WebApp Sec mailing list archives
Re: Encrypted URL
From: Jeremiah Cornelius <jeremiah () nur net>
Date: Mon, 2 Feb 2004 08:46:19 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 02 February 2004 07:43, Dean Saxe wrote:
> It appears that MSIE, depending on how it's installed, will sometimes share session cookies between browsers, causing what you describe below. Other times it will not share those session cookies, effectively allowing multiple browser windows to access a single app and differentiate between them. Unfortunately, this appears to be an option at installation and I don't know if it can be changed on the fly through registry settings or preferences. If it can be changed it would save me a lot of headaches with end users and QA. ;-)

Dean,

There is a "Folder Options" setting in MS Explorer, which enforces running each window spawned in its own process. See the attached .jpeg.

Also - opening a second copy of IE from a shortcut, from the desktop item, or from a menu SHOULD start an independent IE session: no cookie sharing.

You will generally share environments when a second IE is opened by:
- - Scripts on a page
- - Right-clicking to "Open in a New Window"
- - Selecting "FILE --> Open --> New Window"

I would have to test to see if these actions are affected by changing the Explorer folder options for running own processes. I suspect not - there are all kinds of potential browser security problems in allowing IPC between browser windows which are retrieving content from potentially DIFFERENT zones of trust.

- --Jeremiah Cornelius
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAHn7bJi2cv3XsiSARAtI3AJwIsXmrySfMFMOxhr4pINvKWI731QCg5Jgh
o71EDwJpGobyYS8GWGQHUzs=
=+PZF
-----END PGP SIGNATURE-----