
IE11 does not send session cookie when a link targeting a new tab is clicked (on first request)

I am having some trouble holding onto session when opening an initial new tab (target _blank) from IE11.

When I close all instances of IE11 and then open a fresh browser and navigate to the test webpage (default.aspx) the page stores a value in session and displays the session ID on the page. If I refresh the page the session ID stays the same. The page has a link to itself (default.aspx) with a target of _blank. If I click this link a new tab is opened, but the session ID is different. If I then refresh the original window the session ID now matches the new window.

<%@ Page Language="C#" AutoEventWireup="true" Inherits="System.Web.UI.Page" %>

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
<% Session["StoredValue"]="Test"; %>

<div>SessionID: <%=Session.SessionID%></div>

<a href="/default.aspx" target="_blank">New Window</a>
<a href="http://www.google.com" target="_blank">3rd Party Window</a>

</body>
</html>

It appears this problem only occurs for the first window on the same domain opened in a new tab (I have verified the problem with both target="_blank" and by holding CTRL while clicking the link).

  • When I watch the cookie traffic with Fiddler I can see that the session cookie is sent normally in the initial request from default.aspx. When I click the link to open the page in a new tab the session cookie is not being sent in the request headers.
  • If I restart the browser, go to the test page, open a new tab manually and paste the link destination into it, the cookie is sent correctly in the request headers and the session from the new tab matches the original tab as expected.
  • If I restart the browser, go to the test page, open Google from a link targeting _blank in the test page, and then click the link opening the test page in a new tab, the cookie is also sent correctly in the request headers and the session from the new window matches the original window as expected.

I believe this to be a client side issue but the site is running from Windows Server Standard 2008 R2 SP 1 in a 4.0 Integrated website with .NET 4.51 installed (also tried with only 4.5 installed).

The client is Windows 7 64-bit running IE11 (11.0.9600.16476). I have verified the problem on other machines running Windows 7 from IE11 and confirmed that it is not a problem in IE10 from Windows 8 in desktop mode. Everything works as expected in Chrome and Firefox.

I have verified the problem persists even if I:

  • Move security from Medium High to Medium
  • Disable Protected Mode
  • Change privacy to Accept all Cookies
  • Add the site to either the Local Intranet or Trusted Sites zone website list
  • Set a P3P compact privacy policy in the response headers stating no information is collected or used.
  • Set a P3P compact privacy policy in the response headers that would typically be accepted to allow 3rd party cookies within an iframe in past versions of IE.
  • Change the website ASP.NET session state settings to cookieless="UseCookies" or "false" or remove the attribute altogether (ASP.NET State Server).

Any ideas? Has anyone else seen this issue or similar?

user3179118 asked Jan 09 '14 21:01



2 Answers

This is an active bug according to Microsoft. There is apparently no server-side way to fix this.

Link to bug report

Mark Pearson answered Nov 20 '22 17:11


Not a solution, but a clue: We noticed similar behavior and tracked it down to requests to root/browserconfig.xml causing the user to become unauthenticated. The server sent a new session cookie because Windows was not sending the existing one. Subsequent requests then sent the new session cookie value. We changed our server to look for this request and not set response cookies.

James answered Nov 20 '22 18:11
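
One way to implement the workaround described in the answer above, as an added example (not code from the answer, the question, or Microsoft): an ASP.NET `IHttpModule` for the integrated pipeline that answers `/browserconfig.xml` before the session and authentication modules run and clears any cookies queued on that response. The class name is hypothetical, and the sketch assumes the site does not serve a real `browserconfig.xml` of its own.

```csharp
using System;
using System.Web;

// Hypothetical module (added example). Register it in web.config under
// <system.webServer><modules> so it runs for every request.
public sealed class BrowserConfigCookieGuard : IHttpModule
{
    // Path named in the answer: requested from the site root without cookies.
    private const string ProbePath = "/browserconfig.xml";

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
        app.EndRequest += OnEndRequest;
    }

    private static bool IsProbe(HttpRequest request)
    {
        return string.Equals(request.Path, ProbePath,
                             StringComparison.OrdinalIgnoreCase);
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        if (!IsProbe(app.Request)) return;

        // Assumption: no real browserconfig.xml exists, so 404 is the honest reply.
        // CompleteRequest() jumps straight to EndRequest, so AuthenticateRequest and
        // AcquireRequestState never run and no new session or auth ticket is issued
        // for a request that arrived without the existing cookie.
        app.Response.StatusCode = 404;
        app.CompleteRequest();
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        if (!IsProbe(app.Request)) return;

        // Second line of defence: drop any cookie an earlier module already queued,
        // so this response can never replace the browser's current session cookie.
        app.Response.Cookies.Clear();
    }

    public void Dispose() { }
}
```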