#16
Re: IE 8 Release version is sharing session cookies across browsers

On Mar 23, 5:06 am, Steve H <Ste...@discussions.microsoft.com> wrote:
> Hi,
>
> We've got a big problem with IE 8.
>
> With IE 7 you could launch different browser sessions and login to a web
> site with different ID's. Each browser window would have its own session
> cookie. Each tab would share the session cookie - which is exactly how it
> should intuitively work.
>
> If you do this with IE 8 then there seems to be only ever one session. No
> matter how many browsers you open you get the same session and so you can
> login as only one user at a time.
>
> This is a problem for us with our own application, but it is also a problem
> with all web sites and we have reproduced it with Ebay for example.
>
> I haven't been able to find any settings in the UI to disable this.
>
> Best regards
>
> Steve

I haven't been able to figure out how to do so either. This is a huge problem, and it used to exist back in IE4 as well! It made such good sense to have the session shared between tabs and new windows generated from a running IE instance, with new IE processes getting a new session. Argh, this is a huge setback in functionality.

#17
Re: IE 8 Release version is sharing session cookies across browsers

On Mar 23, 5:06 am, Steve H <Ste...@discussions.microsoft.com> wrote:
> Hi,
>
> We've got a big problem with IE 8.
>
> With IE 7 you could launch different browser sessions and login to a web
> site with different ID's. Each browser window would have its own session
> cookie. Each tab would share the session cookie - which is exactly how it
> should intuitively work.
>
> If you do this with IE 8 then there seems to be only ever one session. No
> matter how many browsers you open you get the same session and so you can
> login as only one user at a time.
>
> This is a problem for us with our own application, but it is also a problem
> with all web sites and we have reproduced it with Ebay for example.
>
> I haven't been able to find any settings in the UI to disable this.
>
> Best regards
>
> Steve

Steve-

Looks like MS broke this expectation in IE8 (vs how it worked in IE5,6,7) when they implemented the InPrivate Browsing functionality. From what I gather, you should get a similar behaviour as you had come to rely on when you launch an IE8 window with InPrivate Browsing (Tools > InPrivate Browsing). You can also create a shortcut to always launch in this mode by passing in the -private option to iexplore.exe.

#18
Re: IE 8 Release version is sharing session cookies across browsers

On Mar 25, 3:47 pm, Ace <jerah...******.com> wrote:
> On Mar 23, 5:06 am, Steve H <Ste...@discussions.microsoft.com> wrote:
>
> > Hi,
> >
> > We've got a big problem with IE 8.
> >
> > With IE 7 you could launch different browser sessions and login to a web
> > site with different ID's. Each browser window would have its own session
> > cookie. Each tab would share the session cookie - which is exactly how it
> > should intuitively work.
> >
> > If you do this with IE 8 then there seems to be only ever one session. No
> > matter how many browsers you open you get the same session and so you can
> > login as only one user at a time.
> >
> > This is a problem for us with our own application, but it is also a problem
> > with all web sites and we have reproduced it with Ebay for example.
> >
> > I haven't been able to find any settings in the UI to disable this.
> >
> > Best regards
> >
> > Steve
>
> I haven't been able to figure out how to do so either. This is a huge
> problem, and it used to exist back in IE4 as well! It made such good
> sense to have the session shared between tabs and new windows
> generated from a running IE instance, with new IE processes getting a
> new session. Argh, this is a huge setback in functionality.

I think that even sharing a session between tabs is a big problem and it doesn't make sense to me, not to mention that it causes a major security problem.

For example you can have two tabs, one is secure and one is unsecure, then close the secure one, and you won't even know that you are still logged in (clicking a bookmark on the desktop will automatically log you in... or somebody else in...)

Another example is XS-Request-Forgery - this session between tabs thing makes it much easier for the attackers (you just need to open the email and the secure site in the same browser and click on a link in the mail...)

Now with IE8 it's real HELL

I think I'm gonna contact microsoft about this, not to mention the other bugs in IE8 (such as ignoring the no-cache headers which is another security problem)
#20
Re: IE 8 Release version is sharing session cookies across browsers

On Mar 26, 3:15 am, EricLaw <bay...******.com> wrote:
> <<not to mention the other bugs in IE8 (such as ignoring the no-cache
> headers which is another security problem) >>
>
> IE8 does not "ignore" no-cache headers. As specified in RFC2616,
> "Cache-Control: no-cache" is simply a directive to the client that it
> should not reuse the cached-entry without revalidation. Internet
> Explorer supports this directive. (Notably, this directive is
> intended to have no bearing whatsoever on whether or not the browser
> stores the content in its cache).
>
> To learn more about caching, please see www.enhanceie.com/redir/?id=httpperf
>
> Eric Lawrence
> Program Manager
> Internet Explorer Security
>
> On Mar 25, 1:50 pm, Cesee <cesar.mar...******.com> wrote:
>
> > On Mar 25, 3:47 pm, Ace <jerah...******.com> wrote:
> >
> > > On Mar 23, 5:06 am, Steve H <Ste...@discussions.microsoft.com> wrote:
> > >
> > > > Hi,
> > > >
> > > > We've got a big problem with IE 8.
> > > >
> > > > With IE 7 you could launch different browser sessions and login to a web
> > > > site with different ID's. Each browser window would have its own session
> > > > cookie. Each tab would share the session cookie - which is exactly how it
> > > > should intuitively work.
> > > >
> > > > If you do this with IE 8 then there seems to be only ever one session. No
> > > > matter how many browsers you open you get the same session and so you can
> > > > login as only one user at a time.
> > > >
> > > > This is a problem for us with our own application, but it is also a problem
> > > > with all web sites and we have reproduced it with Ebay for example.
> > > >
> > > > I haven't been able to find any settings in the UI to disable this.
> > > >
> > > > Best regards
> > > >
> > > > Steve
> > >
> > > I haven't been able to figure out how to do so either. This is a huge
> > > problem, and it used to exist back in IE4 as well! It made such good
> > > sense to have the session shared between tabs and new windows
> > > generated from a running IE instance, with new IE processes getting a
> > > new session. Argh, this is a huge setback in functionality.
> >
> > I think that even sharing a session between tabs is a big problem and
> > it doesn't make sense to me, not to mention that it causes a major
> > security problem.
> >
> > For example you can have two tabs, one is secure and one is unsecure,
> > then close the secure one, and you won't even know that you are still
> > logged in (clicking a bookmark on the desktop will automatically log
> > you in... or somebody else in...)
> >
> > Another example is XS-Request-Forgery - this session between tabs
> > thing makes it much easier for the attackers (you just need to open
> > the email and the secure site in the same browser and click on a link
> > in the mail...)
> >
> > Now with IE8 it's real HELL
> >
> > I think I'm gonna contact microsoft about this, not to mention the
> > other bugs in IE8 (such as ignoring the no-cache headers which is
> > another security problem)

Maybe it doesn't ignore the headers, but I do want to direct the client not to save a file in its cache. The code worked with any other browser I know (Ie6,Ie7,ff,chrome...) and the same code stopped working in ie8. You cannot tell me that this is not a bug (somewhere, even in my code and maybe I need to add the no-cache, no-store, private manually).

The thing is, sensitive data is now stored on the clients who installed ie8 without them knowing it, and I and others have to update our software right away.

#21
Re: IE 8 Release version is sharing session cookies across browsers

On Mar 26, 3:11 am, EricLaw <bay...******.com> wrote:
> This behavior is by-design for IE8. We elected to make session
> handling more consistent. Previously, some entry points would create
> a new session (e.g. clicking a desktop icon) while others did not
> (e.g. File > New Window).
>
> There's a little test page that makes this easy to demo here: http://www.enhanceie.com/test/sessions/
>
> Now in IE8, new sessions are created explicitly, by clicking File >
> New Session, or by starting iexplore.exe with the -nomerge command
> line parameter.
>
> I'll be putting up a post on this topic on the IEBlog (blogs.msdn.com/ie)
> shortly.
>
> Thanks,
>
> Eric Lawrence
> Security Program Manager
> Internet Explorer
>
> On Mar 23, 5:06 am, Steve H <Ste...@discussions.microsoft.com> wrote:
>
> > Hi,
> >
> > We've got a big problem with IE 8.
> >
> > With IE 7 you could launch different browser sessions and login to a web
> > site with different ID's. Each browser window would have its own session
> > cookie. Each tab would share the session cookie - which is exactly how it
> > should intuitively work.
> >
> > If you do this with IE 8 then there seems to be only ever one session. No
> > matter how many browsers you open you get the same session and so you can
> > login as only one user at a time.
> >
> > This is a problem for us with our own application, but it is also a problem
> > with all web sites and we have reproduced it with Ebay for example.
> >
> > I haven't been able to find any settings in the UI to disable this.
> >
> > Best regards
> >
> > Steve

This means that you cannot install IE8 on public computers (at least with the default settings).

Now attackers can roam libraries and try to access bank accounts, how many of us don't just close the browser window ?!!

Take this scenario:
Somebody goes into the library opens IE8, checks the news, opens another IE8, logs into his bank account and then closes the bank account window and leaves the news window open.
Another person opens a NEW WINDOW, uses the link to the bank and... he finds that he is logged in automatically...
Like I said, I consider this a huge security issue and I too really hope you will reconsider this.

I had no option but to instruct my customers which are big organizations with a large number of employees that each can check their payslips online, not to install IE8 on public stations. (this also can happen with tabs in ie7, but the user usually closes the whole window and not only the tab)

#22
Re: IE 8 Release version is sharing session cookies across browsers

On Mar 26, 2:20 pm, Cesee <cesar.mar...******.com> wrote:
> On Mar 26, 3:11 am, EricLaw <bay...******.com> wrote:
>
> > This behavior is by-design for IE8. We elected to make session
> > handling more consistent. Previously, some entry points would create
> > a new session (e.g. clicking a desktop icon) while others did not
> > (e.g. File > New Window).
> >
> > There's a little test page that makes this easy to demo here: http://www.enhanceie.com/test/sessions/
> >
> > Now in IE8, new sessions are created explicitly, by clicking File >
> > New Session, or by starting iexplore.exe with the -nomerge command
> > line parameter.
> >
> > I'll be putting up a post on this topic on the IEBlog (blogs.msdn.com/ie)
> > shortly.
> >
> > Thanks,
> >
> > Eric Lawrence
> > Security Program Manager
> > Internet Explorer
> >
> > On Mar 23, 5:06 am, Steve H <Ste...@discussions.microsoft.com> wrote:
> >
> > > Hi,
> > >
> > > We've got a big problem with IE 8.
> > >
> > > With IE 7 you could launch different browser sessions and login to a web
> > > site with different ID's. Each browser window would have its own session
> > > cookie. Each tab would share the session cookie - which is exactly how it
> > > should intuitively work.
> > >
> > > If you do this with IE 8 then there seems to be only ever one session. No
> > > matter how many browsers you open you get the same session and so you can
> > > login as only one user at a time.
> > >
> > > This is a problem for us with our own application, but it is also a problem
> > > with all web sites and we have reproduced it with Ebay for example.
> > >
> > > I haven't been able to find any settings in the UI to disable this.
> > >
> > > Best regards
> > >
> > > Steve
>
> This means that you cannot install IE8 on public computers (at least
> with the default settings).
>
> Now attackers can roam libraries and try to access bank accounts, how
> many of us don't just close the browser window ?!!
>
> Take this scenario:
> Somebody goes into the library opens IE8, checks the news, opens
> another IE8, logs into his bank account and then closes the bank
> account window and leaves the news window open.
> Another person opens a NEW WINDOW, uses the link to the bank and... he
> finds that he is logged in automatically...
> Like I said, I consider this a huge security issue and I too really
> hope you will reconsider this.
>
> I had no option but to instruct my customers which are big
> organizations with a large number of employees that each can check
> their payslips online, not to install IE8 on public stations. (this
> also can happen with tabs in ie7, but the user usually closes the
> whole window and not only the tab)

what I meant is that it makes the attackers' jobs easier, and even non-attackers can access other accounts by accident more often now...

#23
RE: IE 8 Release version is sharing session cookies across browsers

Whoa! BIG problem. I am able to reproduce this. And it's true even if, before you open the new window, you close the original browser that started the session! GIANT security problem here.

There are a lot of great things about IE8, but man... there are some really horrible things too!

"Steve H" wrote:
> Hi,
>
> We've got a big problem with IE 8.
>
> With IE 7 you could launch different browser sessions and login to a web
> site with different ID's. Each browser window would have its own session
> cookie. Each tab would share the session cookie - which is exactly how it
> should intuitively work.
>
> If you do this with IE 8 then there seems to be only ever one session. No
> matter how many browsers you open you get the same session and so you can
> login as only one user at a time.
>
> This is a problem for us with our own application, but it is also a problem
> with all web sites and we have reproduced it with Ebay for example.
>
> I haven't been able to find any settings in the UI to disable this.
>
> Best regards
>
> Steve
#25
RE: IE 8 Release version is sharing session cookies across browsers

FYI: I just also confirmed it with Bank of America. Log in, copy the URL from the welcome page, close the browser, open a new browser, paste the URL, poof, you're logged in. The URL from the BofA welcome page is standard, so you could just try popping that into web browsers out in the world (internet cafes, etc.) and eventually you'll be logged into someone's bank account. This is unbelievably bad.

"Steve H" wrote:
> Hi,
>
> We've got a big problem with IE 8.
>
> With IE 7 you could launch different browser sessions and login to a web
> site with different ID's. Each browser window would have its own session
> cookie. Each tab would share the session cookie - which is exactly how it
> should intuitively work.
>
> If you do this with IE 8 then there seems to be only ever one session. No
> matter how many browsers you open you get the same session and so you can
> login as only one user at a time.
>
> This is a problem for us with our own application, but it is also a problem
> with all web sites and we have reproduced it with Ebay for example.
>
> I haven't been able to find any settings in the UI to disable this.
>
> Best regards
>
> Steve
#28
Re: IE 8 Release version is sharing session cookies across browsers

Please state your full Windows version (e.g., WinXP SP3; Vista SP1), Steve.

--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

Steve H wrote:
> We've got a big problem with IE 8.
>
> With IE 7 you could launch different browser sessions and login to a web
> site with different ID's. Each browser window would have its own session
> cookie. Each tab would share the session cookie - which is exactly how it
> should intuitively work.
>
> If you do this with IE 8 then there seems to be only ever one session. No
> matter how many browsers you open you get the same session and so you can
> login as only one user at a time.
>
> This is a problem for us with our own application, but it is also a problem
> with all web sites and we have reproduced it with Ebay for example.
>
> I haven't been able to find any settings in the UI to disable this.

#29
Re: IE 8 Release version is sharing session cookies across browsers

This behavior is by-design for IE8. We elected to make session handling more consistent. Previously, some entry points would create a new session (e.g. clicking a desktop icon) while others did not (e.g. File > New Window).

There's a little test page that makes this easy to demo here: http://www.enhanceie.com/test/sessions/

Now in IE8, new sessions are created explicitly, by clicking File > New Session, or by starting iexplore.exe with the -nomerge command line parameter.

I'll be putting up a post on this topic on the IEBlog (blogs.msdn.com/ie) shortly.

Thanks,

Eric Lawrence
Security Program Manager
Internet Explorer

On Mar 23, 5:06 am, Steve H <Ste...@discussions.microsoft.com> wrote:
> Hi,
>
> We've got a big problem with IE 8.
>
> With IE 7 you could launch different browser sessions and login to a web
> site with different ID's. Each browser window would have its own session
> cookie. Each tab would share the session cookie - which is exactly how it
> should intuitively work.
>
> If you do this with IE 8 then there seems to be only ever one session. No
> matter how many browsers you open you get the same session and so you can
> login as only one user at a time.
>
> This is a problem for us with our own application, but it is also a problem
> with all web sites and we have reproduced it with Ebay for example.
>
> I haven't been able to find any settings in the UI to disable this.
>
> Best regards
>
> Steve

#30
Re: IE 8 Release version is sharing session cookies across browsers

<<not to mention the other bugs in IE8 (such as ignoring the no-cache headers which is another security problem) >>

IE8 does not "ignore" no-cache headers. As specified in RFC2616, "Cache-Control: no-cache" is simply a directive to the client that it should not reuse the cached-entry without revalidation. Internet Explorer supports this directive. (Notably, this directive is intended to have no bearing whatsoever on whether or not the browser stores the content in its cache).

To learn more about caching, please see www.enhanceie.com/redir/?id=httpperf

Eric Lawrence
Program Manager
Internet Explorer Security

On Mar 25, 1:50 pm, Cesee <cesar.mar...******.com> wrote:
> On Mar 25, 3:47 pm, Ace <jerah...******.com> wrote:
>
> > On Mar 23, 5:06 am, Steve H <Ste...@discussions.microsoft.com> wrote:
> >
> > > Hi,
> > >
> > > We've got a big problem with IE 8.
> > >
> > > With IE 7 you could launch different browser sessions and login to a web
> > > site with different ID's. Each browser window would have its own session
> > > cookie. Each tab would share the session cookie - which is exactly how it
> > > should intuitively work.
> > >
> > > If you do this with IE 8 then there seems to be only ever one session. No
> > > matter how many browsers you open you get the same session and so you can
> > > login as only one user at a time.
> > >
> > > This is a problem for us with our own application, but it is also a problem
> > > with all web sites and we have reproduced it with Ebay for example.
> > >
> > > I haven't been able to find any settings in the UI to disable this.
> > >
> > > Best regards
> > >
> > > Steve
> >
> > I haven't been able to figure out how to do so either. This is a huge
> > problem, and it used to exist back in IE4 as well! It made such good
> > sense to have the session shared between tabs and new windows
> > generated from a running IE instance, with new IE processes getting a
> > new session. Argh, this is a huge setback in functionality.
>
> I think that even sharing a session between tabs is a big problem and
> it doesn't make sense to me, not to mention that it causes a major
> security problem.
>
> For example you can have two tabs, one is secure and one is unsecure,
> then close the secure one, and you won't even know that you are still
> logged in (clicking a bookmark on the desktop will automatically log
> you in... or somebody else in...)
>
> Another example is XS-Request-Forgery - this session between tabs
> thing makes it much easier for the attackers (you just need to open
> the email and the secure site in the same browser and click on a link
> in the mail...)
>
> Now with IE8 it's real HELL
>
> I think I'm gonna contact microsoft about this, not to mention the
> other bugs in IE8 (such as ignoring the no-cache headers which is
> another security problem)
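
The distinction drawn in the post above, between not reusing a cached entry without revalidation (no-cache) and not storing it at all (no-store), shown as an added example that is not part of the thread. The function names, sample paths and header values are constructed for illustration.

```python
"""Added example: what Cache-Control response directives let a cache do.

Follows the RFC 2616 section 14.9 reading given in the post above. All names
and sample responses here are hypothetical, constructed for illustration.
"""
import re

# directive [ "=" ( quoted-string | token ) ]; a quoted argument may contain commas.
_DIRECTIVE = re.compile(r'([^\s,="]+)(?:\s*=\s*(?:"([^"]*)"|([^\s,"]*)))?')


def parse_cache_control(value):
    """Return {directive: argument or None}; directive names are lower-cased."""
    directives = {}
    for name, quoted, bare in _DIRECTIVE.findall(value or ""):
        directives[name.lower()] = quoted or bare or None
    return directives


def browser_cache_policy(cache_control):
    """Describe what caches may do with a response carrying this header value."""
    d = parse_cache_control(cache_control)
    # Only no-store forbids keeping a copy.
    may_store = "no-store" not in d
    # Unqualified no-cache: a stored copy must be revalidated with the origin
    # server before reuse. It does not say whether the copy is stored.
    must_revalidate = "no-cache" in d and d["no-cache"] is None
    return {
        "may_store": may_store,
        # private keeps the response out of shared (proxy) caches only.
        "shared_cache_may_store": may_store and "private" not in d,
        "may_reuse_without_revalidation": may_store and not must_revalidate,
    }


# Constructed sample: (path, Cache-Control value sent with the response).
SAMPLE_RESPONSES = [
    ("/static/logo.png", "public, max-age=86400"),
    ("/payslip/2009-03", "no-cache"),
    ("/payslip/2009-02", "private, no-cache"),
    ("/account/summary", "no-cache, no-store, private"),
    ("/account/export", None),
]
SENSITIVE_PREFIXES = ("/payslip/", "/account/")


def sensitive_but_storable(responses, prefixes=SENSITIVE_PREFIXES):
    """Paths under a sensitive prefix whose headers still let the browser keep a copy."""
    return [
        path
        for path, cache_control in responses
        if path.startswith(prefixes) and browser_cache_policy(cache_control)["may_store"]
    ]


if __name__ == "__main__":
    for path, cc in SAMPLE_RESPONSES:
        print(f"{path:20} {cc!s:30} {browser_cache_policy(cc)}")
    print("still storable:", sensitive_but_storable(SAMPLE_RESPONSES))
```
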