BUG: FIX: Windows Opened by Script Lose Authentication or Session
ID: Q196383
|
The information in this article applies to:
-
Microsoft Internet Explorer (Programming) versions 4.0, 4.01, 4.01 SP1, 4.01 SP2, 5.0dp1
SYMPTOMS
When windows are opened from script in an HTML page using window.open or
ShowModalDialog, Internet Explorer responds by prompting users to enter
their username and password every time a new window is created. This
happens even though the user already entered a correct username and
password and successfully authenticated with the Web server.
New windows may also lose Web server session information, creating a new
session or reusing an older, incorrect session from a separate Internet
Explorer instance.
Also, if the new window contains a Java applet that accesses static information from a class, it may not be able to share that information with an applet in another window.
These symptoms do not appear if the Windows Desktop Update is installed and the browser is not set to "Browse In New Process."
CAUSE
When asked to create new windows through script, Internet Explorer might
create the window in the wrong Internet Explorer process. Because
authentication credentials and the temporary cookies used for session
identification are cached per process, new windows need to re-authenticate
and start a new session if they don't open in the same process as their
opening window.
This behavior can appear random; the determined process for new windows is
dependent on several variables, including timing and browser configuration.
RESOLUTION
At this time, there is no recommended workaround.
Disabling the "Browse In New Process" browser setting in the Advanced tab
of the Internet Options will alleviate most of the symptoms described in
this article.
However, Web servers should avoid relying on this as a solution. Web sites
that expect users to change browser settings will have a negative user
experience, particularly when other sites require a different value for the
same settings. Users in corporate environments may not even have control
over this setting. Furthermore, disabling "browse in new process" can
affect the stability of the system shell and some users may need to use
"Browse In New Process" when they are working with pages that contain a lot
of Active Content.
Note that all session-managed pages should be set to expire immediately.
Some session inconsistencies can result when pages are pulled from the
cache rather than from the Web server.
A supported fix that corrects this problem is now available from Microsoft, but
it has not been fully regression tested and should be applied only to systems
experiencing this specific problem. If you are not severely affected by this
specific problem, Microsoft recommends that you wait for the next Internet Explorer service pack
that contains this fix.
To resolve this problem immediately, contact Microsoft Product Support Services
to obtain the fix. For a complete list of Microsoft Product Support Services
phone numbers and information on support costs, please go to the following
address on the World Wide Web:
http://www.microsoft.com/support/supportnet/overview/overview.asp
The English version of this fix should have the following file attributes or later:
Date Time Version Size File name Platform
------------------------------------------------------------------
10-13-98 4:37p 4.72.3510.1301 2,171,664 SHDOCVW.DLL (NT)
10-13-98 3:16p 4.72.3510.1301 2,172,176 SHDOCVW.DLL (Win9x)
NOTE: This fix corrects only the behavior of "window.open". Dialog boxes
created with the "showModalDialog" method still may experience the problem
discussed in this article.
STATUS
Microsoft has confirmed this to be a bug in the Microsoft products listed
at the beginning of this article. This bug was corrected in Microsoft Internet Explorer 5.
MORE INFORMATION
Steps to Reproduce Behavior
- Create the following Active Server Pages (ASP) page on an Internet
Information Server machine, version 3.0 or later, in a scripts directory:
<%@ LANGUAGE="VBSCRIPT" %>
<HTML><HEAD><TITLE>Test for Session ID</TITLE></HEAD>
<BODY>
ASP SESSION ID:
<%= Session.SessionID %>
<P>
<FORM><INPUT TYPE=BUTTON ID=PushME onclick="return openwindow();"
VALUE="WindowOpen"></FORM>
<SCRIPT>
function openwindow()
{
window.open("test.asp");
}
</SCRIPT>
</BODY></HTML>
- Verify that the "Browse In New Process" setting is selected in Internet Explorer on the client machine. This setting is in the Browser Settings section in the Advanced tab of the Internet Options dialog box.
- On the client machine, launch exactly one Internet Explorer instance. Navigate to the ASP page created in step 1. Click the "WindowOpen" button to execute window.open and create a new window.
Note that the ASP Session ID matches in both child and parent window.
- Create a new Internet Explorer instance by invoking Internet Explorer
from the Start menu or Desktop icon. Again, navigate to the ASP page created in step 1. Click the "WindowOpen" button.
Note that the ASP Session ID does not match in both child and parent
window of the new process. In some cases, this may be the session ID of
the first pair of Internet Explorer windows.
REFERENCES
Similar symptoms can occur when working with Office documents or other
Active Document servers in a Web environment.
For additional information, please see the following
article(s) in the Microsoft Knowledge Base:
Q185978 BUG: Double GET and Cookies Lost with Word or Excel
© Microsoft Corporation 1999, All Rights Reserved.
Contributions by Jason Strayer, Microsoft Corporation
Additional query words:
Keywords : kbnokeyword kbIE400 kbIE401 kbIE401sp1 kbIE500fix kbIEdp1
Version : WINDOWS:4.0,4.01,4.01 SP1,4.01 SP2,5.0dp1
Platform : WINDOWS
Issue type : kbbug