IE8在弹出窗口中丢失会话Cookie [英] IE8 losing session cookies in popup windows
问题描述
我们有一个使用Forms Auth的ASP.NET应用程序。当用户登录时,会生成会话ID Cookie和Forms Auth凭单(存储为Cookie)。这些是会话Cookie,而不是永久Cookie。
一旦用户登录,会弹出一个新窗口,使用 window.open('location here'); 。打开的页面实际上是用户在其他会话中工作的工作区。从这个页面,也使用其他弹出式窗口。
最近,我们有一些客户(都使用最新版本的IE8)抱怨,登录后,初始弹出窗口会将其返回到登录屏幕,而不是其首页。或者,用户有时可以登录,进入主页(这再次在一个新的弹出窗口),这一切似乎很好,直到创建任何额外的弹出窗口,它开始重定向到登录屏幕
在尝试解决问题时,我使用了好的老Fiddler。当问题开始显现时,我注意到浏览器没有发送ASP.NET会话ID会话cookie或Forms Auth票据会话cookie,即使对POST中的日志的响应清楚地推下这些cookie。 p>
更奇怪的是,如果我CTRL + N从弹出窗口中打开一个缺少会话cookie的新窗口,然后手动键入主页的URL ,那些饼干奇迹般地再次出现。但是,后续的 window.open(); 调用将继续被破坏,不发送会话cookie并将用户带到登录屏幕。
重要的是要注意,有时,似乎没有什么好的理由,那些相同的用户可以突然登录并正常工作一段时间,然后它会回到破碎。
现在,我确保没有浏览器插件,插件,工具栏等正在运行。我已将我们的网站添加为受信任的网站,并将安全设置删除为低,我已修改Cookie隐私政策为接受所有,甚至禁用自动策略设置,手动强制它接受一切,并包括会话Cookie。没有任何内容会影响它。
还请注意,Web应用程序驻留在单个服务器上。没有负载平衡,web园,服务器场,集群等。服务器位于ISA服务器的后面,但除此之外,它很简单。
I已经搜索了好几天,还没有找到任何可行的。哎哟,有时我甚至不能可靠地再现。我发现几个引用的人有这个相同的问题,但他们似乎指的是一个问题,据称固定在beta或RC版本(例如: IE8在重定向后打开新窗口时会丢失Cookie )。这些是IE的发布版本,包含最新的修补程序。
我知道我可以尝试设置永久Cookie而不是会话Cookie。但是,这对我们的应用程序有很大的安全隐患。
更新
似乎问题自动消失当用户作为本地管理员添加到计算机上时。只有时间才会告诉这个改变是否会永久性地(并且肯定地)影响这个问题。
赶上ProcMon,看看是否有资源访问问题。
更新#2
似乎存在多个角度,似乎是一个奇异的问题。我很久以前报告说,让用户成为本地管理员似乎有帮助。它做了,为一些用户。当然,这不是一个真正的解决方案,但它确实让我们随波逐流。
然后更多的用户开始报告问题,而管理员的修复没有帮助。用户似乎主要是Win7,但Vista也受到影响。他们似乎大多是64位的安装。
根据下面的一些成员的建议,将TabProcGrowth设置为0或1(工作)似乎已经解决了这个问题。因此,我将把接受的答案移动给第一个建议的人,因为它产生了更大的影响。
这是一个令人难以置信的令人沮丧的问题尝试解决,因为它是很难重现,经常发生与用户,我没有直接的沟通,或者当我得到他们,它似乎没有工作。我可以说是一些不正确的会话合并功能,但我没有太多的数据,供给微软找到永久修复。
这是IE8中的新功能!
检查下面的IE8博客以了解它。
IE8可以使用多个进程来处理x号的IE视窗。当你跨过一个进程空间,你松开你的cookie(Asp.Net会话ID似乎保留在这个过程界限)。
我个人认为它坏了或一个错误。我们知道,当浏览到同一个域目标时,Cookie应该保留并重新发送。那IE8有不同的处理行为安全..好!即使在另一个窗口中访问同一个目标域也会丢弃Cookie只是我的一个错误。
您可以修改进程IE8使用通过互联网浏览器选项ehh ..修改注册表设置!!!!!! (这是什么使得它在我的视图中的一个错误。IE提供了一个UI来修改这些设置将使其企业级可接受。
注意,
Marvin Smit
We have an ASP.NET application that uses Forms Auth. When users log in, a session ID cookie and a Forms Auth ticket (stored as a cookie) are generated. These are session cookies, not permanent cookies. It is intentional and desirable that when the browser closes, the user is effectively logged out.
Once a user logs in, a new window is popped up using window.open('location here');. The page that is opened is effectively the workspace the user works in throughout the rest of their session. From this page, other pop-ups are also used.
Lately, we've had a number of customers (all using latest versions of IE8) complaining that the when they log in, the initial pop-up takes them back to the log in screen rather than their homepage. Alternately, users can sometimes log in, get to the homepage (which again, is in a new pop up window), and it all seems fine, until any additional pop-ups are created, where it starts redirecting them to the log in screen again.
In attempting to troubleshoot the issue, I've used good old Fiddler. When the problem starts manifesting, I've noticed that the browser is not sending up the ASP.NET session ID session cookie OR the Forms Auth ticket session cookie, even though the response to the log in POST clearly pushes down those cookies.
What's more strange is if I CTRL+N to open a new window from the popped-up window that is missing the session cookies, then manually type in the URL to the home page, those cookies magically appear again. However, subsequent window.open(); calls will continue to be broken, not sending the session cookies and taking the user to the log in screen.
It's important to note that sometimes, for seemingly no good reason, those same users can suddenly log in and work normally for a while, then it goes back to broken.
Now, I've ensured that there are no browser add-ons, plug-ins, toolbars, etc. are running. I've added our site as a trusted site and dropped the security settings to Low, I've modified the Cookie Privacy policy to "accept all" and even disabled automatic policy settings, manually forcing it to accept everything and include session cookies. Nothing appears to affect it.
Also note the web application resides on a single server. There is no load balancing, web gardens, server farms, clusters, etc. The server does reside behind an ISA server, but other than that it's pretty straight forward.
I've been searching around for days and haven't found anything actionable. Heck, sometimes I can't even reproduce it reliably. I have found a few references to people having this same problem, but they seem to be referencing an issue that was allegedly fixed in a beta or RC release (example: IE8 loses cookies when opening a new window after a redirect). These are release versions of IE, with up-to-date patches.
I'm aware that I can try to set permanent cookies instead of session cookies. However, this has drastic security implications for our application.
Update
It seems that the problem automagically goes away when the user is added as a Local Administrator on the machine. Only time will tell if this change permanently (and positively) affects this problem.
Time to bust out ProcMon and see if there is a resource access problem.
Update #2
It seems there are multiple angles to what appears to be a singular problem. I reported long ago that making the user a local administrator seemed to help. And it did, for a number of users. Of course, that's not really a solution, but it did let us hobble along.
Then more users started reporting the issue, and the admin fix was not helping. The users seemed to be mostly Win7, but Vista was also affected. They also seemed to mostly be 64-bit installations.
Setting the TabProcGrowth to 0 or 1 (either worked) as suggested by some members below seems to have largely addressed the issue. So, I'm going to move my accepted answer to the first person that suggested that, as it has had significantly more impact.
This has been an incredibly frustrating issue to attempt to solve, since it is difficult to reproduce and often occurs with users that I do not have direct communication with, or by the time I get to them it doesn't appear to be working. All I can say is something is not right with the session merging feature, but I don't have much data to feed to Microsoft to find a permanent fix.
This is 'new' functionality in IE8!
Checkj out the IE8 blog below to read about it.
IE8 can use multiple processes for handling an x number of IE windows. When you cross a process space, you loose your cookies (Asp.Net session ID seems to be retained over this process boundry).
I personally think it's broken or a bug. As we know, when browing to the 'same domain target' cookies should be maintained and resent. That IE8 has different processing behavior for security.. Great! that it is behaving badly and 'drops cookies even if going to the same target domain in another window' is just a bug in my view.
You can modify the number of processes IE8 uses through the internet explorer options ehh.. modifying a registry setting!!!!!! (this is what makes it a bug in my view. IE providing a UI to modify these settings would make it 'enterprise level acceptable'.
Regard,
Marvin Smit
这篇关于IE8在弹出窗口中丢失会话Cookie的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
