I have little experience with Windows 8 and our organization does not yet support it but some end users have it.

Users running Windows 8.1 and IE 11 have presumably created a live tile referencing our secure application.  We are seeing user requests to <server>/browserconfig.xml with no authentication cookies while the user is currently authenticated in IE.  Windows appears to not send existing authentication session cookies in the request but is processing response cookies.  This is causing the user to become unauthenticated.  One user claims to have removed the tile from their desktop but we are still seeing requests to browserconfig.xml from that user.  When that user ran IE developer tools and logged network traffic, we see the transition from authenticated to unauthenticated once our authentication cookie value changed.  IE did not log the request that changed the cookie.  IE did not log the request to browserconfig.xml at all, presumably because it was in a different thread.  Our server did log this additional request.  The request to browserconfig.xml consistently occurs between the change from authenticated to unauthenticated.

Questions:

1.  Is the request to browserconfig.xml expected to include cookies (both session and not) in the request?  If not, why does Windows appear to process response cookies?

2.  The user claimed to have removed the tile.  If this is true, is there a difference between hiding and deleting tiles?  We are still seeing requests to browserconfig after the user claimed to have removed it.  Unfortunately, I cannot confirm the user claim.

• Edited by James.O Thursday, July 02, 2015 7:20 PM