BUG: FIX: Windows Opened by Script Lose Authentication or Session

ID: Q196383

The information in this article applies to:
  • Microsoft Internet Explorer (Programming) versions 4.0, 4.01, 4.01 SP1, 4.01 SP2, 5.0dp1

SYMPTOMS

When windows are opened from script in an HTML page using window.open or ShowModalDialog, Internet Explorer responds by prompting users to enter their username and password every time a new window is created. This happens even though the user already entered a correct username and password and successfully authenticated with the Web server.

New windows may also lose Web server session information, creating a new session or reusing an older, incorrect session from a separate Internet Explorer instance.

Also, if the new window contains a Java applet that accesses static information from a class, it may not be able to share that information with an applet in another window.

These symptoms do not appear if the Windows Desktop Update is installed and the browser is not set to "Browse In New Process."


CAUSE

When asked to create new windows through script, Internet Explorer might create the window in the wrong Internet Explorer process. Because authentication credentials and the temporary cookies used for session identification are cached per process, new windows need to re-authenticate and start a new session if they don't open in the same process as their opening window.

This behavior can appear random; the determined process for new windows is dependent on several variables, including timing and browser configuration.


RESOLUTION

At this time, there is no recommended workaround.

Disabling the "Browse In New Process" browser setting in the Advanced tab of the Internet Options will alleviate most of the symptoms described in this article.

However, Web servers should avoid relying on this as a solution. Web sites that expect users to change browser settings will have a negative user experience, particularly when other sites require a different value for the same settings. Users in corporate environments may not even have control over this setting. Furthermore, disabling "browse in new process" can affect the stability of the system shell and some users may need to use "Browse In New Process" when they are working with pages that contain a lot of Active Content.

Note that all session-managed pages should be set to expire immediately. Some session inconsistencies can result when pages are pulled from the cache rather than from the Web server.

A supported fix that corrects this problem is now available from Microsoft, but it has not been fully regression tested and should be applied only to systems experiencing this specific problem. If you are not severely affected by this specific problem, Microsoft recommends that you wait for the next Internet Explorer service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

http://www.microsoft.com/support/supportnet/overview/overview.asp
The English version of this fix should have the following file attributes or later:

   Date      Time   Version         Size       File name    Platform
   ------------------------------------------------------------------

   10-13-98  4:37p  4.72.3510.1301  2,171,664  SHDOCVW.DLL  (NT)
   10-13-98  3:16p  4.72.3510.1301  2,172,176  SHDOCVW.DLL  (Win9x)

NOTE: This fix corrects only the behavior of "window.open". Dialog boxes created with the "showModalDialog" method still may experience the problem discussed in this article.


STATUS

Microsoft has confirmed this to be a bug in the Microsoft products listed at the beginning of this article. This bug was corrected in Microsoft Internet Explorer 5.


MORE INFORMATION

Steps to Reproduce Behavior

  1. Create the following Active Server Pages (ASP) page on an Internet Information Server machine, version 3.0 or later, in a scripts directory: 
    

      <%@ LANGUAGE="VBSCRIPT" %>
      <HTML><HEAD><TITLE>Test for Session ID</TITLE></HEAD>
      <BODY>
      ASP SESSION ID:
      <%= Session.SessionID %>
      <P>
      <FORM><INPUT TYPE=BUTTON ID=PushME onclick="return openwindow();"
             VALUE="WindowOpen"></FORM>
      <SCRIPT>

      function openwindow()
      {
         window.open("test.asp");
      }
      </SCRIPT>
      </BODY></HTML>


  2. Verify that the "Browse In New Process" setting is selected in Internet Explorer on the client machine. This setting is in the Browser Settings section in the Advanced tab of the Internet Options dialog box.


  3. On the client machine, launch exactly one Internet Explorer instance. Navigate to the ASP page created in step 1. Click the "WindowOpen" button to execute window.open and create a new window.

    Note that the ASP Session ID matches in both child and parent window.


  4. Create a new Internet Explorer instance by invoking Internet Explorer from the Start menu or Desktop icon. Again, navigate to the ASP page created in step 1. Click the "WindowOpen" button.

    Note that the ASP Session ID does not match in both child and parent window of the new process. In some cases, this may be the session ID of the first pair of Internet Explorer windows.



REFERENCES

Similar symptoms can occur when working with Office documents or other Active Document servers in a Web environment.

For additional information, please see the following article(s) in the Microsoft Knowledge Base:

Q185978 BUG: Double GET and Cookies Lost with Word or Excel

© Microsoft Corporation 1999, All Rights Reserved.
Contributions by Jason Strayer, Microsoft Corporation

Additional query words:

Keywords : kbnokeyword kbIE400 kbIE401 kbIE401sp1 kbIE500fix kbIEdp1
Version : WINDOWS:4.0,4.01,4.01 SP1,4.01 SP2,5.0dp1
Platform : WINDOWS
Issue type : kbbug


Last Reviewed: November 17, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.