Session management within Internet Explorer 8.0

Hi everyone!

Veena again, back with a discussion on session management in IE8. Many application developers expect that they lose their session when they close the IE window. So when the user launches a new instance of IE, they expect that the user is shown the login screen. However, to their surprise, this doesn’t happen automatically with IE8. IE8 is actually behaving as expected and I will attempt to explain why.

Relying on closing the window to clear the session is not a recommended way to implement proper logoff for an application, because it will not work if another window is sharing the session. This has always been the behavior, although the mechanics that determine which windows share a session changed in IE8. For example, in IE6 and IE7, there were several ways to launch new windows, some of which gave you a new session, others of which did not.

  • Click IE shortcut from desktop, Start->Run -> New Session
  • Run iexplore.exe -> New Session
  • Click File->New Window -> Same session
  • Click “Open link in new tab” (IE7) -> Same session
  • Click “Open link in new window” -> Same session
  • window.open() -> Same session

As you can see, even in IE7, closing the browser window does not guarantee that your session and credentials are destroyed. As you may already be aware, many architectural changes were made in IE8. One such change was to unify the session model and improve performance. For more information, see the MSDN IE Blog post "IE8 and Reliability": https://blogs.msdn.com/b/ie/archive/2008/07/28/ie8-and-reliability.aspx.

So what if I want the old behavior back?  Well, there are three ways available:

  • Registry key
    HKCU\Software\Microsoft\Internet Explorer\Main\FrameMerging
    0 - disable frame merging
  • Command-line switch: If the application is launched via a desktop shortcut, the command-line switch “-noframemerging” can be added to the shortcut to get the desired effect.
    • Example: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -noframemerging
  • Menu item (“File->New Session”)

In summary, having the user close the browser window has never been sufficient to ensure that the session is destroyed. If the user had another window open in the same session, then that window would still effectively be logged in. However, if the user clicks “Log off” in the application before closing the window, the application CAN clear any credentials in the session, either by deleting session cookies (if that’s the authentication mechanism), or by deleting all of the credentials in the session via document.execCommand("ClearAuthenticationCache", false). If the application code does this, the user will not need to close the window to complete the logout process. The next time they browse to the application in another window that’s sharing the session, they should see the login screen as expected.
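The “Log off” handling described above could look like the following. This is an added example, not code from the original post: the function name `logOff`, the cookie names in `SESSION_COOKIES`, and the cookie path "/" are assumptions.

```javascript
// Added example: client-side part of an explicit "Log off" action.
// SESSION_COOKIES, logOff and the "/" path are hypothetical, not from the post.
var SESSION_COOKIES = ["APPSESSION", "APPAUTH"];

function logOff(doc, cookieNames) {
  var result = { expired: [], authCacheCleared: false };

  // Collect the names of the cookies currently visible to script.
  var present = {};
  var pairs = doc.cookie ? doc.cookie.split(";") : [];
  for (var i = 0; i < pairs.length; i++) {
    var name = pairs[i].split("=")[0].replace(/^\s+|\s+$/g, "");
    if (name) present[name] = true;
  }

  // Expire each session cookie by re-setting it with a date in the past.
  // The path must match the one used when the cookie was issued.
  for (var j = 0; j < cookieNames.length; j++) {
    if (present[cookieNames[j]]) {
      doc.cookie = cookieNames[j] +
        "=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/";
      result.expired.push(cookieNames[j]);
    }
  }

  // IE-specific command: drops the credentials cached for the browser
  // session, so every window sharing that session must authenticate again.
  try {
    result.authCacheCleared =
      doc.execCommand("ClearAuthenticationCache", false) === true;
  } catch (e) {
    result.authCacheCleared = false; // command not supported here
  }
  return result;
}

// In the page: logoutButton.onclick = function () {
//   logOff(document, SESSION_COOKIES);
// };
```

Cookies issued with the HttpOnly attribute are not visible to script and cannot be expired this way; the server's logoff response has to expire them and invalidate the server-side session.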

For more information on Frame Merging, click here.

Regards,

The IE Support Team