Understanding Session Lifetime

Back in May of last year, I discussed changes we made in Internet Explorer 8 to make the browser’s session handling behavior more predictable. Specifically, we introduced a “New Session” item on the File menu—this menu item explicitly creates a new browser session which doesn’t share session information with the existing session. From the command line, you can open a new session using the -nomerge command line option.

We also changed other codepaths to ensure that no matter what other method you use to open a new IE window or tab, e.g.:

    1. File > New Window
    2. Hit CTRL+K
    3. Hit CTRL+T
    4. Call window.open() from JavaScript
    5. Click on a link in your mail program
    6. Click a QuickLaunch shortcut
    7. Double-click on the “blue e” on your desktop

...the new window would run in the same browsing session as an existing window[1].

As I outlined in that post last year, the prior (pre-IE8) behavior was somewhat confusing to users who didn’t realize that they’d get a different number of active sessions depending on how they launched Internet Explorer. Beyond improving consistency, the new behavior also improves performance, and thanks to LCIE and crash recovery features, it doesn’t negatively impact reliability.

One downside to this change (or any change that’s visible to the user) is that there is a period of adjustment because some scenarios work slightly differently. When things change, the misunderstandings that users hold in their mental model of how the browser actually works are often spotlighted.

For this particular change, the most common complaint I’ve heard is “Something changed—IE8 won’t let me log out of a website anymore!?!”

When I ask for details, the scenario is always something like:

  1. Open three browser windows by clicking on the desktop icon a few times.
  2. Open a new IE browser window from the desktop.
  3. Navigate that new browser window to GMail or another mail website.
  4. Use the web mail window.
  5. Close the web mail window using the red “X” in the title bar.
  6. The user expects to be logged out.
  7. Open a new browser window or tab.
  8. Navigate that new window to the web mail site.
  9. Observe that you remain logged into the web mail site.

Now, users will try this exact set of steps on IE7 and at step #9 they will see that they are not logged in. In contrast, when they perform this set of steps in IE8, they will see that they are logged into the web mail site automatically.

What happened?

In IE7, Step #1 creates [Session1, Session2, Session3]. Step #2 creates [Session4].

In IE8, Step #1 creates [Session1], with three windows sharing just one session. Step #2 creates a fourth window in [Session1].

So, when you get to Step #5 in IE7, the window is closed and [Session4] is destroyed, so the user is logged out. In IE8, Step #5 merely destroys one window in [Session1], leaving three more windows and [Session1] still alive. Thereafter, when the user opens a new window in Step #7, that new window is opened/merged into the existing [Session1].

What very few people realize is that both IE7 and IE8 work in the same way if a small change is made in the steps:

  1. Open three browser windows by clicking on the desktop icon once and clicking File > New Window twice.
  2. Open a new IE browser window by clicking File > New Window.
  3. ...
  4. ...
  5. ...
  6. ...
  7. Open a new browser window or tab using File > New Window or File > New Tab.
  8. ...
  9. ...

In this set of steps, both IE7 and IE8 create only one browser session, and closing any one window will not log the user out.

Securely Logging Out

We’ve just learned that a browser session ends when you close the last browser window within a given browser session. So is that what you need to do in order to fully log out of a website?

There’s usually a better alternative: Click the site’s Logout button. When you do that, the site will typically expire your session on the server side, and send a command to delete your session cookie on the client side. You may still wish to close your browser windows (so someone can’t simply click “Back” to see the last pages you saw) but after you click Logout, the site should force you to log in again to make any changes or retrieve any new information.

Session Information (Not just cookies!)

A common follow-up question is: “What information is a part of a session?”

  1. Session cookies
  2. sessionStorage
  3. HTTP Authentication (e.g. Digest or Basic HTTP credentials)
  4. HTTPS Client Certificates (e.g. sites that use certificates or SmartCards)

A site can clear its own session cookies by simply sending down new cookies of the same name (and path/domain) with an expiration time in the past. To clear its own sessionStorage, the proprietary clear method can be called. To clear HTTP Authentication and HTTPS client certificates, IE6 SP1 and later support the ClearAuthenticationCache command:

 document.execCommand("ClearAuthenticationCache", false);

It’s worth mentioning that the ClearAuthenticationCache command clears ALL session cookies, Authentication, and Client Certificates for ALL sites running in the current session, so it’s definitely a command to execute judiciously lest you drive your site’s visitors crazy. Currently, no other major browser supports the ClearAuthenticationCache command, although Chrome and Firefox have both acknowledged the problem and are discussing possible solutions.
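To make the logout sequence above concrete, here is an added example (not code from the original post) that puts the pieces together: the server expires its copy of the session and sends back a cookie with a past expiration date that matches the original name, path and domain, and the client then clears sessionStorage and, where the browser supports it, issues ClearAuthenticationCache. The session store, cookie name and helper names (buildExpiringSetCookie, handleLogout, clearClientSession) are constructed for illustration; the client helper takes the window object as a parameter so it can be exercised under Node.js.

```javascript
"use strict";

// Constructed in-memory session store standing in for a real server-side store.
const sessionStore = new Map([["abc123", { user: "alice" }]]);

// Build a Set-Cookie header that deletes a cookie. The browser only replaces a
// cookie whose name, Path and Domain all match, so those attributes must echo
// the original; an Expires date in the past makes the browser discard it.
function buildExpiringSetCookie(name, { path = "/", domain } = {}) {
  const parts = [`${name}=`, "Expires=Thu, 01 Jan 1970 00:00:00 GMT", `Path=${path}`];
  if (domain) parts.push(`Domain=${domain}`);
  return parts.join("; ");
}

// Logout handler: expire the session on the server first (that is the real
// logout), then tell the client to drop its cookie. Returns what to send back.
function handleLogout(store, sessionId, cookieName, cookieOpts) {
  const loggedOut = store.delete(sessionId);
  return {
    loggedOut,
    headers: {
      "Set-Cookie": buildExpiringSetCookie(cookieName, cookieOpts),
      "Cache-Control": "no-store", // keep the logged-in pages out of the cache
    },
  };
}

// Client side: clear everything the site can reach from script. Returns the
// list of things that were cleared so the caller can confirm what happened.
function clearClientSession(win) {
  const cleared = [];
  if (win.sessionStorage) {
    win.sessionStorage.clear();
    cleared.push("sessionStorage");
  }
  // IE6 SP1+ only. This wipes session cookies, HTTP auth and client certs for
  // EVERY site in the browser session, so reserve it for a dedicated logout page.
  const doc = win.document;
  if (doc && typeof doc.execCommand === "function") {
    try {
      doc.execCommand("ClearAuthenticationCache", false);
      cleared.push("authCache");
    } catch (e) {
      // Command not supported by this browser; nothing more to do here.
    }
  }
  return cleared;
}
```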

Until next time,

Eric

[1] New windows will not be merged into an existing session if they are “incompatible”—e.g. we won’t merge sessions across UAC Integrity levels, and we won’t merge sessions unless options like InPrivate Browsing (-private) or No Addons Mode (-extoff) match the existing session.