Cookie problem with ShowModalDialog and window.open

I have discovered an odd problem when using window.open from an IE window which was opened with ShowModalDialog. You would expect the new window to inherit the cookies from the same IE session which created the modal window, but in some cases that doesn't happen. It may get the cookies from another IE session that you have open elsewhere. I'm thinking this could be a security risk.

The best way to see this problem is to load my test page below in two different IE windows. Do not open the second IE window by using File/New Window from the first window. If you do that, the windows will already share cookies. Instead, open two IE windows by clicking on the IE icon in the Quick Launch bar two times. When you load my test page in both windows, each window should have a unique ASPSessionID. I'll refer to the two IE windows as ParentA and ParentB.

Perform the following steps to demonstrate the problem:

ParentA (note the value of the LoadTime cookie)
- Click WindowOpen button: LoadTime matches ParentA
- Click ShowModal button: LoadTime matches ParentA
- Click WindowOpen button inside modal window: LoadTime matches ParentA

ParentB (note the value of the LoadTime cookie)
- Click WindowOpen button: LoadTime matches ParentB
- Click ShowModal button: LoadTime matches ParentB
- Click WindowOpen button inside modal window: LoadTime DOES NOT MATCH - it is the LoadTime from ParentA

So, if you use ShowModalDialog to open a window, and then use window.open from that modal window to load another window, the last child window may not get the cookies from its parent windows.

I wonder if this could be a security issue. If someone could get a user to click buttons to load a modal window and then a window.open window, the page could read cookies from an entirely different IE window.

I am using Windows XP SP2 with all critical security patches applied. In case it matters, I have my "Reuse windows for launching shortcuts" option in IE turned off. Also, in Windows Explorer, I have the "Launch folder windows in a separate process" option turned on.

Here is the source code for my test page (CookieTest.asp):

    <%@ Language=VBScript %>
    <% Response.Expires = -1 %>
    <HTML>
    <HEAD>
    <script language=vbscript>
    ' LoadType=1: the page is loaded inside a modal dialog
    Sub cmdShowModal_onClick
        window.showModalDialog("CookieTest.asp?LoadType=1")
    End Sub

    ' LoadType=2: the page is loaded in a new window via window.open
    Sub cmdWindowOpen_onClick
        window.open "CookieTest.asp?LoadType=2", "_blank"
    End Sub
    </script>
    </HEAD>
    <BODY>
    <% If Request("LoadType") <> "2" Then %>
    <input type=button name=cmdWindowOpen value="WindowOpen"><br>
    <% End If
       ' Only the top-level (parent) load sets the LoadTime cookie
       If Request("LoadType") = "" Then
           Response.Cookies("LoadTime") = Timer() * 100 %>
    <input type=button name=cmdShowModal value="ShowModal"><br>
    <% End If %>
    <script language=vbscript>
    ' Show the cookies visible to this window
    document.write "<p>cookies = " & window.document.cookie
    </script>
    </BODY>
    </HTML>

Hi,

I have the same problem, which occurs on a different client. I have two aspx pages; on the first one I set some cookies on the server. On the client side (of the first page) there is JavaScript code that opens the second aspx page. Normally the cookies must be accessible on the second aspx page, but on some clients that isn't the case.

-- mansh

Posted via http://www.webservertalk.com
View this thread: http://www.webservertalk.com/message1067281.html