Does IE8 have a problem determining what protected mode state the resultant site should be in when following redirects?

We are seeing this situation when using IE8 on Windows 7 in an enterprise environment.

Note:

Server A is a secure site and is listed in the user's trusted sites list.

Server B is also a secure site but is not listed in the user's trusted sites list.

At the end of each step I have indicated whether IE is in Protected Mode (PM).

  1. The user loads a form on Server A and submits it. PM is Off
  2. Server A processes the submission and returns a redirect to Server B. PM is Off
  3. Server B then redirects to an alternate URL on its own domain and sets a cookie, delivering a page to the user. PM is Off
  4. User clicks a link to continue transaction and Server B attempts to read the cookie. PM turns ON
  5. IE8 does not send the cookie to Server B because it was set in a different protected mode.

From what I can understand, transactions commencing with Server B should immediately put the browser into Protected Mode. However, it appears that IE8 is not correctly identifying the initial mode for Server B - perhaps because of the redirects?

Looking at the cookies in IE8's developer tools I noticed they are registered against .COM.AU rather than the more specific complete domain for Server B.

I don't have permission to install Fiddler on the machine so I have used Firefox to determine what transactions took place.

Matt

A: 

Caveat: It's not always safe to assume that Firefox is going to behave the same way as IE does.

PM doesn't "turn on" and "turn off"-- a new tab process is started if you cross integrity levels. In IE8, that tab process will replace the current tab, but in IE7 it opened a whole new window.

Does your problem go away if both sites are put in the trusted zone, or if Protected Mode is turned off for the Internet zone?

How is the first browser instance (to page A) launched?

EricLaw -MSFT-
Yes, I was aware of that caveat, which is why it would be nice to get Fiddler on our infrastructure :( The problem goes away if both sites are in the same zone. Either remove Server A from trusted sites or put Server B in trusted sites. We are aware of this as a potential solution - however it would require an organisation-wide change to our desktop environment. I was hoping to get to the bottom of this another way, preferably by getting a better understanding of the exact issue and maybe changing the way we do things. First connection to Server A is by typing "https://...." in the location bar.
MisterW
What method is used to submit the form (GET or POST)? What type of redirect is in use? HTTP/302, or HTTP/307?
EricLaw -MSFT-
Form submitted with POST. Redirects are 302. Was able to try this at home on Win 7 with IE8: I did not experience the problem. The first few times I tried, Server B would open in a new tab with PM ON; after that it opened in the same tab with PM ON (after changing some options - I don't remember what triggered this - had not used IE8 on Win 7 before). There must be other settings involved that cause this problem within my work environment. Fiddler indicates that IE8 follows the same transaction path as Firefox.
MisterW
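
Added example, not part of the thread and not IE's actual implementation: a simplified Python model of the five steps as the question reports them, showing why a cookie stored while the tab runs with PM off is missing once the tab runs with PM on, and why placing both servers in the same zone avoids it. The host names, the `Browser` class and the cookie name are constructed; the model assumes one cookie store per integrity level and that a 302 is followed in the tab that started the request.

```python
# Simplified model of the sequence reported in the question; not IE's real logic.
# Assumption: cookies are stored per integrity level (PM off = "medium",
# PM on = "low"), and a 302 is followed inside the tab that started the request.
from urllib.parse import urlsplit

# Constructed hosts standing in for Server A and Server B.
SERVER_A = "https://server-a.example/form"
SERVER_B = "https://server-b.example/start"
SERVER_B_NEXT = "https://server-b.example/continue"


class Browser:
    def __init__(self, trusted_hosts):
        self.trusted = set(trusted_hosts)
        self.jars = {"medium": {}, "low": {}}  # one cookie store per level
        self.level = None                      # level of the current tab

    def level_for(self, url):
        """Trusted sites zone runs with PM off, every other host with PM on."""
        return "medium" if urlsplit(url).hostname in self.trusted else "low"

    def navigate(self, url):
        """User-initiated navigation: the tab takes the target zone's level."""
        self.level = self.level_for(url)
        return self.cookies_sent(url)

    def follow_redirect(self, url, set_cookie=None):
        """302 followed in the current tab; the level is not re-evaluated (as reported)."""
        host = urlsplit(url).hostname
        if set_cookie:
            name, value = set_cookie
            self.jars[self.level].setdefault(host, {})[name] = value
        return self.cookies_sent(url)

    def cookies_sent(self, url):
        """Cookies visible to this host from the current level's store only."""
        return dict(self.jars[self.level].get(urlsplit(url).hostname, {}))


def run_flow(trusted_hosts):
    """Steps 1-4 of the question; returns (level after each step, cookies sent at step 4)."""
    b = Browser(trusted_hosts)
    trace = []
    b.navigate(SERVER_A)                                    # step 1: form on A
    trace.append(b.level)
    b.follow_redirect(SERVER_B)                             # step 2: A -> B (302)
    trace.append(b.level)
    b.follow_redirect(SERVER_B_NEXT, ("session", "abc"))    # step 3: B sets cookie
    trace.append(b.level)
    sent = b.navigate(SERVER_B_NEXT)                        # step 4: user clicks link
    trace.append(b.level)
    return trace, sent
```

`run_flow({"server-a.example"})` reproduces the reported failure (empty cookie set at step 4), while passing both hosts or neither keeps every step at one level and the cookie is sent.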