ClearAuthenticationCache - protection from 3rd party callers


We have a J2EE application (supported on IE only) that uses JSESSIONID to manage session state between client and server. Some of our customers use a third-party web application (in our case, https://mdoffice.sentara.com/) in which the client JavaScript onload method calls:

 document.execCommand("ClearAuthenticationCache");

This smashes our JSESSIONID cookie in the browser and hence causes the app server to see subsequent requests from our IE client window as an invalid or timed-out session, and the user gets kicked out. This isn't spelled out explicitly in the doc for this command, but it is fairly well published that this is the expected behavior (e.g., http://blogs.msdn.com/b/ieinternals/archive/2010/04/05/understanding-browser-session-lifetime.aspx). For example, it also breaks a session with my online banking if I hit that sentara link above.

Most discussion around this command is about how to duplicate its behavior in other browsers or versions of IE. We'd like to protect against it.

We verified that our session cookies have domain scoping, but the above command doesn't seem to honor that. We have a lame work-around by which we launch IE with a -noframemerging argument. That's ugly, and it also ends up messing with our logic that tries to limit the client to a single login.

So here are my questions:

  1. Is there a way to protect our precious session cookies from ClearAuthenticationCache?
  2. Is there a less aggressive alternative to ClearAuthenticationCache that we might tell our customers to communicate to the 3rd party? (Of course, they'd have to do this with any 3rd party that causes this problem. Currently there's just the one.) I think the answer to this is no. See: http://social.msdn.microsoft.com/Forums/en-US/3df1d008-c4ab-4188-b9f7-4adec0bd6142/ie-910-programmatically-clear-ssl-state?forum=iewebdevelopment, which says, "...ClearAuthenticationCache is the only script-accessible mechanism to clear the browser's session state..."
  3. And just for my curiosity, why is such a heavy-handed API call even supported? E.g., why doesn't it allow restricting by domain, regex, or other criteria?

Thanks for any help!
- k
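
As an added illustration (not code from the original post or from the application it describes), a servlet filter for the J2EE side that separates the symptom ClearAuthenticationCache produces, a request arriving with no JSESSIONID at all, from an ordinary server-side timeout, where the browser still sends an id the server no longer recognises. The /login path, the reason query parameter and the container default cookie name JSESSIONID are assumptions.

```java
// Added example, not from the original post. Classifies why a request
// reached a protected URL without a live session and records the reason,
// so "cookie wiped in the browser" can be told apart from "session expired".
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class SessionLossDiagnosticFilter implements Filter {

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;

        // Assumed: /login is the only unprotected path. A live session passes through.
        if (http.getRequestURI().endsWith("/login") || http.getSession(false) != null) {
            chain.doFilter(req, res);
            return;
        }

        String reason = classify(http.getRequestedSessionId(), http.isRequestedSessionIdValid());
        // Log only the reason and the client, never the session id itself.
        http.getServletContext().log("session lost: reason=" + reason
                + " client=" + http.getRemoteAddr());
        out.sendRedirect(http.getContextPath() + "/login?reason=" + reason);
    }

    /** Short reason code for logs and the login redirect (assumed parameter name). */
    static String classify(String requestedId, boolean valid) {
        if (requestedId == null) {
            // No JSESSIONID was sent at all: the cookie is gone from the browser,
            // which is what ClearAuthenticationCache causes. A first-ever visit to a
            // protected URL looks the same, so the login page treats both alike.
            return "cookie-missing";
        }
        if (!valid) {
            // The browser still presents an id, but the server has no session for it:
            // timed out or invalidated server-side, not wiped by the client.
            return "expired";
        }
        return "ok";
    }
}
```

Counting "cookie-missing" versus "expired" in the container log gives a quick way to confirm whether the kick-outs users report line up with visits to the third-party page rather than with the configured session timeout.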

