views:

346

answers:

3

I need to open a second browser window or tab, but it must have a different session ID.

Opening the new browser window from an ASP.NET page is easy, but then it shares the same cookie and thus session ID with the original.

How can I do this?

A: 

I don't think there is a way of doing this, because Cookies are stored at the browser level - however many windows you open, you'll still have the same Cookie, and hence the same session.

Perhaps it is possible if you use Cookieless sessions, I'm not sure, although there's quite a few disadvantages to the cookieless sessions route.

edit: Depending on your circumstances, one way to achieve what you're trying to achieve might be to have several different domain names/urls that all point to the same ASP.NET site, that will allow you to keep the cookies and sessions separate. But if you need more than 2 or 3 sessions per browser then thats going to get silly.

codeulike
nope, it legacy systems, so I cannot change the site to run cookieless
Daniel Brink
jip, multiple different urls to the site does allow me to create new sessions, but its to limited
Daniel Brink
cookieless sessions make it a lot easier to do session fixation attacks, ESPECIALLY in asp.net, where you can't manually create a new session at login http://blogs.sans.org/appsecstreetfighter/2009/06/14/session-attacks-and-aspnet-part-1/
Matt Briggs
+3  A: 

This is a browser limitation - browsers instances share cookie data (including session cookie) when they are running, so this is not possible with your standard browser.

If you have an option of running different browsers (IE and Firefox, for instance) they do not share cookies and will have different sessions.

Edit:

If you have control over IIS host headers and DNS in your environment, you may be able to use many different domain names - one per session.

The browser will treat each domain name as a different server and different cookies (and therefore sessions) will be created.

Oded
Yes, I know that, but what are the hacks around it. When I change the domain to the ip address when opening the new window it does give me a second session wich is cool, but then I'm limited to only 2 sessions. There must be better ways to get around the problem.
Daniel Brink
@Daniel: You could setup IIS so that you could use `a.domainname.com`, `b.domainname.com`. `c.domainname.com`, etc. This way you have unlimited sessions.
Aaron
yes, but thats a bit extreme, there must a surely be clientside solution to this problem
Daniel Brink
@Daniel - not without fundamental changes to the infrastructure of the internet or massive changes to the browser codebase...
Oded
A: 

In IE you have to use File - New Session or there is a registry key you can set for tabs / sessions. Your tabs will change color showing you which session you are using.

James Westgate
nope, you cannot ask everyone to go change their registry settings, doubt that many even know how to do that
Daniel Brink
If you work in a corporate environment like I do the IT department roll this change out automatically - so its a good solution for a intranet based application.
James Westgate