2

I have little experience with Windows 8 and our organization does not yet support it but some end users have it.

Users running Windows 8.1 and IE 11 have presumably created a live tile referencing our secure application. We are seeing user requests to /browserconfig.xml with no authentication cookies while the user is currently authenticated in IE. Windows appears to not send existing authentication session cookies in the request but is processing response cookies. This is causing the user to become unauthenticated. One user claims to have removed the tile from their desktop but we are still seeing requests to browserconfig.xml from that user. When that user ran IE developer tools and logged network traffic, we see the transition from authenticated to unauthenticated once our authentication cookie value changed. IE did not log the request that changed the cookie. IE did not log the request to browserconfig.xml at all, presumably because it was in a different thread. Our server did log this additional request. The request to browserconfig.xml consistently occurs between the change from authenticated to unauthenticated.

Questions:

  1. Is the request to browserconfig.xml expected to include cookies (both session and not) in the request? If not, why does Windows appear to process response cookies?

  2. The user claimed to have removed the tile. If this is true, is there a difference between hiding and deleting tiles? We are still seeing requests to browserconfig after the user claimed to have removed it. Unfortunately, I cannot confirm the user claim.

James
  • 133
  • 9
  • I don't know it this helps but: This line in the `head` should avoid IE to ask for this file: `` – Vitor Canova Aug 13 '15 at 14:31
  • Thanks. I agree, but I do not know what triggers the request (defaults since we do not support it) or what user action started it in the first place (live tile/pinned site? To what endpoint?). Thus, I may need to add this to every endpoint in our application to compensate for what I think is a defect in IE. We have an open ticket to Windows "premier tech support" but have not yet resolved the problem. It appears to be related to IE spawning a new process ID when clicking a link in an email or java applet. If no new process ID, the problem does not happen. – James Aug 17 '15 at 15:38

1 Answers1

2

You cannot vote on your own post 0

I saw this exact behaviour debugging our web application. I also saw it once in a request for /favicon.ico not sending the authentication cookie (while in the middle of using the site).

In my case, the requests that didn't send an authentication cookie have user-agent header corresponding to "IE11 on 64-bit Windows 8.1 Update", and all other requests have user-agent header corresponding to "IE11 for the desktop on 64-bit Windows 8.1 Update".

My fix was in global.asax.cs Session_Start(), if requesting /browserconfig.xml or /favicon.ico, then don't set any cookies in the response.

redback
  • 21
  • 2