Поделиться через


Session Cookies, sessionStorage, and IE8 or “How can I log into two webmail accounts at the same time?”

For Internet Explorer 8, we’ve made browser session handling a lot simpler.  For instance, say you want to have two Hotmail windows open, each logged into a different account.  Simply click the New Session item on the File menu, and a new browser window will open.  The new browser window will not share session cookies with the original browser window, so you can log into Hotmail (and most web applications) as a different user.  For command line junkies, you can run iexplore.exe with the -nomerge parameter.

In contrast, if you click New Window, New Tab, or Duplicate Tab on the File menu, or click on a desktop shortcut, the new tab or window will share session cookies with the original tab.  This is called “session merging.”

Why do browsers implement Session Merging?

Proper support for Session Merging is important because most web applications are written to expect it.  For instance, when a web application opens a popup window, it usually does so with the expectation that the popup window will share cookies with the main window, so that the user will remain logged in and their preferences will remain available, etc.  Similarly, when the user uses the Duplicate Tab command, they reasonably expect the new tab to show them the same content as the original tab-- sharing cookies is critical for that scenario to work correctly. 

On the other hand, the authors of the HTML5 draft noted that cookie sharing across windows and tabs can introduce some problems:

For example, a user could be buying plane tickets in two different windows, using the same site. If the site used cookies to keep track of which ticket the user was buying, then as the user clicked from page to page in both windows, the ticket currently being purchased would "leak" from one window to the other, potentially causing the user to buy two tickets for the same flight without really noticing.

For that reason, the HTML5 sessionStorage feature is designed such that even tabs within the same browser session have independent storage objects.  If you change a sessionStorage attribute’s value in one tab, that change won’t be reflected within another tab, even within the same browser session.  In contrast, the localStorage attribute behaves more like a persistent cookie—changes to localStorage attribute’s values are reflected in all browser tabs within all active (and future) browser sessions.

I’ve created a simple test page which you can use to explore session merging and IE8’s New Session option.

-Eric Lawrence

Update 1/11/2010: Someone recently asked if there's a way to start a "NoMerge" session via the CoCreateInstance COM API rather than by directly executing iexplore.exe with the command line parameter. Unfortunately, that scenario is not presently supported. In contrast, the IELaunchURL API always launches IE using the NoMerge option.

Comments

  • Anonymous
    May 06, 2009
    Good feature - but why is it only on the File menu which is hidden by default? Surely it should be replicated on the Command Bar - in Tools or Page? It also doesn't seem to have a keyboard shortcut? How is anyone going to find it unless they know it is there?

  • Anonymous
    May 06, 2009
    Is this available from command bar? I am used to keeping menubar off which is default since IE7. Isn't it weird that IE team is now suggesting to use menubar and command bar? There is no shortcut assigned to it as well.

  • Anonymous
    May 07, 2009
    So...can you tell me where to get the admx and adm templates for IE8? Thanks

  • Anonymous
    May 07, 2009
    @dhan: Even if the menu bar isn't shown, ALT+F, I, Enter will invoke New Session. If you use it enough that you find the above cumbersome, then create shortcut on your desktop to "C:Program FilesInternet Exploreriexplore.exe" -nomerge and assign it a Shortcut key or add the shortcut to your Quick Launch Toolbar.

  • Anonymous
    May 07, 2009
    How about a keyboard shortcut for this?

  • Anonymous
    May 07, 2009
    I like this handling, but also am wondering the same thing as some others who posted above: Why no keyboard shortcut for new sessions?

  • Anonymous
    May 07, 2009
    With or without the File Menu enabled, you can still Alt-F to activate the File menu. With this in mind, the keyboard "shortcut" for a New Session is: Alt-F i Enter

  • Anonymous
    May 07, 2009
    so, is it only work on special webpages?? Yet I tried it on Gmail and doesn't work

  • Anonymous
    May 07, 2009
    Amazing the amount of screen real estate the browser takes up and this has to be accessed from the file menu. Interesting that you are looking at the HTML5 spec and yet have produced the only modern browser that does not support CANVAS or SVG. Lets have the features that developers are asking for.

  • Anonymous
    May 07, 2009
    Uh, point of order. Is this the SAME file menu that is hidden by default on everyone's user interface? You might want to rething that process.  Unless you change it, chances are, in 4 years no one will even remember it is there and you'll be fielding questions about what it does about every 6 months when someone finds it and wonders what it does differently. At the very least, drop a copy of the New Session menu option into the tools drop down.

  • Anonymous
    May 07, 2009
    @Wiwi: Make sure that you haven't checked the "Remember Me" option -- it uses a persistent cookie (not session-based) to authenticate you. Click "log out", and then re-log in and make sure that checkbox isn't checked.

  • Anonymous
    May 07, 2009
    It would be useful to launch a new session even on tab level, so that one could open a new tab in a different session. Having to look through tabs and windows in new sessions is added functionality with lower user friendliness.

  • Anonymous
    May 07, 2009
    The comment has been removed

  • Anonymous
    May 07, 2009
    @andyzei [MSFT] :Nice,it works now. but it not good enough, hope there is some free add-on can make me login with "Remember Me" and open a new session.

  • Anonymous
    May 07, 2009
    Great feature! Love that now I don't have to log out of one webmail (Gmail) account to login to another. Like other posters have pointed this out, 'New Session' is not that discoverable, in part because it's in is hidden in the Menu bar (off by default, IIRC) and not present in any Command Bar option, the obvious one being in Page or Tools. It would be a good idea to make this feature, a good one, BTW, more discoverable.

  • Anonymous
    May 07, 2009
    How could I use new session function in web browser controls? I have a mfc app , embeded in with multi-web-browser controls , I want each of them have their own session , can I?

  • Anonymous
    May 07, 2009
    I am wondering this new session feature, can the new session window opened as a tab or it has to be a new IE window?

  • Anonymous
    May 07, 2009
    @Xiao Han: No, you can only open new sessions within new windows; you cannot open a new session with tabs.  There are a number of reasons for this-- most of which would require lengthy explanation. @accesine: No, the web browser control does not expose control of sessions to the host.  You cannot (in a supported way) have multiple sessions running within one application. @Sterling: Thanks for the feedback.  The "New Session" command definitely isn't a highly-visible feature, but it is one that relatively few users do find quite valuable. @WiWi: While someone may some day write such an addon, it doesn't really make a lot of sense, because the entire point of a site's "Remember me" feature is to ensure that users are automatically logged in using the same credentials, regardless of which process was used to visit a site. @Xepol: To answer your immediate question, no, the menus aren't hidden by default for "everyone."

  • Anonymous
    May 08, 2009
    I had asked about the same question as Han, yet it did not seem worth being answered. Probably better so, because the "there are many lenghty reasons why not" reads just like "we would really be getting into too much work with this and in turn its a relatively moderate addition of functionality". Oh hey, 'MSFT' = misfit? ;-/

  • Anonymous
    May 08, 2009
    The comment has been removed

  • Anonymous
    May 08, 2009
    The comment has been removed

  • Anonymous
    May 08, 2009
    @Phil - condescending comments aside, I didn't miss any of those points.  It is very difficult in a small blog comment section to describe the scenario, and the reasons why your good suggestions don't apply to our situation. When it comes down to it, we provide an "application" in the true sense of the word.  We have a hosted, SaaS-model environment, and users use Internet-Explorer only to access our application.  This is not a site that users browse to, like Amazon, or Facebook, or whatever.  Our core user base is not computer savvy.  If they double-click on their IE icon to start a new session, and we tell them that they are "in a new window but an existing session" it won't make any sense to them at all and will not fly in our world.  We have to work through all of these issues programmatically from our end. All I can say is, if you were here and I could show you what we do, and the implications of the session merge change, and why it wasn't an easy fix, I think you would see.  But since I can't do that, we'll just leave it at that. Thanks.

  • Anonymous
    May 08, 2009
    Joe, why not just put a HTA on the user's desktop that launches your app?

  • Anonymous
    May 08, 2009
    @Phil: one more thing I forgot to mention, at the very least your post did lend some better insight into the reasons it was done, and those make sense, so thanks. @Bill: We considered and worked with an HTA for a while.  However, our #1 requirement is no footprint on the client.  It has to work anywhere, even places like an airport kiosk, internte cafes, etc.

  • Anonymous
    May 09, 2009
    @EricLaw [MSFT]: Yeah, I see what you mean. I would use it (and have already used it) and I didn't know about it until I read the post here.

  • Anonymous
    May 09, 2009
    My IE8 Passing Error, When i click Open IE8, PC got Struck, anyone suggest me?

  • Anonymous
    May 12, 2009
    The reasons you give for why you've made a change to behavior that develoeprs and users have grown quite accustomed to for the past several years are bogus: "For instance, when a web application opens a popup window, it usually does so with the expectation that the popup window will share cookies with the main window, so that the user will remain logged in and their preferences will remain available, etc." With the old model of behavior, a popup window DID share its cookies with the main window, and the user did remain logged in, etc.  This was never broke -- it didn't need fixing.   "Similarly, when the user uses the Duplicate Tab command, they reasonably expect the new tab to show them the same content as the original tab-- sharing cookies is critical for that scenario to work correctly." Exactly the same, under the old behavior, new tabs or windows launched from one process would also share cookies, and retain content/settings/etc.   If I had to paraphrase you're reasing:  "We used to implement feature X (merged sessions for pages launched from each other, but in the same process).  We decided to implement feature Y (merged sessions across all processes) because we needed feature X.  However, feature Y has pitfalls (the HTML5 document), so we also had to add feature Z (File->new session)."  You already had it perfect before!   I can't see the logic in this.  IE7 was the only browser out there that had this right.  Now every browser is wrong.  At least all are consistently wrong.   Looks like it's back to green screens for our apps :)  

  • Anonymous
    May 12, 2009
    Our typical posts here are original information about the product from the people who built the product.

  • Anonymous
    May 12, 2009
    HTML5 support is nice... where is CSS3 support?

  • Anonymous
    May 12, 2009
    -no-remote was never a fantastic way to accomplish similar with firefox @ IE team this feature needs both a hotkey and a context menu entry

  • Anonymous
    May 13, 2009
    This post is intended for IT administrators, but more technical users might also find it useful. During

  • Anonymous
    May 14, 2009
    Unfortunately with this session sharing there is no way to use the RunAs command to launch IE8 as another User and have both windows active at the same time. Situation: In our company we are require to do day-to-day activities as a standard Domain user. During the day we launch IE under our elevated/Admin accounts make a few changes within our apps and then close IE.  Having to logout or even close the other IE windows will slow down our Workflow significantly. -nomerge does not work, and even using PSexec does not work.  

  • Anonymous
    May 14, 2009
    @FixRunAs: I assume you encountered the inability to use RunAs only on Windows XP?  We're looking into this issue on that specific platform, thanks!

  • Anonymous
    May 15, 2009
    Really appreciate this info, thanks for posting it. We also have the same issue and Joe and Darin.  We have a private subscription based web site with a majority of folks that are not very technical.  We have issues as well when folks have been in our app, may close the tab (thinking its closed), open a new window and still bump into previous session/state. Granted our system was writen 5-6 years ago and we are in the process of a complete rewrite, but I did want to chime in and say certain issues are effected by this.   I also understand that all browers do this, but I still have a hard time understanding the "logic" on why opening a "new" window does now give me "new" session.  Tabs are fine because they are "contained" in the window.  It seems these new broswers have it backward where a new window by default should open with a new session, and have an option to open with merging.  But maybe my feeling/thinking will change over time.  Of course I am also thinking from a private site/app point of view and not a public one. Thanks again for taking the time to create this.

  • Anonymous
    May 16, 2009
    Doesn't Work. I installed IE8 so I could use the "New Session" feature and open multiple gmail accounts simuultaneously.  It doesn't work.  As soon as I open a 2nd gmail account in a screen created by file > New Session the first account gets closed. I have run the "simple test page" app and it handles the colors just find in multiple sessions.  It just doesn't allow multiple gmail accounts in multiple sessions.

  • Anonymous
    May 17, 2009
    @GoBlue: I haven't had a problem with logging into two GMail sessions simultaneously using the "New Session" feature.   The one important thing to keep in mind is that you cannot use the "Remember me on this computer" checkbox on the GMail login page, because when you do that, it sets a persistent cookie that will apply across all of your IE sessions.

  • Anonymous
    May 20, 2009
    Самые вкусные консервы их тех, которые я когда-либо пробовал Хотя эта статья адресована ИТ-администраторам,