Re: Possible IE 6 Bug - Differences Between Windows Explorer And IE

From: Jim Cheshire [MSFT] (jamesche_at_online.microsoft.com)
Date: 04/19/04

  • Next message: Larry: "trying to post to aspx anonyomously is blocked?"
    Date: Mon, 19 Apr 2004 15:12:33 GMT
    
    

    Hi Kev,

    I'm not sure why you would see different behavior between IE 5 and 6. You
    might want to post this question in the IE Client newsgroup for input
    there.

    Jim Cheshire, MCSE, MCSD [MSFT]
    ASP.NET
    Developer Support
    jamesche@online.microsoft.com

    This post is provided "AS-IS" with no warranties and confers no rights.

    --------------------
    >From: mrkwatkins@hotmail.com (Kevin Watkins)
    >Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    >Subject: Re: Possible IE 6 Bug - Differences Between Windows Explorer And
    IE
    >Date: 19 Apr 2004 02:00:14 -0700
    >Organization: http://groups.google.com
    >Lines: 41
    >Message-ID: <2ec204be.0404190100.65d29f1d@posting.google.com>
    >References: <2ec204be.0404160943.7858f2ca@posting.google.com>
    <aFIb0t#IEHA.2112@cpmsftngxa10.phx.gbl>
    >NNTP-Posting-Host: 81.133.246.107
    >Content-Type: text/plain; charset=ISO-8859-1
    >Content-Transfer-Encoding: 8bit
    >X-Trace: posting.google.com 1082365215 17082 127.0.0.1 (19 Apr 2004
    09:00:15 GMT)
    >X-Complaints-To: groups-abuse@google.com
    >NNTP-Posting-Date: Mon, 19 Apr 2004 09:00:15 +0000 (UTC)
    >Path:
    cpmsftngxa10.phx.gbl!TK2MSFTNGXA05.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.s
    ul.t-online.de!t-online.de!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!p
    ostnews1.google.com!not-for-mail
    >Xref: cpmsftngxa10.phx.gbl
    microsoft.public.dotnet.framework.aspnet.security:9669
    >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    >
    >> Hi Kevin,
    >>
    >> This is not a bug in any version of the browser. This is by-design.
    One
    >> process cannot access the memory for another process. As you have seen,
    >> when you browse a URL via a Windows Explorer window, it will browse that
    >> URL via the explorer.exe process. If you then open a new window, it
    will
    >> launch a new iexplore.exe process, and that iexplore.exe process cannot
    >> access the memory space for the explorer.exe process.
    >>
    >> There is a way that you can force the process to not cache credentials
    in
    >> this scenario. Open an Explorer window and click on Tools, Folder
    Options.
    >> Click the View tab and select the option to "Launch folder windows in a
    >> separate process." After you check that, restart the computer. Now
    >> credentials will no longer be cached after the Windows Explorer window
    is
    >> closed and a new one opened.
    >
    >Hi,
    >
    >Thanks for your reply. I have just tested this again under IE5.5 and I
    >get different behaviour. The 'Launch folder windows in a separate
    >process' isn't ticked, yet the credentials do not get cached when I
    >shut the Windows Explorer window with my site in.
    >
    >I can understand this being by design, but may I ask what the
    >rationale is? The design appears to have changed from 5.5 to 6
    >according to my simple tests, and surely not launching an iexplore.exe
    >process from Windows Explorer makes everything less secure? (In that
    >another user could gain access to the PC and gain login credentials,
    >whereas they couldn't if an iexplore.exe was launched) Especially
    >seeing as this box is not ticked by default.
    >
    >I'm still thinking there must be a solution to this though. I cannot
    >get all my users to tick that box, because most of them won't and
    >people may login using public computers anyway. Many other sites I use
    >on the internet don't suffer from this problem, so I'm assuming there
    >must be something I can do to my site to plug this security hole? Is
    >there anything you can think of that might help?
    >
    >Thanks,
    >
    >Kev
    >


  • Next message: Larry: "trying to post to aspx anonyomously is blocked?"