Hello,

I have an issue with session management. This is what I did.

  1. I created a new instance of the browser and went to the production site which I developed.
  2. It asked me to log in and I logged in.
  3. I went to a page and saw it.
  4. I opened a new instance of the browser again (not File -> New Window). I opened it from the Start menu.
  5. I copied and pasted the URL of an inner page.
  6. This time, instead of showing me the login page, it showed the page directly.

Somehow it is sharing the session between the two browser instances even though I opened them separately. My IIS version is 7.5 and it runs on Windows 2008 R2 64-bit.

When I try the same case on my local box using the Visual Studio development web server it works fine. It shows the login.

If somebody has encountered the same issue please help me.

Thanks

A: 

Perhaps your website is set up to use cookieless sessions. If this is the case you would see the session id embedded in the URL of the site just after the host name. One of the downsides of cookieless sessions is that a copied URL will grant access to the session of the current user.

The other possibility is a browser misconfiguration in which new sessions of the browser are sharing session cookies even though you don't want them to. What browser are you using?

Andrew Hare
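
To check whether URLs from a site carry a cookieless token, as the answer above describes, here is a small checker (an added example, not part of the original thread) that looks for the ASP.NET cookieless path segment and returns a copy of the URL that is safe to paste or log. The host name, paths and token values are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# ASP.NET cookieless header: one path segment such as /(S(<id>))/ or
# /(S(<id>)F(<ticket>))/ ; the letter names what is carried in the URL.
SEGMENT = re.compile(r"^\((?:[A-Z]\([^()]*\))+\)$")
FIELD = re.compile(r"([A-Z])\(([^()]*)\)")
KINDS = {"S": "session id", "F": "forms-auth ticket", "A": "anonymous id"}


def inspect_url(url):
    """Return (kinds_found, redacted_url) for one URL."""
    parts = urlsplit(url)
    found, kept = [], []
    for seg in parts.path.split("/"):
        if SEGMENT.match(seg):
            found += [KINDS[k] for k, _ in FIELD.findall(seg) if k in KINDS]
            continue  # drop the token-bearing segment from the redacted form
        kept.append(seg)
    return found, urlunsplit(parts._replace(path="/".join(kept)))


def scan(urls):
    """Return only the URLs that expose a token, with what they expose."""
    hits = []
    for url in urls:
        found, redacted = inspect_url(url)
        if found:
            hits.append((redacted, found))
    return hits


# Constructed sample input: URLs as they might appear in an address bar or log.
SAMPLE_URLS = [
    "http://intranet.example/(S(k4x0q1zz9w2m7t55ab31cd90))/Orders/Detail.aspx?id=7",
    "https://intranet.example/app/(S(aaaa)F(0123ABCD))/default.aspx",
    "http://intranet.example/Orders/Detail.aspx?id=7",
]

if __name__ == "__main__":
    for redacted, found in scan(SAMPLE_URLS):
        print(f"{redacted}: URL carries {', '.join(found)}")
```

If a production URL is flagged, the setting to review is the `cookieless` attribute on `<sessionState>` (and on `<forms>` for the login ticket) in web.config.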
A: 

I have seen this happen in IE8 - I get around it by opening a new browser with File -> New Session

Ray
A: 

Are you missing step 4a: close the current browser?

Also, is it really sharing the SESSION, or just the login cookie? Huge difference!

Bryan
A: 

The behavior you described is "by design."

Sessions use cookies, and by default cookies are shared among all instances of a browser. (There are some browser-specific tweaks that allow some clients to circumvent this.)

If you want a different session, you will need to use a different browser: FF + IE or Opera, for example, since cookies aren't shared between different browsers.

Either that, or switch to cookieless sessions (yuck!)

RickNZ