I use a web application that forces you to reauthenticate with the application even if you open a new browser window that shares the same session, e.g. File, New Window in Internet Explorer. I was surprised since I thought that if you opened a new browser window from File, New in both IE and Firefox (vs. starting a new browser process) that it would share the same session.

Using an Internet Explorer cookie viewer/editor, I saw no cookies for this application at all.

How do they likely implement this forced authentication scheme that seems to disallow new browser windows from continuing the session?

+1  A: 

One common approach is to pass a session ID in the URL.

For instance, ASP.NET uses this approach for cookieless sessions. URLs within the application are rewritten to contain a session ID.

Joseph Anderson
+1  A: 

There are two possibilities for this:

  1. The session ID is stored in every <a href=''>, so clicking on a link automatically sends some data to the server.
  2. The same, but with POST queries (hidden form fields).
Vasiliy Stavenko
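
Both answers describe carrying the session token in the page itself instead of in a cookie. The sketch below is an added example, not part of either answer and not the application's own code: it rewrites links and forms to carry a token and rejects any request that arrives without one. The `sid` field name, the function names and the in-memory store are assumptions; the `/(S(token))/` path form is modelled on ASP.NET cookieless URLs.

```python
import re
import secrets
from html import escape

SESSIONS = {}  # token -> user; in-memory store constructed for this example
# Path form modelled on ASP.NET cookieless URLs: /(S(<token>))/<route>
TOKEN_RE = re.compile(r"^/\(S\(([A-Za-z0-9_-]+)\)\)(/.*)$")


def login(user):
    """Create a session and return its unguessable token (no cookie is set)."""
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = user
    return token


def rewrite(html, token):
    """Embed the token in every app-relative href and in every form."""
    html = re.sub(r'href="(/[^"]*)"',
                  lambda m: f'href="/(S({token})){m.group(1)}"', html)
    hidden = f'<input type="hidden" name="sid" value="{escape(token)}">'
    return re.sub(r"(<form\b[^>]*>)", lambda m: m.group(1) + hidden, html)


def handle(path, form=None):
    """Return (status, body). The token is read from the URL path or from a
    POST field; a request carrying neither is treated as unauthenticated."""
    m = TOKEN_RE.match(path)
    token = m.group(1) if m else (form or {}).get("sid")
    route = m.group(2) if m else path
    user = SESSIONS.get(token) if token else None
    if user is None:
        return 401, "login required"
    page = (f"<p>{escape(user)} at {escape(route)}</p>"
            '<a href="/inbox">Inbox</a>'
            '<form method="post" action="/send"></form>')
    return 200, rewrite(page, token)


if __name__ == "__main__":
    tok = login("alice")                      # constructed sample user
    print(handle(f"/(S({tok}))/home"))        # links and form carry the token
    print(handle("/home"))                    # bare URL: no token, must log in
    print(handle("/send", {"sid": tok}))      # hidden-field variant
```

A token placed in the URL also ends up in browser history, proxy and server logs, and Referer headers, which the hidden-field variant avoids.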