Cookie Issue. Redirecting from trusted site to non trusted - IE 8 protected mode stays off

Question

Does IE8 have a problem determining what protected mode state the resulant site should be in when following redirects?

We are seeing this situation when using IE8 on windows 7 in an enterprise environment.

Note:

Server A is a secure site and is listed in the users trusted sites list.

Server B is also a secure site but is not listed in the users trusted site list.

At the end of each step I have indicated whether IE is in protected mode(PM).

1. The user loads a form on Server A and submits it. PM is Off
2. Server A processes the submission and returns a redirect to Server B. PM is Off
3. Server B then redirects to an alternate url on its own domain and sets a cookie delivering a page to the user. PM is Off
4. User clicks a link to continue transaction and Server B attempts to read the cookie. PM turns ON
5. IE8 does not send the cookie to Server B because it was set in a different protected mode.

From what I can understand, transactions commencing with Server B should immediately put the browser into Protected Mode. However, it appears that IE8 is not correctly identifying the initial mode for Server B - perhaps because of the redirects?

Looking at the cookies in IE8's developer tools I noticed they are registered against .COM.AU rather than the more specific complete domain for Server B.

I don't have permission to install Fiddler on the machine so I have used firefox to determine what transactions took place.

Matt

Answer 1

Caveat: It's not always safe to assume that Firefox is going to behave the same way as IE does.

PM doesn't "turn on" and "turn off"-- a new tab process is started if you cross integrity levels. In IE8, that tab process will replace the current tab, but in IE7 it opened a whole new window.

Does your problem go away if both sites are put in the trusted zone, or if Protected Mode is turned off for the Internet zone?

How is the first browser instance (to page A) launched?