Session management within Internet Explorer 8.0


Hi everyone!

Veena again, back with a discussion on session management in IE8. Many application developers expect that they lose their session when they close the IE window. So when the user launches a new instance of IE, they expect that the user is shown the login screen. However, to their surprise, this doesn’t happen automatically with IE8. IE8 is actually behaving as expected and I will attempt to explain why.

Relying on closing the window to clear the session is not a recommended way to implement proper logoff for an application. Because this clearly will not work if there is another window that is sharing the session. This has been the behavior always although our mechanics for which windows share a session has changed in IE8. For example, in IE6 and IE7, there were several ways to launch new windows, some of which gave you a new session, others of which did not.

Click IE shortcut from desktop, start->run -> New Session

  • Run iexplore.exe -> New Session
  • Click File->New Window -> Same session
  • Click “Open link in new tab” (IE7) -> Same session
  • Click “Open link in new window” ->  Same session
  • Window.open() ->  Same session

As you can see, even in IE7, closing the browser window does not guarantee that your session and credentials would be destroyed.  As you may already be aware, many architectural changes were put into IE8. One such change, was to unify the session model and improve performance.  For More information please review MSDN IE Blog Title: IE8 and Reliabilityhttp://blogs.msdn.com/b/ie/archive/2008/07/28/ie8-and-reliability.aspx.

So what if I want the old behavior back?  Well, there are three ways available:

  • Registry key
    HKCU\Software\Microsoft\Internet Explorer\Main\FrameMerging
    0 – disable frame merging
  • Command-line switch : If the application is being launched via a desktop shortcut, the command line switch “-noframemerging” could be added to that to get the desired effect.
    • Example: “C:\Program Files (x86)\Internet Explorer\iexplore.exe” -noframemerging
  • Menu item (“File->New Session”)

In summary, having the user close the browser window has never been sufficient to ensure that the session is destroyed. If the user had another window open in the same session, then that window would still effectively be logged in. However, if the user clicks “Log off” in the application before closing the window, the application CAN clear any credentials in the session, either by deleting session cookies (if that’s the authentication mechanism), or by deleting all of the credentials in the session via document.execCommand(ClearAuthenticationCache, false). If the application code does this, the user will not need to close the window to complete the logging out process. So next time they browse to it in another window that’s sharing the session, they should see the login screen as expected.

For more information on Frame Merging, click here.

Regards,

The IE Support Team

Comments (29)

  1. Olufemi Odunuga says:

    How do I resolve this problem in my application. I have a registration form written in php. What do I include in my code so that when visitor closes the browser in IE8, it kils the session.

  2. Chris Kutsch says:

    Is it possible to invoke a java script (or similar action) to force the client to take the same action as "File -> New Session"? If so, could you detail how this would be done?

  3. Joris Bogaard says:

    Hi

    The above given Registry key does not exist in my windows XP version.

    Any comments on that?

  4. emmanuel says:

    Same here, FrameMerging reg enty doesnt exist in XP. how do you resolve this issue in xp.

  5. Veena says:

    Frame merging is enabled by default in IE8. You add the following registry key  to disable frame merging

    HKCUSoftwareMicrosoftInternet ExplorerMainFrameMerging

    0 (DWORD)

  6. JB says:

    I cannot find FrameMerging key in registry. Where is it?

    Windows XP Prof SP 3

    IE 8.0.6001.18720CO

    Didn’t find HKCUSoftwareMicrosoftInternet ExplorerMainFrameMerging

    Please help. I need to open up new window without automatically logging in with same session.

  7. Tim Malone says:

    This has been incredibly frustrating.

    What have others been informing users in terms of dealing with this issue?

  8. Tim says:

    Wonderful information! I was just reviewing a session problem with IE8 and this is a partial solution. Thanks a bunch!

  9. John Mawer says:

    If two windows shave a session and one is closed then, no don’t close the session. If all instances close then yes the session closes.

    Secure session cookies rely on this behaviour.

    The expected user behaviour, whether you like it or not, is that closing a browser closes a login. Putting a logout button is zero gaurentee that the user will click it. You can engineer code, but you can’t engineer your users.

    This is a bug.

  10. Yuriy says:

    "Relying on closing the window to clear the session is not a recommended way to implement proper logoff for an application. Because this clearly will not work if there is another window that is sharing the session. "

    True, buy why, pray say, session isn’t cleared for one application if I close its window, but keep another window, pointing to a completely different application, on different server in different DOMAIN?!

    Do try this: Login to any app that that require login and keep user’s info in session. Open a new browser, and point it anywhere completely unrelated (link to this article will do). Close original app window. Open new browser window and go to that app URL. Surprise, surprise, you’re still logged on.

    "Relying on closing the window to clear the session is not a recommended way to implement proper logoff for an application"

    Are you aware that 99.9% of all users will simple close browser window instad of going thru logout process even if it takes only one click?  And in many scenarious, including one above – they will stay logged in.

  11. Bruce says:

    Is there a method to code around this or a setting in web services? My enterprise folks want to allow this but I don't because of the way my applications act.

  12. kasiviswanathan says:

    Hi,

    Can we call the following JS function in body's Onbeforeunload  event?

    function handleUnload()

           {

            if((window.event.clientX < 0) || (window.event.clientY < 0))
    
            { //if close window
    
                document.location = "Logout.asp"
    

               }

           }

    and clear all session cookies information?

    It works as expected. but will there be any issues?

    The above JS only tested for IE browser

    Regards,

    Visu

  13. Jonno says:

    Is it possible to have a web page that programmatically links to another website while ensuring a new browser session is spawned?

  14. NKrishnan says:

    window.open with a window name should target the same window always.

    But on IE8 with File – New Session it ignores the target window name and opens a new

    window. Why its not opening in the same window. eg. window.open("http://www.google.com","win");

  15. Nick says:

    Hey JB,

    Go to HKEY_CURRENTUSERSoftwareMicrosoftInternet ExplorerMain

    Then right click on the folder "Main" and go to New, then DWORD. Call it FrameMerging and make sure the value is set to 0.

  16. Thabile says:

    is it not possible to use the old way of untick reuse windows for launching Shortcuts(when tabbed browsing is off)

  17. Sreek says:

    Adding 'FrameMerging' key does not work when I launch the page from 'Frequent List' in windows 7, anyone has solution to it.

  18. Johar says:

    Is it possible to invoke a java script (or similar action) to force the client to take the same action as "File -> New Session"? If so, could you detail how this would be done?

  19. Neena says:

    Hi,

    I am facing one problem in my project. The scenario is, I have 2 different applications which are running on the same host and webserver but on diffrenet application servers. The problem is that when I logoff from one application, automatically the other also getting signed out. And to my wonder this is happening only with IE8. All the below versions dont have any issues..

    Can anyone out here help me in this regard??

  20. Nikki says:

    Hi there, hope someone can help.  I'm having a siteminder issue with IE8.  I use multiple sites simultaneously that require my credentials & with IE8, I am automatically logged off of one site the second I open up another tab that requires a log in.  I was able to use the command "-noframemerging" to help avoid this issue when using seperate Windows, but I would like to keep one window open & utilize the Tabs instead.  It's much easier when needing 5+ sites open at once to just use tabs but unfortunatley with this issue, I can't unless I want to log in to each site EVERY time I switch back & forth between tabs.  Please help!

  21. steve says:

    using IE8 and win 7

    tried to have 2 instances of hotmail open 1 for me and one for my partner, she wanted to chech her mail and i was in the middle of composing a long mail application.

    however everytime we logged into one instance we were logged out the other.

    we even tried this on facebook but again we were logged out one account when we logged into the other.

    have tried clearing cookies and temp files but this has had no effect still getting logged out,

    any one any ideas?

  22. josh says:

    I've tried all of your examples above, but I cannot get "Run iexplore.exe -> New Session" to create session.  After opening 2 windows, go to the Tools  | Developer Tools (F12).  Then click on the Cache | View Cookie Information, then search for the JSESSIONID, you will find that they are the same (at least they are for me).  I'm not sure how to work around this, my clients want to be able to edit in two different sessions.

  23. AxelRMSFT says:

    Please review blogs.msdn.com/…/ie8-and-reliability.aspx for more information about the changes.

  24. osa1980 says:

    dears FrameMerging doesn't work with IE8 in our PCs,

    I have windowsXPSP3 and Windows7 SP1 and I'm getting the same so please anyone has solution to help as all options from microsoft don't work with opening segregate sessions or what we call it no framemerg

  25. AxelRMSFT says:

    @osa1980 – Did you try the commnad switch?

    Exmaple: "C:Program Files (x86)Internet Exploreriexplore.exe" -noframemerging

  26. Dee0123 says:

    On XP or WIN7, What I have experienced is as follows.

    1. File > New Sesion or  iexplore.exe -nomerge

    blogs.msdn.com/…/session-cookies-sessionstorage-and-ie8.aspx

    1. If you open  an application in IE session, one that authenticates the user id in the session. Then, try to launch a URL survey from same application (clicking with mouse) which uses a different id, the URL fails, because an existing user is already logged in.
    2.  If you open a an application is IE session one that authenticates the user id is session. Then File>New Session – Then, try to launch a URL survey from same application (clicking with mouse) which uses a different id, the URL fails, because the clicking of the mouse (os ) is looking for the 1st session opened.

    3.  If you open a an application is IE session one that authenticates the user id is session. Then File>New Seesion – Then, try to launch a URL survey from same application (by copy paste), works.

    4.  If you open 2 new session, and in second session – open a an application is IE session one that authenticates the user id is session. Then, try to launch a URL survey from same application (clicking with mouse) which uses a different id, the URL works, because the clicking of the mouse (os ) is looking for the 1st session opened.

    What is the work around, to have the clicking on URL , start is the last session openned?

  27. Sathish R says:

    Hi, Can anyone please help me on this issue ??

    Am not able to open "New Session" in Internet explorer 32-bit. But i can open in 64 bit IE.

    Kindly give me any fix. Thanks.

  28. Bobby Chua says:

    I'm having the same issue as Sathish.  

  29. AxelRMSFT says:

    Try using the -private (in private) and noframemerging switches from a shortcut.

    • Right Click on your Desktop and select New / Shortcut / Browse to:
    • C:Program Files (x86)Internet Exploreriexplore.exe

    • click on Next

    • Give it a name, like Private / Nosession

    • Finish

    • Right click on the shortcut

    • Select property

    • Add the following switches at the end: -private -noframemerging

        –  It should look like this:  "C:Program Files (x86)Internet Exploreriexplore.exe" -private -noframemerging

    • Whenever you want to login using multiple user for the same mail provided, like Hotmail, use the shortcut.

Skip to main content