. You could always call
> > > 'Session.Abandon' on entering the login page to clear any previous
> > sessions.
> > >
> > > Chris.
> > >
> > > "Pack Fan" <pack@fan.com> wrote in message
> > > news:vhoo4tq1anga5e@corp.supernews.com...
> > > > I've noticed that session variables will persist on Mac IE even
after
> > all
> > > > browser windows have been closed. One must quit the program to clear
> the
> > > > session variables. This presents a security risk for my session
> variable
> > > > based security scheme.
> > > >
> > > > Basically, the risk is that a user will login to my site, close the
> > window
> > > > when done and allow someone else to come up to the machine, go back
to
> > my
> > > > site and be logged into the previous user's account.
> > > >
> > > > Anyone know how to make session variables disappear when a window
> > closes?
> > > > Any other ideas? Am I going to have to redesign my whole security
> > scheme?
> > > >
> > > > Any suggestions are appreciated.
> > > >
> > > > Dave
> > > >
> > > >
> > >
> > >
> >
> >
>
>

Mark
Wed Jul 23 10:30:33 CDT 2003

How can you still have to "quit IE" if you have closed all of its windows?

> I assume there's no way to make session vars private to a single window on
> Mac IE. At this point, all I can think to do is put up a warning.
Some people would call this a feature rather than a bug (having new windows
share the same session).
I am not familiar with IE for Mac but you might check for any settings in IE
named like "browse in new process".

--
Mark Schupp
--
Head of Development
Integrity eLearning
Online Learning Solutions Provider
mschupp@ielearning.com
http://www.ielearning.com
714.637.9480 x17


"Pack Fan" <pack@fan.com> wrote in message
news:vhrr18nddo4986@corp.supernews.com...
> If you close all IE windows and re-open you'll still be logged in. You
have
> to either quit IE, explicitly log out on the site or let the session
expire
> to log out.
>
> I assume there's no way to make session vars private to a single window on
> Mac IE. At this point, all I can think to do is put up a warning.
>
> "Mark Schupp" <mschupp@ielearning.com> wrote in message
> news:u65KAhGUDHA.2008@TK2MSFTNGP11.phx.gbl...
> > If they close all the IE windows and re-open IE are they still logged
on?
> >
> > --
> > Mark Schupp
> > --
> > Head of Development
> > Integrity eLearning
> > Online Learning Solutions Provider
> > mschupp@ielearning.com
> > http://www.ielearning.com
> > 714.637.9480 x17
> >
> >
> > "Pack Fan" <pack@fan.com> wrote in message
> > news:vhp57p4ap4cpc1@corp.supernews.com...
> > > I'm not implementing session variables myself.
> > >
> > > I know you're right on the session vars being private to HTTP sessions
> on
> > > Windows. But it just isn't the case with IE on the Mac. I can open one
> > > window, login and then open a second which will also be logged in. Log
> out
> > > of the first one, refresh second, it's logged out, too.
> > >
> > > I'd call Session.Abandon on login, but it won't stop people from
> skipping
> > > the login page and going straight to "protected" pages.
> > >
> > > Don't know what to do.
> > >
> > > "Chris Barber" <chris@blue-canoe.co.uk.NOSPAM> wrote in message
> > > news:O5s0ZN9TDHA.2092@TK2MSFTNGP10.phx.gbl...
> > > > Session variables are private to a HTTP session - a new browser
window
> > > will
> > > > *not* get access to the previous session variables since the cookie
> that
> > > is
> > > > used to maintain session state is cleared when the browser window
> opens
> > > (may
> > > > also be cleared when the window closes - not sure).
> > > >
> > > > Or perhaps you are implementing your own session state?
> > > >
> > > > Then again - Mac IE is useless anyway so perhaps you are right.
Please
> > > > accept my apologies if this is the case. You could always call
> > > > 'Session.Abandon' on entering the login page to clear any previous
> > > sessions.
> > > >
> > > > Chris.
> > > >
> > > > "Pack Fan" <pack@fan.com> wrote in message
> > > > news:vhoo4tq1anga5e@corp.supernews.com...
> > > > > I've noticed that session variables will persist on Mac IE even
> after
> > > all
> > > > > browser windows have been closed. One must quit the program to
clear
> > the
> > > > > session variables. This presents a security risk for my session
> > variable
> > > > > based security scheme.
> > > > >
> > > > > Basically, the risk is that a user will login to my site, close
the
> > > window
> > > > > when done and allow someone else to come up to the machine, go
back
> to
> > > my
> > > > > site and be logged into the previous user's account.
> > > > >
> > > > > Anyone know how to make session variables disappear when a window
> > > closes?
> > > > > Any other ideas? Am I going to have to redesign my whole security
> > > scheme?
> > > > >
> > > > > Any suggestions are appreciated.
> > > > >
> > > > > Dave
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>

Pack
Wed Jul 23 22:27:05 CDT 2003

You haven't used a Mac, have you? :) It's considered very bad form, on the
Mac, to write an app that quits by closing a window. Since the menu bar
isn't tied to a window it's still there when you close a window. All windows
closed? Just go select file:new to open a new one.

"Mark Schupp" <mschupp@ielearning.com> wrote in message
news:eVr3o5SUDHA.1588@TK2MSFTNGP11.phx.gbl...
> How can you still have to "quit IE" if you have closed all of its windows?
>
> > I assume there's no way to make session vars private to a single window
on
> > Mac IE. At this point, all I can think to do is put up a warning.
> Some people would call this a feature rather than a bug (having new
windows
> share the same session).
> I am not familiar with IE for Mac but you might check for any settings in
IE
> named like "browse in new process".
>
> --
> Mark Schupp
> --
> Head of Development
> Integrity eLearning
> Online Learning Solutions Provider
> mschupp@ielearning.com
> http://www.ielearning.com
> 714.637.9480 x17
>
>
> "Pack Fan" <pack@fan.com> wrote in message
> news:vhrr18nddo4986@corp.supernews.com...
> > If you close all IE windows and re-open you'll still be logged in. You
> have
> > to either quit IE, explicitly log out on the site or let the session
> expire
> > to log out.
> >
> > I assume there's no way to make session vars private to a single window
on
> > Mac IE. At this point, all I can think to do is put up a warning.
> >
> > "Mark Schupp" <mschupp@ielearning.com> wrote in message
> > news:u65KAhGUDHA.2008@TK2MSFTNGP11.phx.gbl...
> > > If they close all the IE windows and re-open IE are they still logged
> on?
> > >
> > > --
> > > Mark Schupp
> > > --
> > > Head of Development
> > > Integrity eLearning
> > > Online Learning Solutions Provider
> > > mschupp@ielearning.com
> > > http://www.ielearning.com
> > > 714.637.9480 x17
> > >
> > >
> > > "Pack Fan" <pack@fan.com> wrote in message
> > > news:vhp57p4ap4cpc1@corp.supernews.com...
> > > > I'm not implementing session variables myself.
> > > >
> > > > I know you're right on the session vars being private to HTTP
sessions
> > on
> > > > Windows. But it just isn't the case with IE on the Mac. I can open
one
> > > > window, login and then open a second which will also be logged in.
Log
> > out
> > > > of the first one, refresh second, it's logged out, too.
> > > >
> > > > I'd call Session.Abandon on login, but it won't stop people from
> > skipping
> > > > the login page and going straight to "protected" pages.
> > > >
> > > > Don't know what to do.
> > > >
> > > > "Chris Barber" <chris@blue-canoe.co.uk.NOSPAM> wrote in message
> > > > news:O5s0ZN9TDHA.2092@TK2MSFTNGP10.phx.gbl...
> > > > > Session variables are private to a HTTP session - a new browser
> window
> > > > will
> > > > > *not* get access to the previous session variables since the
cookie
> > that
> > > > is
> > > > > used to maintain session state is cleared when the browser window
> > opens
> > > > (may
> > > > > also be cleared when the window closes - not sure).
> > > > >
> > > > > Or perhaps you are implementing your own session state?
> > > > >
> > > > > Then again - Mac IE is useless anyway so perhaps you are right.
> Please
> > > > > accept my apologies if this is the case. You could always call
> > > > > 'Session.Abandon' on entering the login page to clear any previous
> > > > sessions.
> > > > >
> > > > > Chris.
> > > > >
> > > > > "Pack Fan" <pack@fan.com> wrote in message
> > > > > news:vhoo4tq1anga5e@corp.supernews.com...
> > > > > > I've noticed that session variables will persist on Mac IE even
> > after
> > > > all
> > > > > > browser windows have been closed. One must quit the program to
> clear
> > > the
> > > > > > session variables. This presents a security risk for my session
> > > variable
> > > > > > based security scheme.
> > > > > >
> > > > > > Basically, the risk is that a user will login to my site, close
> the
> > > > window
> > > > > > when done and allow someone else to come up to the machine, go
> back
> > to
> > > > my
> > > > > > site and be logged into the previous user's account.
> > > > > >
> > > > > > Anyone know how to make session variables disappear when a
window
> > > > closes?
> > > > > > Any other ideas? Am I going to have to redesign my whole
security
> > > > scheme?
> > > > > >
> > > > > > Any suggestions are appreciated.
> > > > > >
> > > > > > Dave
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>

Mark
Thu Jul 24 10:41:17 CDT 2003

Avoided MACs like the plague (still POed at Apple since I couldn't afford an
Apple II when I wanted one).
We did finally test our App against one last release. NS was a waste of
space, IE worked (sort of).

--
Mark Schupp
--
Head of Development
Integrity eLearning
Online Learning Solutions Provider
mschupp@ielearning.com
http://www.ielearning.com
714.637.9480 x17


"Pack Fan" <pack@fan.com> wrote in message
news:vhuko7lsi1i9ac@corp.supernews.com...
> You haven't used a Mac, have you? :) It's considered very bad form, on the
> Mac, to write an app that quits by closing a window. Since the menu bar
> isn't tied to a window it's still there when you close a window. All
windows
> closed? Just go select file:new to open a new one.
>
> "Mark Schupp" <mschupp@ielearning.com> wrote in message
> news:eVr3o5SUDHA.1588@TK2MSFTNGP11.phx.gbl...
> > How can you still have to "quit IE" if you have closed all of its
windows?
> >
> > > I assume there's no way to make session vars private to a single
window
> on
> > > Mac IE. At this point, all I can think to do is put up a warning.
> > Some people would call this a feature rather than a bug (having new
> windows
> > share the same session).
> > I am not familiar with IE for Mac but you might check for any settings
in
> IE
> > named like "browse in new process".
> >
> > --
> > Mark Schupp
> > --
> > Head of Development
> > Integrity eLearning
> > Online Learning Solutions Provider
> > mschupp@ielearning.com
> > http://www.ielearning.com
> > 714.637.9480 x17
> >
> >
> > "Pack Fan" <pack@fan.com> wrote in message
> > news:vhrr18nddo4986@corp.supernews.com...
> > > If you close all IE windows and re-open you'll still be logged in. You
> > have
> > > to either quit IE, explicitly log out on the site or let the session
> > expire
> > > to log out.
> > >
> > > I assume there's no way to make session vars private to a single
window
> on
> > > Mac IE. At this point, all I can think to do is put up a warning.
> > >
> > > "Mark Schupp" <mschupp@ielearning.com> wrote in message
> > > news:u65KAhGUDHA.2008@TK2MSFTNGP11.phx.gbl...
> > > > If they close all the IE windows and re-open IE are they still
logged
> > on?
> > > >
> > > > --
> > > > Mark Schupp
> > > > --
> > > > Head of Development
> > > > Integrity eLearning
> > > > Online Learning Solutions Provider
> > > > mschupp@ielearning.com
> > > > http://www.ielearning.com
> > > > 714.637.9480 x17
> > > >
> > > >
> > > > "Pack Fan" <pack@fan.com> wrote in message
> > > > news:vhp57p4ap4cpc1@corp.supernews.com...
> > > > > I'm not implementing session variables myself.
> > > > >
> > > > > I know you're right on the session vars being private to HTTP
> sessions
> > > on
> > > > > Windows. But it just isn't the case with IE on the Mac. I can open
> one
> > > > > window, login and then open a second which will also be logged in.
> Log
> > > out
> > > > > of the first one, refresh second, it's logged out, too.
> > > > >
> > > > > I'd call Session.Abandon on login, but it won't stop people from
> > > skipping
> > > > > the login page and going straight to "protected" pages.
> > > > >
> > > > > Don't know what to do.
> > > > >
> > > > > "Chris Barber" <chris@blue-canoe.co.uk.NOSPAM> wrote in message
> > > > > news:O5s0ZN9TDHA.2092@TK2MSFTNGP10.phx.gbl...
> > > > > > Session variables are private to a HTTP session - a new browser
> > window
> > > > > will
> > > > > > *not* get access to the previous session variables since the
> cookie
> > > that
> > > > > is
> > > > > > used to maintain session state is cleared when the browser
window
> > > opens
> > > > > (may
> > > > > > also be cleared when the window closes - not sure).
> > > > > >
> > > > > > Or perhaps you are implementing your own session state?
> > > > > >
> > > > > > Then again - Mac IE is useless anyway so perhaps you are right.
> > Please
> > > > > > accept my apologies if this is the case. You could always call
> > > > > > 'Session.Abandon' on entering the login page to clear any
previous
> > > > > sessions.
> > > > > >
> > > > > > Chris.
> > > > > >
> > > > > > "Pack Fan" <pack@fan.com> wrote in message
> > > > > > news:vhoo4tq1anga5e@corp.supernews.com...
> > > > > > > I've noticed that session variables will persist on Mac IE
even
> > > after
> > > > > all
> > > > > > > browser windows have been closed. One must quit the program to
> > clear
> > > > the
> > > > > > > session variables. This presents a security risk for my
session
> > > > variable
> > > > > > > based security scheme.
> > > > > > >
> > > > > > > Basically, the risk is that a user will login to my site,
close
> > the
> > > > > window
> > > > > > > when done and allow someone else to come up to the machine, go
> > back
> > > to
> > > > > my
> > > > > > > site and be logged into the previous user's account.
> > > > > > >
> > > > > > > Anyone know how to make session variables disappear when a
> window
> > > > > closes?
> > > > > > > Any other ideas? Am I going to have to redesign my whole
> security
> > > > > scheme?
> > > > > > >
> > > > > > > Any suggestions are appreciated.
> > > > > > >
> > > > > > > Dave
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>

GuidoAsh
Tue Jul 29 11:30:42 CDT 2003

Just to add my two cents. We are using IE 6.0 for Windows and we are
having the same problem. A user logs in to our Web application, which
stores information in the session variables. If they close the
browser without logging out of the application they can some times
open the browser again and it will skip the log in page because the
session information has been retained. One user even said that she
rebooted and it still happened, though I didn't see that.

The one time I did see it with my very own eyes, the user had another
IE Browser window open (to a different site). When I had her close
that other window, and try again, the Session information was deleted
and she was asked to log in again.

I'd love to hear if anyone else has run into this or has a solution.
Diane Y

"Mark Schupp" <mschupp@ielearning.com> wrote in message news:<u65KAhGUDHA.2008@TK2MSFTNGP11.phx.gbl>...
> If they close all the IE windows and re-open IE are they still logged on?
>
> --
> Mark Schupp
> --
> Head of Development
> Integrity eLearning
> Online Learning Solutions Provider
> mschupp@ielearning.com
> http://www.ielearning.com
> 714.637.9480 x17
>
>
> "Pack Fan" <pack@fan.com> wrote in message
> news:vhp57p4ap4cpc1@corp.supernews.com...
> > I'm not implementing session variables myself.
> >
> > I know you're right on the session vars being private to HTTP sessions on
> > Windows. But it just isn't the case with IE on the Mac. I can open one
> > window, login and then open a second which will also be logged in. Log out
> > of the first one, refresh second, it's logged out, too.
> >
> > I'd call Session.Abandon on login, but it won't stop people from skipping
> > the login page and going straight to "protected" pages.
> >
> > Don't know what to do.
> >
> > "Chris Barber" <chris@blue-canoe.co.uk.NOSPAM> wrote in message
> > news:O5s0ZN9TDHA.2092@TK2MSFTNGP10.phx.gbl...
> > > Session variables are private to a HTTP session - a new browser window
> will
> > > *not* get access to the previous session variables since the cookie that
> is
> > > used to maintain session state is cleared when the browser window opens
> (may
> > > also be cleared when the window closes - not sure).
> > >
> > > Or perhaps you are implementing your own session state?
> > >
> > > Then again - Mac IE is useless anyway so perhaps you are right. Please
> > > accept my apologies if this is the case. You could always call
> > > 'Session.Abandon' on entering the login page to clear any previous
> sessions.
> > >
> > > Chris.
> > >
> > > "Pack Fan" <pack@fan.com> wrote in message
> > > news:vhoo4tq1anga5e@corp.supernews.com...
> > > > I've noticed that session variables will persist on Mac IE even after
> all
> > > > browser windows have been closed. One must quit the program to clear
> the
> > > > session variables. This presents a security risk for my session
> variable
> > > > based security scheme.
> > > >
> > > > Basically, the risk is that a user will login to my site, close the
> window
> > > > when done and allow someone else to come up to the machine, go back to
> my
> > > > site and be logged into the previous user's account.
> > > >
> > > > Anyone know how to make session variables disappear when a window
> closes?
> > > > Any other ideas? Am I going to have to redesign my whole security
> scheme?
> > > >
> > > > Any suggestions are appreciated.
> > > >
> > > > Dave
> > > >
> > > >
> > >
> > >
> >
> >