Microsoft KB Archive/196383

= FIX: Windows Opened by Script Lose Authentication or Session =

Article ID: 196383

Article Last Modified on 6/21/2004

-

APPLIES TO


 * Microsoft Internet Explorer 4.0 128-Bit Edition
 * Microsoft Internet Explorer 4.01 Service Pack 2
 * Microsoft Internet Explorer 4.01 Service Pack 1

-



This article was previously published under Q196383



SYMPTOMS
When windows are opened from script in an HTML page using window.open or ShowModalDialog, Internet Explorer responds by prompting users to enter their username and password every time a new window is created. This happens even though the user already entered a correct username and password and successfully authenticated with the Web server.

New windows may also lose Web server session information, creating a new session or reusing an older, incorrect session from a separate Internet Explorer instance.

Also, if the new window contains a Java applet that accesses static information from a class, it may not be able to share that information with an applet in another window.

These symptoms do not appear if the Windows Desktop Update is installed and the browser is not set to "Browse In New Process."



CAUSE
When asked to create new windows through script, Internet Explorer might create the window in the wrong Internet Explorer process. Because authentication credentials and the temporary cookies used for session identification are cached per process, new windows need to re-authenticate and start a new session if they don't open in the same process as their opening window.

This behavior can appear random; the determined process for new windows is dependent on several variables, including timing and browser configuration.



RESOLUTION
To resolve this problem, upgrade to the latest version of Internet Explorer or Microsoft Windows NT 4.0 Service Pack 6a (SP6a). You can download the latest version of Internet Explorer from the following Microsoft Web site:

http://www.microsoft.com/windows/ie/

Disabling the "Browse In New Process" browser setting in the Advanced tab of the Internet Options will alleviate most of the symptoms described in this article.

However, Web servers should avoid relying on this as a solution. Web sites that expect users to change browser settings will have a negative user experience, particularly when other sites require a different value for the same settings. Users in corporate environments may not even have control over this setting. Furthermore, disabling "browse in new process" can affect the stability of the system shell and some users may need to use "Browse In New Process" when they are working with pages that contain a lot of Active Content.

Note that all session-managed pages should be set to expire immediately. Some session inconsistencies can result when pages are pulled from the cache rather than from the Web server.



STATUS
Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article. This bug was corrected in Internet Explorer 4.01 Service Pack 2 and Internet Explorer 5.



Steps to Reproduce Behavior
  Create the following Active Server Pages (ASP) page on an Internet Information Server machine, version 3.0 or later, in a scripts directory: <%@ LANGUAGE="VBSCRIPT" %> Test for Session ID  ASP SESSION ID: <%= Session.SessionID %>  <INPUT TYPE=BUTTON ID=PushME onclick="return openwindow;" VALUE="WindowOpen"></FORM> <SCRIPT>

function openwindow {        window.open("test.asp"); }     </SCRIPT> </BODY></HTML> </li> <li>Verify that the "Browse In New Process" setting is selected in Internet Explorer on the client machine. This setting is in the Browser Settings section in the Advanced tab of the Internet Options dialog box.</li> <li>On the client machine, launch exactly one Internet Explorer instance. Navigate to the ASP page created in step 1. Click the "WindowOpen" button to execute window.open and create a new window.

Note that the ASP Session ID matches in both child and parent window.</li> <li>Create a new Internet Explorer instance by invoking Internet Explorer from the Start menu or Desktop icon. Again, navigate to the ASP page created in step 1. Click the "WindowOpen" button.

Note that the ASP Session ID does not match in both child and parent window of the new process. In some cases, this may be the session ID of the first pair of Internet Explorer windows.</li></ol>

<div class="references_section">