Compartilhar via


Session management within Internet Explorer 8.0

Hi everyone!

Veena again, back with a discussion on session management in IE8. Many application developers expect that they lose their session when they close the IE window. So when the user launches a new instance of IE, they expect that the user is shown the login screen. However, to their surprise, this doesn’t happen automatically with IE8. IE8 is actually behaving as expected and I will attempt to explain why.

Relying on closing the window to clear the session is not a recommended way to implement proper logoff for an application. Because this clearly will not work if there is another window that is sharing the session. This has been the behavior always although our mechanics for which windows share a session has changed in IE8. For example, in IE6 and IE7, there were several ways to launch new windows, some of which gave you a new session, others of which did not.

Click IE shortcut from desktop, start->run -> New Session

  • Run iexplore.exe -> New Session
  • Click File->New Window -> Same session
  • Click “Open link in new tab” (IE7) -> Same session
  • Click “Open link in new window” ->  Same session
  • Window.open() ->  Same session

As you can see, even in IE7, closing the browser window does not guarantee that your session and credentials would be destroyed.  As you may already be aware, many architectural changes were put into IE8. One such change, was to unify the session model and improve performance.  For More information please review MSDN IE Blog Title: IE8 and Reliability - https://blogs.msdn.com/b/ie/archive/2008/07/28/ie8-and-reliability.aspx.

So what if I want the old behavior back?  Well, there are three ways available:

  • Registry key
    HKCU\Software\Microsoft\Internet Explorer\Main\FrameMerging
    0 - disable frame merging
  • Command-line switch : If the application is being launched via a desktop shortcut, the command line switch “-noframemerging” could be added to that to get the desired effect.
    • Example: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -noframemerging
  • Menu item (“File->New Session”)

In summary, having the user close the browser window has never been sufficient to ensure that the session is destroyed. If the user had another window open in the same session, then that window would still effectively be logged in. However, if the user clicks “Log off” in the application before closing the window, the application CAN clear any credentials in the session, either by deleting session cookies (if that’s the authentication mechanism), or by deleting all of the credentials in the session via document.execCommand(ClearAuthenticationCache, false). If the application code does this, the user will not need to close the window to complete the logging out process. So next time they browse to it in another window that’s sharing the session, they should see the login screen as expected.

For more information on Frame Merging, click here.

Regards,

The IE Support Team

Comments

  • Anonymous
    May 08, 2009
    How do I resolve this problem in my application. I have a registration form written in php. What do I include in my code so that when visitor closes the browser in IE8, it kils the session.

  • Anonymous
    July 21, 2009
    Is it possible to invoke a java script (or similar action) to force the client to take the same action as "File -> New Session"? If so, could you detail how this would be done?

  • Anonymous
    July 21, 2009
    HiThe above given Registry key does not exist in my windows XP version.Any comments on that?

  • Anonymous
    August 26, 2009
    Same here, FrameMerging reg enty doesnt exist in XP. how do you resolve this issue in xp.

  • Anonymous
    January 06, 2010
    Frame merging is enabled by default in IE8. You add the following registry key  to disable frame mergingHKCUSoftwareMicrosoftInternet ExplorerMainFrameMerging0 (DWORD)

  • Anonymous
    February 16, 2010
    I cannot find FrameMerging key in registry. Where is it?Windows XP Prof SP 3IE 8.0.6001.18720CODidn't find HKCUSoftwareMicrosoftInternet ExplorerMainFrameMergingPlease help. I need to open up new window without automatically logging in with same session.

  • Anonymous
    March 02, 2010
    This has been incredibly frustrating.What have others been informing users in terms of dealing with this issue?

  • Anonymous
    March 05, 2010
    Wonderful information! I was just reviewing a session problem with IE8 and this is a partial solution. Thanks a bunch!

  • Anonymous
    April 12, 2010
    If two windows shave a session and one is closed then, no don't close the session. If all instances close then yes the session closes.Secure session cookies rely on this behaviour.The expected user behaviour, whether you like it or not, is that closing a browser closes a login. Putting a logout button is zero gaurentee that the user will click it. You can engineer code, but you can't engineer your users.This is a bug.

  • Anonymous
    April 20, 2010
    "Relying on closing the window to clear the session is not a recommended way to implement proper logoff for an application. Because this clearly will not work if there is another window that is sharing the session. "True, buy why, pray say, session isn't cleared for one application if I close its window, but keep another window, pointing to a completely different application, on different server in different DOMAIN?!Do try this: Login to any app that that require login and keep user's info in session. Open a new browser, and point it anywhere completely unrelated (link to this article will do). Close original app window. Open new browser window and go to that app URL. Surprise, surprise, you're still logged on."Relying on closing the window to clear the session is not a recommended way to implement proper logoff for an application"Are you aware that 99.9% of all users will simple close browser window instad of going thru logout process even if it takes only one click?  And in many scenarious, including one above - they will stay logged in.

  • Anonymous
    June 23, 2010
    Is there a method to code around this or a setting in web services? My enterprise folks want to allow this but I don't because of the way my applications act.

  • Anonymous
    July 06, 2010
    Hi,Can we call the following JS function in body's Onbeforeunload  event?function handleUnload()       {

            if((window.event.clientX < 0) || (window.event.clientY < 0))        { //if close window            document.location = "Logout.asp"
               }       }and clear all session cookies information?It works as expected. but will there be any issues?The above JS only tested for IE browserRegards,Visu

  • Anonymous
    September 30, 2010
    Is it possible to have a web page that programmatically links to another website while ensuring a new browser session is spawned?

  • Anonymous
    February 08, 2011
    window.open with a window name should target the same window always.But on IE8 with File - New Session it ignores the target window name and opens a newwindow. Why its not opening in the same window. eg. window.open("http://www.google.com","win");

  • Anonymous
    March 01, 2011
    Hey JB,Go to HKEY_CURRENTUSERSoftwareMicrosoftInternet ExplorerMainThen right click on the folder "Main" and go to New, then DWORD. Call it FrameMerging and make sure the value is set to 0.

  • Anonymous
    March 16, 2011
    is it not possible to use the old way of untick reuse windows for launching Shortcuts(when tabbed browsing is off)

  • Anonymous
    May 03, 2011
    Adding 'FrameMerging' key does not work when I launch the page from 'Frequent List' in windows 7, anyone has solution to it.

  • Anonymous
    May 16, 2011
    Is it possible to invoke a java script (or similar action) to force the client to take the same action as "File -> New Session"? If so, could you detail how this would be done?

  • Anonymous
    May 25, 2011
    Hi,I am facing one problem in my project. The scenario is, I have 2 different applications which are running on the same host and webserver but on diffrenet application servers. The problem is that when I logoff from one application, automatically the other also getting signed out. And to my wonder this is happening only with IE8. All the below versions dont have any issues..Can anyone out here help me in this regard??

  • Anonymous
    August 08, 2011
    Hi there, hope someone can help.  I'm having a siteminder issue with IE8.  I use multiple sites simultaneously that require my credentials & with IE8, I am automatically logged off of one site the second I open up another tab that requires a log in.  I was able to use the command "-noframemerging" to help avoid this issue when using seperate Windows, but I would like to keep one window open & utilize the Tabs instead.  It's much easier when needing 5+ sites open at once to just use tabs but unfortunatley with this issue, I can't unless I want to log in to each site EVERY time I switch back & forth between tabs.  Please help!

  • Anonymous
    October 02, 2011
    using IE8 and win 7tried to have 2 instances of hotmail open 1 for me and one for my partner, she wanted to chech her mail and i was in the middle of composing a long mail application.however everytime we logged into one instance we were logged out the other.we even tried this on facebook but again we were logged out one account when we logged into the other.have tried clearing cookies and temp files but this has had no effect still getting logged out,any one any ideas?

  • Anonymous
    January 26, 2012
    I've tried all of your examples above, but I cannot get "Run iexplore.exe -> New Session" to create session.  After opening 2 windows, go to the Tools  | Developer Tools (F12).  Then click on the Cache | View Cookie Information, then search for the JSESSIONID, you will find that they are the same (at least they are for me).  I'm not sure how to work around this, my clients want to be able to edit in two different sessions.

  • Anonymous
    February 07, 2012
    Please review blogs.msdn.com/.../ie8-and-reliability.aspx for more information about the changes.

  • Anonymous
    June 06, 2012
    dears FrameMerging doesn't work with IE8 in our PCs,I have windowsXPSP3 and Windows7 SP1 and I'm getting the same so please anyone has solution to help as all options from microsoft don't work with opening segregate sessions or what we call it no framemerg

  • Anonymous
    June 07, 2012
    @osa1980 - Did you try the commnad switch?Exmaple: "C:Program Files (x86)Internet Exploreriexplore.exe" -noframemerging

  • Anonymous
    March 27, 2013
    On XP or WIN7, What I have experienced is as follows.File > New Sesion or  iexplore.exe -nomerge blogs.msdn.com/.../session-cookies-sessionstorage-and-ie8.aspxIf you open  an application in IE session, one that authenticates the user id in the session. Then, try to launch a URL survey from same application (clicking with mouse) which uses a different id, the URL fails, because an existing user is already logged in. If you open a an application is IE session one that authenticates the user id is session. Then File>New Session - Then, try to launch a URL survey from same application (clicking with mouse) which uses a different id, the URL fails, because the clicking of the mouse (os ) is looking for the 1st session opened.  If you open a an application is IE session one that authenticates the user id is session. Then File>New Seesion - Then, try to launch a URL survey from same application (by copy paste), works.  If you open 2 new session, and in second session - open a an application is IE session one that authenticates the user id is session. Then, try to launch a URL survey from same application (clicking with mouse) which uses a different id, the URL works, because the clicking of the mouse (os ) is looking for the 1st session opened. What is the work around, to have the clicking on URL , start is the last session openned?

  • Anonymous
    December 07, 2014
    Hi, Can anyone please help me on this issue ??Am not able to open "New Session" in Internet explorer 32-bit. But i can open in 64 bit IE.Kindly give me any fix. Thanks.

  • Anonymous
    December 11, 2014
    I'm having the same issue as Sathish.  

  • Anonymous
    December 26, 2014
    Try using the -private (in private) and noframemerging switches from a shortcut.Right Click on your Desktop and select New / Shortcut / Browse to:C:Program Files (x86)Internet Exploreriexplore.exe click on Next Give it a name, like Private / Nosession Finish Right click on the shortcut Select property Add the following switches at the end: -private -noframemerging  -  It should look like this:  "C:Program Files (x86)Internet Exploreriexplore.exe" -private -noframemerging Whenever you want to login using multiple user for the same mail provided, like Hotmail, use the shortcut.