IE 8 Release version is sharing session cookies across browsers

 
 
Steve H
03-23-2009
Hi,

We've got a big problem with IE 8.

With IE 7 you could launch different browser sessions and log in to a web
site with different IDs. Each browser window would have its own session
cookie. Each tab would share the session cookie - which is exactly how it
should intuitively work.

If you do this with IE 8 then there seems to be only ever one session. No
matter how many browsers you open you get the same session and so you can
log in as only one user at a time.

This is a problem for us with our own application, but it is also a problem
with all web sites and we have reproduced it with Ebay for example.

I haven't been able to find any settings in the UI to disable this.

Best regards

Steve
 

VanguardLH
03-23-2009

If this is something you can reliably reproduce then maybe you should
tell Microsoft about it directly.

Comment: "Support for Internet Explorer 8 is available at no charge
until 31st December 2009."
MS page: http://preview.tinyurl.com/c4roap
 

Eric
03-25-2009
Whoa! BIG problem. I am able to reproduce this. And it's true even if,
before you open the new window, you close the original browser that started
the session! GIANT security problem here. There are a lot of great things
about IE8, but man... there are some really horrible things too!
 

Eric
03-25-2009
FYI: I just also confirmed it with Bank of America. Log in, copy the URL
from the welcome page, close the browser, open a new browser, paste the URL,
poof, you're logged in. The URL from the BofA welcome page is standard, so
you could just try popping that into web browsers out in the world (internet
cafes, etc.) and eventually you'll be logged into someone's bank account.
This is unbelievably bad.
 

PA Bear [MS MVP]
03-25-2009
Please state your full Windows version (e.g., WinXP SP3; Vista SP1), Steve.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/


 

PA Bear [MS MVP]
03-26-2009
~waves & thanx @EricLaw~

EricLaw wrote:
> This behavior is by-design for IE8. We elected to make session
> handling more consistent. Previously, some entry points would create
> a new session (e.g. clicking a desktop icon) while others did not
> (e.g. File > New Window).
>
> There's a little test page that makes this easy to demo here:
> http://www.enhanceie.com/test/sessions/
>
> Now in IE8, new sessions are created explicitly, by clicking File >
> New Session, or by starting iexplore.exe with the -nomerge command
> line parameter.
>
> I'll be putting up a post on this topic on the IEBlog (blogs.msdn.com/
> ie) shortly.
>
> Thanks,
>
> Eric Lawrence
> Security Program Manager
> Internet Explorer
>
 

Eric
03-26-2009
Wow, I do hope you reconsider this. There are a lot of good features in IE8
and honestly, I am (and always have been) an IE fanboy. But this is
seriously bad, IMO.
 

Eric
03-26-2009
I agree with every point Cesee has made. It's very easy to imagine
scenarios where this can be exploited. An attacker could easily keep an eye
on users in public places and, when they leave, essentially hijack the prior
session intentionally, with almost zero effort. Coffee shops, gatherings at
a person's house with some not-well-known guests, etc., etc. Should users
click the log out links in sites to destroy the session? Of course. Do
they? Usually not.

If a user really wants this behavior (I can't imagine anyone would), they
should have to explicitly enable it. I don't even love that session cookies
were shared amongst tabs in the same window, but as Cesee said, users would
typically close the whole window, so it wasn't a huge issue. In my opinion,
session cookies should only be shared in child windows that were directly
spawned by a parent window (via javascript, a hyperlink target, or the user
opening a link in a new window/tab).


Eric


"Cesee" <> wrote in message
news:7787945e-5949-4c35-bae9-...
On Mar 26, 2:20 pm, Cesee <cesar.mar...@gmail.com> wrote:
> This means that you cannot install IE8 on public computers (at least
> with the default settings).
>
> Now attackers can roam libraries and try to access bank accounts, how
> many of us don't just close the browser window ?!!
>
> Take this scenario:
> Somebody goes into the library, opens IE8, checks the news, opens
> another IE8, logs into his bank account and then closes the bank
> account window and leaves the news window open.
> Another person opens a NEW WINDOW, uses the link to the bank and... he
> finds that he is logged in automatically...
> Like I said, I consider this a huge security issue and I too really
> hope you will reconsider this.
>
> I had no option but to instruct my customers, which are big
> organizations with a large number of employees that each can check
> their payslips online, not to install IE8 on public stations. (this
> also can happen with tabs in ie7, but the user usually closes the
> whole window and not only the tab)


what I meant is that it makes the attackers jobs easier, and even non-
attackers can access other accounts by accident more often now...

 

gcpeters
03-26-2009

It's actually more confusing that you made it more consistent.

If the idea was that by clicking on the desktop, the same session
would be used as an existing session (so that we don't confuse the
user), that works until someone clicks "New Session". If they do this 3
times, now you have 3 sessions.

Which session do you get when you open up a new browser instance? In
my test it was the first session I created, but I really was hoping for
the 3rd one.

The first one, the second one or the third one? And even better, if
you close your first instance, which one do you get? What if you don't
remember which one was the second session?

It was much more obvious that loading a new instance of Internet
Explorer meant you got a fresh-new session by default. If I load
another instance of notepad or wordpad or anything, I don't expect to
see the other notepad that I'm working on pop into my new window.

Thanks,
George


--
gcpeters
Posted via http://www.vistaheads.com

 

Eric
03-26-2009
The really weird thing is when you consider how much thought and effort went
into making IE8 secure. Obscure scenarios are handled beautifully- so some
sort of conversation like the following must have happened:

"What happens if a site performs X, Y, and Z and the user does A, B, and C
while it's the 3rd full moon of the year?"

"We have to account for that because, even though it's obscure, we need IE8
to be as secure as possible."

"Right then, next question: What happens if a user is doing some banking on
a public computer and closes the window. If the next user of the PC were to
type the URL of the bank, what should happen?"

"It should give the new user full and complete access to the first user's
banking session because we need to make session handling consistent so that
users aren't confused."

"Got it- let's do it that way then, thanks."


Eric


"gcpeters" <> wrote in message
news:...
>
> It's actually more confusing that you made it more consistent.
>
> If the ideas was that by clicking on the desktop, the same session
> would be used as an existing session (so that we don't confused the
> user), that works until someone clicks "New Session". If they do this 3
> times, now you have 3 sessions.
>
> Which session do you get when you open up a new browser instance? In
> my test it was the first session I created, but I really was hoping for
> the 3rd one.
>
> The first one, the second one or the third one? And even better, if
> you close your first instance, which one do you get? What if you don't
> remember which one was the second session?
>
> It was much more obvious that loading a new instance of Internet
> Explorer meant you got a fresh-new session by default. If I load
> another instance of notepad or wordpad or anything, I don't expect to
> see the other notepad that I'm working on pop into my new window.
>
> Thanks,
> George
 