Open multiple sessions of a Web app in IE8 without overwriting cookies

Question

Hi everyone, 

It's been a while since I last posted on this forum (probably under a different screenname, too), so pardon me if I'm asking a often-time debated issue. At work, we have this Web application (basically, a HTTPS Web page) where we input data that will be injected in the databases. Since it has been developped in .Net, it's only well displayed in Internet Explorer (that's not the issue here), but the end-user must log in every time he/she wants to access the service. There's no automatic logon, nor will there be in the future, for security reasons. 

We have noticed that when a user is already running a session in a tab in IE, and he/she opens another access to this service in another tab in the same window, the new tab overwrites the content of the first tab. I've tried fiddling with TabProcGrowth in the registry, but it's really not helping. 

I suspect the issue lies with the cookies each new session sets in IE, and I wonder if it's possible to do something to prevent this "pollution" from one tab to the next. At this point, I must state that I'm a surrogate admin on the subnet my office works on, but if some actions on the server-side are required, I'll have to bring it up with the main admins, who are situated several thousands of miles from where I live. 

I'm open to ideas, folks! :-)

Answer 1

I think this is caused by the application itself. The application maybe rewriting cookies or changing session variables when 2 pages are opened at the same time from the same application. So the problem is not from the browser but from the web application being rendered on the browser.

---

Ali Hamdar (alihamdar.com - www.ids.com.lb)

Answer 2

Hi Ali, 

I agree with you that it has to do with cookie management on the server side. My question is, is there a way to circumvent it on the client side? I could distribute a userscript on all the PCs on the subnet to set a window.name that's different from one session (and one tab) to the other, but security-wise, it wouldn't be such a good idea, given the poor security level Javascript offers. Basically, I'm stuck at trying to force the server to generate a new cookie for every new tab. Ideally, each tab would be treated in its own process, hence my mention of TabProcGrowth, and would be considered by the server as a different browser. I can also disable tab-browsing altogether, but this clutters the user's task bar, and cause a spike in resource usage after a while: several tabs in the same window are usually better in terms of resource management than opening several windows, if only to save in painting the GUI in each instance.

Answer 3

What happens when you use File>New Session

---

Rob^_^

Answer 4

Hi Rob, 

The thing is, I don't want to impose that on users: I'm currently the only one using IE8 in the team, and scouting out our options to upgrade all workstations.

The other users work on Terminal Server thin clients, and are not happy with it, mostly because aside from the content that's processed on the server side and relatively easy/quick to access, many issues arise (printer server often going offline, multipage PDFs taking a long time to scroll up/down in, etc...) they (and I) are powerless to act upon.

Basically, and ideally, we'd have our own mini-server (we're talking about a team of 20 people here), and dump/synchronize to the main server every night, but this would mean loading a copy of the databases onto the local server, and have a local copy of the Exchange server as well. Impractical, for too many reasons that I care to debate here. Also, I don't want to have to admin this subnet full-time: I have other duties to perform that already take up a big chunk of my working time. 

Now, to File > New Session: If I could automate it, I'd go for it. Let me explain. The average end-user on this team isn't computer-savvy. This is not being uncharitable to them, it's fact. They want their computer to "just work", deal with their daily workload, then go home at night without thinking about this or that, IT-wise. That's more or less my "job", because I'm the only person on the team with actual sys-admin experience. If I could set a click on one of the links in the Favorite bar to automatically open a new session, I would go for it, but I don't think it can be done (at least I don't know how). 

IE's user-interface is "scriptable" to some extent, but not so much so that I can tell the team to just click on the link to open their login page, and it'll open a new IE session, regardless of the IE version they're running. I've already explored those avenues with the IT department (that's also based abroad, FWIW), and they plan to deploy IE8 on all our XP-running boxes if and when this contamination issue is solved. Not a minute earlier. Hence my frantic testing, and me pestering this forum for ideas...

Answer 5

Hi,

here is my search query http://www.bing.com/search?q=nomerge+ie&src=ie9tr

this link shows you how to create a desktop shortcut to a new session...

http://www.walkernews.net/2009/03/26/use-ie8-nomerge-option-to-login-multiple-accounts-of-same-site/

or here is the equivalent jscript for a web page link or command bar button.

<script language="javascript" type="text/javascript">
// Open this link or page in a new session (IE8 and greater)
var win = window.external.menuArguments;
var WshShell=new ActiveXObject("wscript.shell");
if (win.event.srcElement.tagName == "A")
{
    WshShell.run('IExplore -nomerge \"' + win.event.srcElement.href + '\"');
}
else
{
    WshShell.Run('IExplore -nomerge \"' + win.document.URL + '\"');
}
WshShell = null;
</script>

---

Rob^_^

Answer 6

Hi Rob,

Thanks for taking the time to address my issues! I have already set the "-nomerge" attribute on IE8, and it doesn't change the fact that each new window opens in the same session. Even the "File > New Session" choice doesn't prove very effective.

I really think the answer lies in managing the session cookies so that each connection request gets stamped with its own token. I'll check that with the network admin tomorrow (today's a day-off in France) and see how we can implement it, if possible at all.

As for the script, it goes more or less along the lines I had imagined, but the thing is, on our clients, the end-users will receive a warning as to accept the ActiveX object, and since they don't enjoy admin rights, they'll be stuck. Or, I'd have to manually set their Internet options to automatically accept ActiveX from our company domain, but it's going to be time-consuming.

On my own box at the office, I'm going to revert to IE7 for now, and work my way up to solve those issues with the sys-admin's help.

I'm still open to ideas, though, so feel free to contribute further on the subject! And again, thanks for your input, Rob!

Cheers, mate! :-)