[thelist] Free Tip - just discovered

Ken Schaefer ken.schaefer at gmail.com
Tue Aug 24 18:38:31 CDT 2004


On Tue, 24 Aug 2004 09:33:45 -0500, Rob Smith <rob.smith at thermon.com> wrote:
> Out of curiosity with sessionID's in ASP, I did a quick test:
> 
> <tip type="ASP Session ID's" author="Rob.Smith">
> The same session.sessionID is maintained on your pages for your browser
> during one continuous session, INCLUDING the pages contained in iframes.
> They too have the same session ID, not different ones.
> </tip>

Well, this is correct, and incorrect at the same time. You are
ascribing behaviour to a certain property, when that property doesn't
really have anything to do with the behaviour.

ASP Session state is maintained by round tripping a session identifier
via a cookie. The browser needs to return this cookie to the server,
and the server needs to validate that the contained session identifier
is valid, and has not expired.

So, whether the browser returns a cookie to the server depends on the
rules regarding cookie security - /if/ the server that the iframe is
being requested from is the same as the server that set the cookie,
then the cookie will be returned. If the FQDN is something else, then
the cookie will not be returned. Whether the page is contained within an
iframe or not is irrelevant.

> <snip>
> Additionally, the user's browser can be configured so that new instances
> (either through a link, window.open, or CTRL-N) will either perpetuate the
> current session or start a new one.
> </snip>
> 
> Out of sheer curiosity, how is this accomplished?

There used to be an option that could be set in the Internet Explorer
GUI - "Browse in a new process". IIRC this was last seen in Internet
Explorer 4 (and possibly IE 5 if you upgraded from IE4 to IE5). When
this option was selected, opening new windows would cause a new
iexplore.exe process to be launched. Since ASP's session cookies are
"in memory" (non-persistent) cookies, and processes do not share
memory space, the new process could not access any of the in-memory
cookies of the spawning process.

IIRC (I'm not 100% sure about this) for backwards compatibility, the
registry key that controlled this behaviour can still be set if you
want to, but there is no longer any option in the IE options GUI in
IE5 or IE6 to toggle this behaviour.

Opening new windows from within an existing instance of IE causes the
windows to load within the same process. Using a desktop shortcut to
IE, or a link on the Programs menu causes a new process to launch.

Hope this helps

Cheers
Ken
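
[Added example, not part of Ken's message: a small model of the cookie-return rule and the per-process in-memory cookie store described above. It also handles the Domain attribute, which goes beyond the host-only case in the message. The names CookieJar and demo, the hosts and the cookie value are constructed for illustration.]

```javascript
// One CookieJar models the in-memory (session) cookies of one browser process.
// Simplified RFC 6265 matching: no public-suffix, Secure or expiry handling.
const domainMatch = (host, domain) =>
  host === domain || (!/^[\d.]+$/.test(host) && host.endsWith("." + domain));
const pathMatch = (req, cp) => req === cp ||
  (req.startsWith(cp) && (cp.endsWith("/") || req[cp.length] === "/"));
class CookieJar {
  constructor() { this.cookies = []; }
  // Store a cookie from a Set-Cookie header value received from requestHost.
  store(requestHost, setCookie) {
    const host = requestHost.toLowerCase();
    const [pair, ...attrs] = setCookie.split(";").map(s => s.trim());
    const eq = pair.indexOf("=");
    if (eq < 1) return false;
    const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                domain: host, hostOnly: true, path: "/" };
    for (const a of attrs) {
      const [k, v = ""] = a.split("=");
      if (/^domain$/i.test(k) && v) {
        c.domain = v.replace(/^\./, "").toLowerCase();
        c.hostOnly = false;
      } else if (/^path$/i.test(k) && v.startsWith("/")) c.path = v;
    }
    if (!domainMatch(host, c.domain)) return false; // Domain must cover the setter
    this.cookies = this.cookies.filter(
      o => !(o.name === c.name && o.domain === c.domain && o.path === c.path));
    this.cookies.push(c); return true;
  }
  // Cookie header value the browser would attach to a request for host + path.
  header(host, path) {
    const h = host.toLowerCase();
    return this.cookies
      .filter(c => (c.hostOnly ? h === c.domain : domainMatch(h, c.domain))
                   && pathMatch(path, c.path))
      .map(c => `${c.name}=${c.value}`).join("; ");
  }
}

// Constructed sample: an ASP-style session cookie set by www.example.com.
function demo() {
  const proc = new CookieJar();
  proc.store("www.example.com", "ASPSESSIONIDCONSTRUCTED=SAMPLEVALUE; path=/");
  return {
    samePage: proc.header("www.example.com", "/default.asp"),
    iframeSameHost: proc.header("www.example.com", "/frames/inner.asp"),
    iframeOtherHost: proc.header("intranet.example.com", "/inner.asp"),
    newProcess: new CookieJar().header("www.example.com", "/default.asp"),
  };
}
```

In demo(), the iframe on the same host gets the same session cookie as the top-level page, while the iframe on a different FQDN and the fresh jar standing in for a new process both send an empty Cookie header.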

