Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > Possible IE 6 Bug - Differences Between Windows Explorer And IE

Reply
Thread Tools

Possible IE 6 Bug - Differences Between Windows Explorer And IE

 
 
Kevin Watkins
Guest
Posts: n/a
 
      04-16-2004
Hi,

Apologies for cross posting like this, but I wasn't sure on the best
group to post to and I didn't receive much of a response to my
original email in microsoft.public.dotnet.framework.aspnet.security.
My application currently has a rather large security hole in it which
I need help with as soon as possible.

My original post can be found at
http://groups.google.co.uk/groups?hl...ing.google.com

Basically the problem is a difference in behaviour between going to a
URL by loading up IE via its icon, and by going to a URL by typing it
into the Windows Explorer address bar.

My application uses ASP.NET. It records information in the Session
variable and uses forms authentication to log in. The code for a
simple test application to demonstrate all this is included in my
original post.

Firstly I go to my app by loading up IE by clicking its icon then
entering the URL in the address bar. I log in, then close the browser
window. If I then open a new instance of IE in the same way and go
back to the site I am logged out as you'd expect, because my session
has ended. Everything works correctly and I'm a happy bunny.

However, if I enter the URL into the address bar of a Windows Explorer
window (E.g. double click on 'My Computer' and use the window that
comes up) my site displays in the window. I log in, then close the
window. If I then enter the URL into another Windows Explorer address
bar, I haven't been logged out. My session remains and my forms
authentication still holds.

Looking into this further, I believe this is due to session cookies
being held in memory. When I load up IE I get an iexplore.exe process
showing in task manager. Presumably the session cookies are held in
the memory space of this process, so when I close my IE window, the
process ends, the cookies are destroyed and my session/authentication
is therefore lost.

However, when I enter the URL into Windows Explorer, it does not
launch an iexplore.exe process. I'm therefore guessing that the
session cookies are held in the memory space of explorer.exe. As this
process never ends, the session cookies never die and my
session/authentication information is never lost.

In a related issue, if I open a popup using JavaScript from my site
when it has been accessed via Windows Explorer, an iexplore.exe
process is launched for the new window. The session/authentication
information is not carried through to this new window, I'm guessing
because the in memory cookies aren't copied to the new process.

Now I hope I'm being a muppet and have not set up something correctly
in ASP.NET or IIS. I tried setting the cookieless property in the
sessionState node in Web.Config to true, but still had the problem. I
have tested the website locally and on three different remote servers.
I have tested this on XP and 2000 running IE6, and on 2000 running
IE5.5. The bug only seems to happen under IE5.5, which makes me think
it might be a bug in IE 6.

Has anyone experienced anything similar? I would be grateful for any
help in solving this problem, as currently I have a big security hole.
If a user enters my site via Windows Explorer and then doesn't log
out, then another user could come along, use their PC, go to my site
via Windows Explorer and obtain the previous user's access rights.

I currently have a JavaScript onunload to log the user out if the
window closes, but this is not 100% perfect and is certainly not
ideal! So any help would be really appreciated!!!

Thanks,

Kev

http://www.velocityreviews.com/forums/(E-Mail Removed)
 
Reply With Quote
 
 
 
 
Jim Cheshire [MSFT]
Guest
Posts: n/a
 
      04-16-2004
Hi Kevin,

This is not a bug in any version of the browser. This is by-design. One
process cannot access the memory for another process. As you have seen,
when you browse a URL via a Windows Explorer window, it will browse that
URL via the explorer.exe process. If you then open a new window, it will
launch a new iexplore.exe process, and that iexplore.exe process cannot
access the memory space for the explorer.exe process.

There is a way that you can force the process to not cache credentials in
this scenario. Open an Explorer window and click on Tools, Folder Options.
Click the View tab and select the option to "Launch folder windows in a
separate process." After you check that, restart the computer. Now
credentials will no longer be cached after the Windows Explorer window is
closed and a new one opened.

Jim Cheshire, MCSE, MCSD [MSFT]
ASP.NET
Developer Support
(E-Mail Removed)

This post is provided "AS-IS" with no warranties and confers no rights.

--------------------
>From: (E-Mail Removed) (Kevin Watkins)
>Newsgroups:

microsoft.public.internet.explorer.ieak,microsoft. public.dotnet.framework.as
pnet.security,microsoft.public.dotnet.security
>Subject: Possible IE 6 Bug - Differences Between Windows Explorer And IE
>Date: 16 Apr 2004 10:43:23 -0700
>Organization: http://groups.google.com
>Lines: 75
>Message-ID: <(E-Mail Removed) >
>NNTP-Posting-Host: 81.133.246.107
>Content-Type: text/plain; charset=ISO-8859-1
>Content-Transfer-Encoding: 8bit
>X-Trace: posting.google.com 1082137403 2791 127.0.0.1 (16 Apr 2004

17:43:23 GMT)
>X-Complaints-To: (E-Mail Removed)
>NNTP-Posting-Date: Fri, 16 Apr 2004 17:43:23 +0000 (UTC)
>Path:

cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed 00.sul.t-online.de!t-onlin
e.de!news.glorb.com!postnews1.google.com!not-for-mail
>Xref: cpmsftngxa06.phx.gbl

microsoft.public.dotnet.framework.aspnet.security: 9663
microsoft.public.dotnet.security:5748
microsoft.public.internet.explorer.ieak:13152
>X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>
>Hi,
>
>Apologies for cross posting like this, but I wasn't sure on the best
>group to post to and I didn't receive much of a response to my
>original email in microsoft.public.dotnet.framework.aspnet.security.
>My application currently has a rather large security hole in it which
>I need help with as soon as possible.
>
>My original post can be found at
>http://groups.google.co.uk/groups?hl...204be.04040510

28.1275a59b%40posting.google.com
>
>Basically the problem is a difference in behaviour between going to a
>URL by loading up IE via its icon, and by going to a URL by typing it
>into the Windows Explorer address bar.
>
>My application uses ASP.NET. It records information in the Session
>variable and uses forms authentication to log in. The code for a
>simple test application to demonstrate all this is included in my
>original post.
>
>Firstly I go to my app by loading up IE by clicking its icon then
>entering the URL in the address bar. I log in, then close the browser
>window. If I then open a new instance of IE in the same way and go
>back to the site I am logged out as you'd expect, because my session
>has ended. Everything works correctly and I'm a happy bunny.
>
>However, if I enter the URL into the address bar of a Windows Explorer
>window (E.g. double click on 'My Computer' and use the window that
>comes up) my site displays in the window. I log in, then close the
>window. If I then enter the URL into another Windows Explorer address
>bar, I haven't been logged out. My session remains and my forms
>authentication still holds.
>
>Looking into this further, I believe this is due to session cookies
>being held in memory. When I load up IE I get an iexplore.exe process
>showing in task manager. Presumably the session cookies are held in
>the memory space of this process, so when I close my IE window, the
>process ends, the cookies are destroyed and my session/authentication
>is therefore lost.
>
>However, when I enter the URL into Windows Explorer, it does not
>launch an iexplore.exe process. I'm therefore guessing that the
>session cookies are held in the memory space of explorer.exe. As this
>process never ends, the session cookies never die and my
>session/authentication information is never lost.
>
>In a related issue, if I open a popup using JavaScript from my site
>when it has been accessed via Windows Explorer, an iexplore.exe
>process is launched for the new window. The session/authentication
>information is not carried through to this new window, I'm guessing
>because the in memory cookies aren't copied to the new process.
>
>Now I hope I'm being a muppet and have not set up something correctly
>in ASP.NET or IIS. I tried setting the cookieless property in the
>sessionState node in Web.Config to true, but still had the problem. I
>have tested the website locally and on three different remote servers.
>I have tested this on XP and 2000 running IE6, and on 2000 running
>IE5.5. The bug only seems to happen under IE5.5, which makes me think
>it might be a bug in IE 6.
>
>Has anyone experienced anything similar? I would be grateful for any
>help in solving this problem, as currently I have a big security hole.
>If a user enters my site via Windows Explorer and then doesn't log
>out, then another user could come along, use their PC, go to my site
>via Windows Explorer and obtain the previous user's access rights.
>
>I currently have a JavaScript onunload to log the user out if the
>window closes, but this is not 100% perfect and is certainly not
>ideal! So any help would be really appreciated!!!
>
>Thanks,
>
>Kev
>
>(E-Mail Removed)
>


 
Reply With Quote
 
 
 
 
Kevin Watkins
Guest
Posts: n/a
 
      04-19-2004
> Hi Kevin,
>
> This is not a bug in any version of the browser. This is by-design. One
> process cannot access the memory for another process. As you have seen,
> when you browse a URL via a Windows Explorer window, it will browse that
> URL via the explorer.exe process. If you then open a new window, it will
> launch a new iexplore.exe process, and that iexplore.exe process cannot
> access the memory space for the explorer.exe process.
>
> There is a way that you can force the process to not cache credentials in
> this scenario. Open an Explorer window and click on Tools, Folder Options.
> Click the View tab and select the option to "Launch folder windows in a
> separate process." After you check that, restart the computer. Now
> credentials will no longer be cached after the Windows Explorer window is
> closed and a new one opened.


Hi,

Thanks for your reply. I have just tested this again under IE5.5 and I
get different behaviour. The 'Launch folder windows in a separate
process' isn't ticked, yet the credentials do not get cached when I
shut the Windows Explorer window with my site in.

I can understand this being by design, but may I ask what the
rationale is? The design appears to have changed from 5.5 to 6
according to my simple tests, and surely not launching an iexplore.exe
process from Windows Explorer makes everything less secure? (In that
another user could gain access to the PC and gain login credentials,
whereas they couldn't if an iexplore.exe was launched) Especially
seeing as this box is not ticked by default.

I'm still thinking there must be a solution to this though. I cannot
get all my users to tick that box, because most of them won't and
people may login using public computers anyway. Many other sites I use
on the internet don't suffer from this problem, so I'm assuming there
must be something I can do to my site to plug this security hole? Is
there anything you can think of that might help?

Thanks,

Kev
 
Reply With Quote
 
Jim Cheshire [MSFT]
Guest
Posts: n/a
 
      04-19-2004
Hi Kev,

I'm not sure why you would see different behavior between IE 5 and 6. You
might want to post this question in the IE Client newsgroup for input
there.

Jim Cheshire, MCSE, MCSD [MSFT]
ASP.NET
Developer Support
(E-Mail Removed)

This post is provided "AS-IS" with no warranties and confers no rights.

--------------------
>From: (E-Mail Removed) (Kevin Watkins)
>Newsgroups: microsoft.public.dotnet.framework.aspnet.security
>Subject: Re: Possible IE 6 Bug - Differences Between Windows Explorer And

IE
>Date: 19 Apr 2004 02:00:14 -0700
>Organization: http://groups.google.com
>Lines: 41
>Message-ID: <(E-Mail Removed) >
>References: <(E-Mail Removed) >

<aFIb0t#(E-Mail Removed)>
>NNTP-Posting-Host: 81.133.246.107
>Content-Type: text/plain; charset=ISO-8859-1
>Content-Transfer-Encoding: 8bit
>X-Trace: posting.google.com 1082365215 17082 127.0.0.1 (19 Apr 2004

09:00:15 GMT)
>X-Complaints-To: (E-Mail Removed)
>NNTP-Posting-Date: Mon, 19 Apr 2004 09:00:15 +0000 (UTC)
>Path:

cpmsftngxa10.phx.gbl!TK2MSFTNGXA05.phx.gbl!TK2MSFT NGP08.phx.gbl!newsfeed00.s
ul.t-online.de!t-online.de!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!p
ostnews1.google.com!not-for-mail
>Xref: cpmsftngxa10.phx.gbl

microsoft.public.dotnet.framework.aspnet.security: 9669
>X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>
>> Hi Kevin,
>>
>> This is not a bug in any version of the browser. This is by-design.

One
>> process cannot access the memory for another process. As you have seen,
>> when you browse a URL via a Windows Explorer window, it will browse that
>> URL via the explorer.exe process. If you then open a new window, it

will
>> launch a new iexplore.exe process, and that iexplore.exe process cannot
>> access the memory space for the explorer.exe process.
>>
>> There is a way that you can force the process to not cache credentials

in
>> this scenario. Open an Explorer window and click on Tools, Folder

Options.
>> Click the View tab and select the option to "Launch folder windows in a
>> separate process." After you check that, restart the computer. Now
>> credentials will no longer be cached after the Windows Explorer window

is
>> closed and a new one opened.

>
>Hi,
>
>Thanks for your reply. I have just tested this again under IE5.5 and I
>get different behaviour. The 'Launch folder windows in a separate
>process' isn't ticked, yet the credentials do not get cached when I
>shut the Windows Explorer window with my site in.
>
>I can understand this being by design, but may I ask what the
>rationale is? The design appears to have changed from 5.5 to 6
>according to my simple tests, and surely not launching an iexplore.exe
>process from Windows Explorer makes everything less secure? (In that
>another user could gain access to the PC and gain login credentials,
>whereas they couldn't if an iexplore.exe was launched) Especially
>seeing as this box is not ticked by default.
>
>I'm still thinking there must be a solution to this though. I cannot
>get all my users to tick that box, because most of them won't and
>people may login using public computers anyway. Many other sites I use
>on the internet don't suffer from this problem, so I'm assuming there
>must be something I can do to my site to plug this security hole? Is
>there anything you can think of that might help?
>
>Thanks,
>
>Kev
>


 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
DEVELOP THE WINNING EDGE, SMALL DIFFERENCES IN YOUR PERFORMANCE CANLEAD TO LARGE DIFFERENCES IN YOUR RESULTS Home_Job_opportunity C Programming 0 01-14-2009 03:51 PM
DEVELOP THE WINNING EDGE, SMALL DIFFERENCES IN YOUR PERFORMANCE CANLEAD TO LARGE DIFFERENCES IN YOUR RESULTS Home_Job_opportunity C Programming 0 01-08-2009 04:31 PM
What are the major differences between Windows Server 2003 and Windows SBS ? Steve Benson Computer Support 3 08-24-2005 10:37 PM
Forms Authentication and Differences Between Windows Explorer and IE Kevin Watkins ASP .Net Security 2 04-08-2004 10:41 AM
Re: DIFFERENCES between NETSCAPE and EXPLORER when programming (HTML) Lars Andersen HTML 0 02-01-2004 11:50 PM



Advertisments