Session Cookies, sessionStorage, and IE8 or “How can I log into two webmail accounts at the same time?”


For Internet Explorer 8, we’ve made browser session handling a lot simpler.  For instance, say you want to have two Hotmail windows open, each logged into a different account.  Simply click the New Session item on the File menu, and a new browser window will open.  The new browser window will not share session cookies with the original browser window, so you can log into Hotmail (and most web applications) as a different user.  For command line junkies, you can run iexplore.exe with the -nomerge parameter.

In contrast, if you click New Window, New Tab, or Duplicate Tab on the File menu, or click on a desktop shortcut, the new tab or window will share session cookies with the original tab.  This is called “session merging.”

Why do browsers implement Session Merging?

Proper support for Session Merging is important because most web applications are written to expect it.  For instance, when a web application opens a popup window, it usually does so with the expectation that the popup window will share cookies with the main window, so that the user will remain logged in and their preferences will remain available, etc.  Similarly, when the user uses the Duplicate Tab command, they reasonably expect the new tab to show them the same content as the original tab– sharing cookies is critical for that scenario to work correctly. 

On the other hand, the authors of the HTML5 draft noted that cookie sharing across windows and tabs can introduce some problems:

For example, a user could be buying plane tickets in two different windows, using the same site. If the site used cookies to keep track of which ticket the user was buying, then as the user clicked from page to page in both windows, the ticket currently being purchased would “leak” from one window to the other, potentially causing the user to buy two tickets for the same flight without really noticing.

For that reason, the HTML5 sessionStorage feature is designed such that even tabs within the same browser session have independent storage objects.  If you change a sessionStorage attribute’s value in one tab, that change won’t be reflected within another tab, even within the same browser session.  In contrast, the localStorage attribute behaves more like a persistent cookie—changes to localStorage attribute’s values are reflected in all browser tabs within all active (and future) browser sessions.

I’ve created a simple test page which you can use to explore session merging and IE8’s New Session option.

-Eric Lawrence

Update 1/11/2010: Someone recently asked if there’s a way to start a “NoMerge” session via the CoCreateInstance COM API rather than by directly executing iexplore.exe with the command line parameter. Unfortunately, that scenario is not presently supported. In contrast, the IELaunchURL API always launches IE using the NoMerge option. 

Comments (37)

  1. Ben says:

    Good feature – but why is it only on the File menu which is hidden by default?

    Surely it should be replicated on the Command Bar – in Tools or Page?

    It also doesn’t seem to have a keyboard shortcut?

    How is anyone going to find it unless they know it is there?

  2. dhan says:

    Is this available from command bar? I am used to keeping menubar off which is default since IE7. Isn’t it weird that IE team is now suggesting to use menubar and command bar? There is no shortcut assigned to it as well.

  3. Tony says:

    So…can you tell me where to get the admx and adm templates for IE8?

    Thanks

  4. Squire says:

    @dhan: Even if the menu bar isn’t shown, ALT+F, I, Enter will invoke New Session.

    If you use it enough that you find the above cumbersome, then create shortcut on your desktop to "C:Program FilesInternet Exploreriexplore.exe" -nomerge and assign it a Shortcut key or add the shortcut to your Quick Launch Toolbar.

  5. Lawrence says:

    How about a keyboard shortcut for this?

  6. Will Peavy says:

    I like this handling, but also am wondering the same thing as some others who posted above: Why no keyboard shortcut for new sessions?

  7. MD says:

    With or without the File Menu enabled, you can still Alt-F to activate the File menu.

    With this in mind, the keyboard "shortcut" for a New Session is:

    Alt-F

    i

    Enter

  8. Wiwi says:

    so, is it only work on special webpages??

    Yet I tried it on Gmail and doesn’t work

  9. Mike says:

    Amazing the amount of screen real estate the browser takes up and this has to be accessed from the file menu.

    Interesting that you are looking at the HTML5 spec and yet have produced the only modern browser that does not support CANVAS or SVG.

    Lets have the features that developers are asking for.

  10. Xepol says:

    Uh, point of order.

    Is this the SAME file menu that is hidden by default on everyone’s user interface?

    You might want to rething that process.  Unless you change it, chances are, in 4 years no one will even remember it is there and you’ll be fielding questions about what it does about every 6 months when someone finds it and wonders what it does differently.

    At the very least, drop a copy of the New Session menu option into the tools drop down.

  11. @Wiwi: Make sure that you haven’t checked the "Remember Me" option — it uses a persistent cookie (not session-based) to authenticate you. Click "log out", and then re-log in and make sure that checkbox isn’t checked.

  12. xaml says:

    It would be useful to launch a new session even on tab level, so that one could open a new tab in a different session. Having to look through tabs and windows in new sessions is added functionality with lower user friendliness.

  13. nonW00t says:

    I would like to know why xp nukes all cookies after a system crash, forcing everything to be logged in again (and google search preferences reset, e.g.).  AND — When I save a pic in one tab, the folder is not remembered for another tab! (I get it tho because they are "isolated processes" now, but it is VERY inconvenient).  Always 1 step forward, 2 steps back with ms!!!

  14. WiWi says:

    @andyzei [MSFT] :Nice,it works now. but it not good enough, hope there is some free add-on can make me login with "Remember Me" and open a new session.

  15. Sterling says:

    Great feature! Love that now I don’t have to log out of one webmail (Gmail) account to login to another.

    Like other posters have pointed this out, ‘New Session’ is not that discoverable, in part because it’s in is hidden in the Menu bar (off by default, IIRC) and not present in any Command Bar option, the obvious one being in Page or Tools. It would be a good idea to make this feature, a good one, BTW, more discoverable.

  16. accesine says:

    How could I use new session function in web browser controls?

    I have a mfc app , embeded in with multi-web-browser controls , I want each of them have their own session , can I?

  17. Xiao Han says:

    I am wondering this new session feature, can the new session window opened as a tab or it has to be a new IE window?

  18. EricLaw [MSFT] says:

    @Xiao Han: No, you can only open new sessions within new windows; you cannot open a new session with tabs.  There are a number of reasons for this– most of which would require lengthy explanation.

    @accesine: No, the web browser control does not expose control of sessions to the host.  You cannot (in a supported way) have multiple sessions running within one application.

    @Sterling: Thanks for the feedback.  The "New Session" command definitely isn’t a highly-visible feature, but it is one that relatively few users do find quite valuable.

    @WiWi: While someone may some day write such an addon, it doesn’t really make a lot of sense, because the entire point of a site’s "Remember me" feature is to ensure that users are automatically logged in using the same credentials, regardless of which process was used to visit a site.

    @Xepol: To answer your immediate question, no, the menus aren’t hidden by default for "everyone."

  19. xaml says:

    I had asked about the same question as Han, yet it did not seem worth being answered. Probably better so, because the "there are many lenghty reasons why not" reads just like "we would really be getting into too much work with this and in turn its a relatively moderate addition of functionality". Oh hey, ‘MSFT’ = misfit? ;-/

  20. Joe says:

    Unfortunately, "session merging" introduced literal hell into our application, and cost of hundreds of hours of development (and who knows how much money), precisely because of the airplane ticket scenario.

    I’m not sure I agree with the assertion that "most web applications are written to expect it", especially when IE didn’t behave this way previously.

    It seems to me IE8’s default behavior should have been consistent with previous versions, with the option to allow the user to use session merge if they wish.

    Or at the very least, provide a method by which a user can turn off this setting globally, perhaps with a setting somewhere in Internet Options.  Requiring non-computer-savvy users to add the "-nomerge" parameter, or attempt to find a non-visible menu item to launch a "different type" of session, just to use our application, is killing us, and increasing our support costs dramatically.

    I know you can’t meet everyone’s needs, but man, this one really hurt.

    Thanks for hearing me out.

  21. Phil says:

    @Joe: Literal hell, eh?  With the flaming pits of fire and so forth?  Neato!

    While I appreciate that you took the time to describe your problem in at least a tiny bit of detail, you seem to have missed a few key points:

    a> EVERY browser other than IE works exactly like IE8 does, with the exception that IE8 offers a menu item to start a new session, while other browsers either don’t offer the option at all, or offer only a poorly-documented command line option.  

    So basically, you’re saying that you built an application that doesn’t work well in modern browsers.  Sounds to me like it was due for an update anyway.  

    b> I don’t know why it will take "hundreds of hours" for you to fix your problem.  You can easily write a few lines of code to just check for a mismatch between a token in sessionstorage and cookies/localstorage and point out to the user that they’re in a new window but an existing session.  You can then suggest that they open a new session if they’d like.

    c> As the original author said: session merging isn’t anything new, and all versions of IE do session merging.  

    It’s true that in past versions of IE, the mechanism in which a new session was created was different (and less reliable), but that’s it.  If you assumed that everyone knew the secret trick to get a new session (launch a new IE process), you made a pretty bad assumption.

    d> Essentially ALL web applications that use more than one window/tab (e.g. popups, etc) *do* expect that the new window/tab will be in the same session as the parent.  

    Why else do you think the HTML5 guys saw the need to provide a new mechanism which covers the cases where it’s desirable to isolate contexts?

    Good luck with those pits of flame!

  22. Joe says:

    @Phil – condescending comments aside, I didn’t miss any of those points.  It is very difficult in a small blog comment section to describe the scenario, and the reasons why your good suggestions don’t apply to our situation.

    When it comes down to it, we provide an "application" in the true sense of the word.  We have a hosted, SaaS-model environment, and users use Internet-Explorer only to access our application.  This is not a site that users browse to, like Amazon, or Facebook, or whatever.  Our core user base is not computer savvy.  If they double-click on their IE icon to start a new session, and we tell them that they are "in a new window but an existing session" it won’t make any sense to them at all and will not fly in our world.  We have to work through all of these issues programmatically from our end.

    All I can say is, if you were here and I could show you what we do, and the implications of the session merge change, and why it wasn’t an easy fix, I think you would see.  But since I can’t do that, we’ll just leave it at that.

    Thanks.

  23. Bill says:

    Joe, why not just put a HTA on the user’s desktop that launches your app?

  24. Joe says:

    @Phil: one more thing I forgot to mention, at the very least your post did lend some better insight into the reasons it was done, and those make sense, so thanks.

    @Bill: We considered and worked with an HTA for a while.  However, our #1 requirement is no footprint on the client.  It has to work anywhere, even places like an airport kiosk, internte cafes, etc.

  25. Sterling says:

    @EricLaw [MSFT]: Yeah, I see what you mean. I would use it (and have already used it) and I didn’t know about it until I read the post here.

  26. sharanyan says:

    My IE8 Passing Error, When i click Open IE8, PC got Struck, anyone suggest me?

  27. Darin Kelkhoff says:

    The reasons you give for why you’ve made a change to behavior that develoeprs and users have grown quite accustomed to for the past several years are bogus:

    "For instance, when a web application opens a popup window, it usually does so with the expectation that the popup window will share cookies with the main window, so that the user will remain logged in and their preferences will remain available, etc."

    With the old model of behavior, a popup window DID share its cookies with the main window, and the user did remain logged in, etc.  This was never broke — it didn’t need fixing.  

    "Similarly, when the user uses the Duplicate Tab command, they reasonably expect the new tab to show them the same content as the original tab– sharing cookies is critical for that scenario to work correctly."

    Exactly the same, under the old behavior, new tabs or windows launched from one process would also share cookies, and retain content/settings/etc.  

    If I had to paraphrase you’re reasing:  "We used to implement feature X (merged sessions for pages launched from each other, but in the same process).  We decided to implement feature Y (merged sessions across all processes) because we needed feature X.  However, feature Y has pitfalls (the HTML5 document), so we also had to add feature Z (File->new session)."  You already had it perfect before!  

    I can’t see the logic in this.  IE7 was the only browser out there that had this right.  Now every browser is wrong.  At least all are consistently wrong.  

    Looks like it’s back to green screens for our apps :)  

  28. IEBlog says:

    Our typical posts here are original information about the product from the people who built the product.

  29. Anonymous says:

    HTML5 support is nice… where is CSS3 support?

  30. Anonymous says:

    -no-remote was never a fantastic way to accomplish similar with firefox

    @ IE team

    this feature needs both a hotkey and a context menu entry

  31. IEBlog says:

    This post is intended for IT administrators, but more technical users might also find it useful. During

  32. FixRunas says:

    Unfortunately with this session sharing there is no way to use the RunAs command to launch IE8 as another User and have both windows active at the same time.

    Situation: In our company we are require to do day-to-day activities as a standard Domain user. During the day we launch IE under our elevated/Admin accounts make a few changes within our apps and then close IE.  Having to logout or even close the other IE windows will slow down our Workflow significantly.

    -nomerge does not work, and even using PSexec does not work.  

  33. EricLaw [MSFT] says:

    @FixRunAs: I assume you encountered the inability to use RunAs only on Windows XP?  We’re looking into this issue on that specific platform, thanks!

  34. Howdy Doody says:

    Really appreciate this info, thanks for posting it.

    We also have the same issue and Joe and Darin.  We have a private subscription based web site with a majority of folks that are not very technical.  We have issues as well when folks have been in our app, may close the tab (thinking its closed), open a new window and still bump into previous session/state.

    Granted our system was writen 5-6 years ago and we are in the process of a complete rewrite, but I did want to chime in and say certain issues are effected by this.  

    I also understand that all browers do this, but I still have a hard time understanding the "logic" on why opening a "new" window does now give me "new" session.  Tabs are fine because they are "contained" in the window.  It seems these new broswers have it backward where a new window by default should open with a new session, and have an option to open with merging.  But maybe my feeling/thinking will change over time.  Of course I am also thinking from a private site/app point of view and not a public one.

    Thanks again for taking the time to create this.

  35. Go Blue says:

    Doesn’t Work.

    I installed IE8 so I could use the "New Session" feature and open multiple gmail accounts simuultaneously.  It doesn’t work.  As soon as I open a 2nd gmail account in a screen created by file > New Session the first account gets closed.

    I have run the "simple test page" app and it handles the colors just find in multiple sessions.  It just doesn’t allow multiple gmail accounts in multiple sessions.

  36. EricLaw [MSFT] says:

    @GoBlue: I haven’t had a problem with logging into two GMail sessions simultaneously using the "New Session" feature.  

    The one important thing to keep in mind is that you cannot use the "Remember me on this computer" checkbox on the GMail login page, because when you do that, it sets a persistent cookie that will apply across all of your IE sessions.

  37. Самые вкусные консервы их тех, которые я когда-либо пробовал Хотя эта статья адресована ИТ-администраторам,