Solved

IE 9 losing session cookie

Posted on 2013-01-15
Last Modified: 2013-01-27
Using IE 9:
User logs into site #1.
Site #1 redirects user to site #2 using a URL with query parameters (ASP) that are all correct.
Site #2 executes login script, it's all good.
I can see the login happening correctly in profiler.

Site #2 then rejects user because of no Session variable containing the user_id.

Yet, directly logging in to site #2 with IE 9 works with no problem for the user.

Same steps above using Chrome: logged into site #1, then get successfully redirected to site #2.

Facts:
IE9 direct login to site #2 works.
Chrome redirect from site #1 to site #2 works.
Only IE9 with redirect from #1 to #2 fails.

Some issue with IE session sharing?
Something about a redirect not accepting the session cookie?

Anyone have an idea why IE 9 with redirect fails?

Thanks
0
Question by:awalkinthepark
10 Comments
 
LVL 4

Assisted Solution

by:tvedtem
tvedtem earned 250 total points
ID: 38781112
Hard to say without looking.  Reduce the security on IE and see what happens (or set it all to 'prompt')

If you can grab the HTTP logs (with status codes) of the entire process that would make it a bit easier to tell.

Is it possible to set the cookie on the top-level domain from site#1 (i.e. are #1 and #2  sub-domains of the same parent?)
0
 

Author Comment

by:awalkinthepark
ID: 38781131
Tried reducing security on IE, turned off McAfee add-ons.

Cannot set the cookie from site #1. That's someone else's web server.

We have many users doing this exact thing without issue.
IEX -> site #1 to site #2, and so I believe it's a setting somewhere on this user's machine.

Tomorrow I can try looking at the logs. Will have to get the user's IP first.

This implies that session merging can be disabled:
"One of the best solution for your case is Registry fix for the IE.
Add the following KEY if it is not there, set 0 to disable frame merging.
HKCU\Software\Microsoft\Internet Explorer\Main
DWORD: FrameMerging
Value: 0"

Having user look for this in his registry tomorrow.

The parent browser pops up a new browser that is logging in.
So the new browser "should" be starting a new session and have the session cookie.

This "user timing out" issue has always been resolved by enabling session cookies in the past,
which of course we have tried with this user.
The fact that directly logging in works rules out the enable session cookies issue.


P
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 38781159
If the domain names of the sites are different, then they will have different session cookies.  It is a pretty strong security rule in all browsers that one domain can not see the cookies of another domain.  Also, a session cookie is active as long as any window of the browser is still open.  Each browser has only one 'cookie jar' that is shared by all windows.

Things like 'in private' browsing are supposed to 'sandbox' the different sites from each other.  http://windows.microsoft.com/en-US/windows-vista/What-is-InPrivate-Browsing
0
 

Author Comment

by:awalkinthepark
ID: 38784197
Yes, that's understood.
Still, the problem is that the new browser connects to site #2 and should have a session cookie, but when it's done as a redirect, it fails. Done directly, it doesn't fail.
Other browsers work when done as a redirect.
Some IE setting other than "allow session cookies"?
0
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 250 total points
ID: 38784329
I honestly don't think it is working the way you think it is.  Different domains do not share cookies or sessions.  They just don't.  It's against all the security rules that I know of.

"Session cookies" are those with no expiration.  They expire when the browser is closed meaning All browser windows, not just the one where the site was being viewed.  The session cookies for Site #1 and Site #2 are two separate cookies if Site #1 and Site #2 are different domains.  When you open your browser and go to Site #1, it will get a session cookie from Site #1.  It will Not have a session cookie from Site #2 Until it goes to Site #2.
0
 
LVL 4

Expert Comment

by:tvedtem
ID: 38785284
Here's what I think you're saying...

You visit site#1 www.site1.com
Site 1 returns a 302 status code, redirecting to www.site2.com?loginID=1234
The browser does as it's told, and makes a request to www.site2.com?loginID=1234
In Chrome, this will automatically log user 1234 in (or at least recognise them)
In IE9, you see an error message instead

Is that correct ?

Thinking about this, I guess this might qualify as a third-party cookie.
Open Advanced Privacy Settings (Internet Options -> Privacy -> Advanced) and see if that's responsible.
0
 

Accepted Solution

by:
awalkinthepark earned 0 total points
ID: 38807128
I tried various individual changes without any luck.
Finally resolved by simply resetting the security settings to default.
I don't know what specific setting resolved it.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 38807226
At least you got it working, that's what counts.
0
 
LVL 4

Expert Comment

by:tvedtem
ID: 38808395
If having "Third party cookies = blocked" ticked in
  Internet Options -> Privacy -> Advanced

causes the problem, and your system is used by a range of users, it might be wise to rework the code a little bit (since some users will have it set this way)
0
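One way to do the rework suggested in the comment above, added here as an example and not code from any poster or from the site in question: after the login script on site #2 sets the session cookie, bounce the browser through a probe URL and check that the cookie actually came back, so a browser that refuses the cookie gets a clear message instead of a "no user_id in Session" rejection. The cookie name `sid`, the `/cookiecheck` path, the `next` parameter and the in-memory `SESSIONS` store are all hypothetical; the example also restricts `next` to local paths so the probe cannot be turned into an open redirect.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlencode

SESSIONS = {}      # session id -> user_id; stand-in for the server's session store
COOKIE = "sid"     # hypothetical session cookie name

def safe_next(path):
    """Accept only same-site paths as the post-login target."""
    path = path or ""
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        return "/"
    return path

def login(user_id, next_path="/"):
    """Step 1: create the session, set the cookie, redirect to the probe."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = user_id
    cookie = SimpleCookie()
    cookie[COOKIE] = sid
    cookie[COOKIE]["path"] = "/"
    cookie[COOKIE]["httponly"] = True
    location = "/cookiecheck?" + urlencode({"next": safe_next(next_path)})
    headers = {"Set-Cookie": cookie[COOKIE].OutputString(), "Location": location}
    return 302, headers, ""

def cookie_check(request_headers, next_path):
    """Step 2: did the browser send the cookie back on the next request?"""
    jar = SimpleCookie(request_headers.get("Cookie", ""))
    sid = jar[COOKIE].value if COOKIE in jar else None
    if sid in SESSIONS:
        # Cookie round-tripped: continue to the page the user wanted.
        return 302, {"Location": safe_next(next_path)}, ""
    # Cookie was dropped: say so, rather than failing later on a missing user_id.
    body = ("Your browser did not accept this site's session cookie. "
            "Check Internet Options -> Privacy -> Advanced and try again.")
    return 200, {}, body
```

Logging each time the second branch is taken, together with the User-Agent, separates "browser dropped the cookie" from a real login failure in the server logs.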
 

Author Closing Comment

by:awalkinthepark
ID: 38823822
It worked but true cause not identified.
0

Question has a verified solution.