When a website that requires a login is opened in IE7 and links from the website are opened in new tabs, the session from the original tab carries forward to the new tabs.
The same feature, functionality, or bug, whatever you may call it, is now carried forward to IE8 as well, and here even a completely new instance of IE8 (not a new tab, and not a window opened by pressing Ctrl + N) will carry the same session.
So what? Read on…
Let us take an application developed in ASP.NET. The application in question deals with the employee details of XYZ Corp. The manager uses IE8 to access the application, selects an employee (let us say Mr. X) and gets into the Edit Employee Details page. A small note here: the EmployeeID is stored in the session after employee selection and retrieved from there, to avoid multiple queries, hidden fields, etc.
At this time, the manager opens a new instance of IE8 and gets into the Employee Details page of Mr. Y. He changes something (DOB, etc.) and saves the data. The manager toggles back to the first IE window, which has the details of X, changes some info there and saves. Now the data that was actually intended for X goes to Y, because the session variable holds the last selected EmployeeID, and in this case it is that of Y.
This can be very dangerous in mission-critical applications. The reason behind this is that every new IE8 window uses the same frame process and only creates a new tab process. As the frame process is common across all IE windows, the session and cookies are common too.
This has been introduced as a new 'feature' in IE8 to address the need of one person (with one session/login) to be able to work in multiple tabs/windows and use an application effectively and easily. But as described above, this can cause havoc.
If you do not want the session to be carried across new IE windows, use the File -> "New Session" menu item of IE8, which opens a completely new frame process and lets you log in to applications with multiple sessions and work across different sessions.
Programmatically, in a .NET web application, we can add the following line in the config file, which will force the session IDs to be appended to the URLs. But this is not a very elegant solution!
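Separately from the config setting mentioned above, the misdirected save can also be addressed in the application itself. The following is an added example, not code from the original post: a console simulation of the Mr. X / Mr. Y scenario, first with a single session-wide EmployeeID and then with one session slot per rendered edit page. `Session`, `Db` and all method names are hypothetical stand-ins, and the employee ids and dates are constructed.

```csharp
using System;
using System.Collections.Generic;

// Constructed simulation; Session and Db stand in for ASP.NET session state and
// the employee table. All method names are hypothetical.
class SharedSessionDemo
{
    static readonly Dictionary<string, object> Session = new Dictionary<string, object>();
    static readonly Dictionary<int, string> Db = new Dictionary<int, string>();

    // Pattern from the post: selection stores one EmployeeID per session.
    static void SelectEmployee(int id) { Session["EmployeeID"] = id; }

    // Save trusts whatever id the session holds at save time.
    static void SaveFromSession(string dob) { Db[(int)Session["EmployeeID"]] = dob; }

    // Alternative: each rendered edit page gets its own slot, keyed by a token
    // that the page posts back (for example in a hidden field).
    static string SelectEmployeeScoped(int id)
    {
        string token = Guid.NewGuid().ToString("N");
        Session["edit:" + token] = id;
        return token;
    }

    // Save resolves the target from the posting page's token, never from a shared key.
    static bool SaveScoped(string token, string dob)
    {
        object id;
        if (token == null || !Session.TryGetValue("edit:" + token, out id)) return false;
        Db[(int)id] = dob;
        return true;
    }

    static void Main()
    {
        const int X = 1, Y = 2;               // constructed employee ids
        Db[X] = "1970-01-01"; Db[Y] = "1980-02-02";

        SelectEmployee(X);                    // window 1 opens Mr. X
        SelectEmployee(Y);                    // window 2 opens Mr. Y, same session
        SaveFromSession("1981-03-03");        // window 2 saves Y
        SaveFromSession("1971-04-04");        // window 1 saves "X": written to Y
        Console.WriteLine("shared key:   X={0} Y={1}", Db[X], Db[Y]);

        Db[X] = "1970-01-01"; Db[Y] = "1980-02-02";
        string w1 = SelectEmployeeScoped(X), w2 = SelectEmployeeScoped(Y);
        SaveScoped(w2, "1981-03-03");         // window 2 saves Y
        SaveScoped(w1, "1971-04-04");         // window 1 saves X: written to X
        Console.WriteLine("per-page key: X={0} Y={1}", Db[X], Db[Y]);
    }
}
```

Because the employee id stays on the server and the page only carries a lookup token scoped to the user's own session, the per-page variant does not let the client choose an arbitrary EmployeeID.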