How to Prevent Persistent Login in Outlook Mail when User does not Log Out Properly

Article ID: 2454326

SYMPTOMS

When a user neither 1) logs out of Outlook mail nor 2) closes the browser window, the next user on the same machine who reuses the same browser session can access the first user’s mail. This occurs even if the first user closes the browser tab.

CAUSE

The Windows Live ID session must be logged out properly, or the browser window holding the user’s credentials must be closed. If neither action is taken, another user can reuse the browser window and gain access to the first user’s email.

RESOLUTION

The proper way to sign out of Outlook Live is to perform a logout on the service. To be thorough, the user should also close the browser window altogether to remove any remaining cookies that hold the user’s credentials.

WORKAROUND

A partner creating a custom mail client can also force a Windows Live logout of the previous user (user1) before another user (user2) logs in to the same browser session. This can be accomplished as follows:
  1. https://<Site Domain Name>/Log_Out.aspx is called to perform logout actions on the backend
  2. https://<Site Domain Name>/Log_Out.aspx can be enhanced to perform a WLID logout by using:
    https://login.live.com/logout.srf?id=<site id>&lru=<URL-encoded Site Domain Name>
  3. WLID processes the logout for user1 and then sends the browser back to https://<Site Domain Name>
Note:
  • The lru value must contain a redirection page that is inside the specified “DNS Name” for the site
  • The “DNS Name” value is specified in Microsoft Service Manager (MSM)
  • If the above logout code is implemented in a hidden HTML iframe element, caution should be taken to ensure logout failure is handled appropriately
  • The logout process may fail in the following scenarios:
    • If the logout code is not implemented correctly
    • Third party cookies are disabled on the browser
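
One way to build the step 2 redirect while enforcing the lru note, as an added example that is not part of the original article. The function names, the sample site id and `mail.example.edu` are assumptions, as is reading "inside the DNS name" as an exact host match or a subdomain reached over HTTPS.

```javascript
// Added example (not Microsoft's code). The site id and DNS name are
// placeholders for the values registered in Microsoft Service Manager (MSM).
const WLID_LOGOUT = 'https://login.live.com/logout.srf';

// True when host equals the registered DNS name or is a subdomain of it.
// A plain suffix test is not enough: "mail.example.edu.evil.test" must fail.
function hostInsideDnsName(host, dnsName) {
  const h = host.toLowerCase().replace(/\.$/, '');
  const d = dnsName.toLowerCase().replace(/\.$/, '');
  return h === d || h.endsWith('.' + d);
}

// Returns the WLID logout URL with a URL-encoded lru, or throws when the
// return page would take the browser outside the registered site.
function buildWlidLogoutUrl(siteId, siteDnsName, returnUrl) {
  let target;
  try {
    target = new URL(returnUrl); // rejects relative and malformed values
  } catch (e) {
    throw new Error('lru must be an absolute URL');
  }
  if (target.protocol !== 'https:') {
    throw new Error('lru must use https'); // assumption: site is HTTPS only
  }
  if (target.username || target.password) {
    // "https://mail.example.edu@other.test/" parses with host other.test
    throw new Error('lru must not carry userinfo');
  }
  if (!hostInsideDnsName(target.hostname, siteDnsName)) {
    throw new Error('lru host is outside the registered DNS name');
  }
  // URLSearchParams percent-encodes ":" and "/" in the lru value.
  const query = new URLSearchParams({ id: String(siteId), lru: target.href });
  return WLID_LOGOUT + '?' + query.toString();
}

// Constructed sample values, not taken from the article.
const sample = buildWlidLogoutUrl(
  '12345', 'mail.example.edu', 'https://mail.example.edu/Default.aspx');
console.log(sample);
```

Log_Out.aspx would clear its own backend session first (step 1) and only then redirect the browser to the returned URL.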

MORE INFORMATION

Because user1 doesn't log out properly and doesn’t close the browser window, the session cookies persist in the browser window, allowing user2 to log on to user1’s mail in the same browser session.

Repro Steps:
  1. Run Internet browser
  2. Open two browser tabs
  3. Go to the first browser tab
  4. Go to http://outlook.live.com and log in to your mail
  5. Close the browser tab (without performing a logout)
  6. Using the same browser session, select the second tab
  7. Go to http://outlook.live.com
  8. User1's mail is now accessible

Properties

Article ID: 2454326 - Last Review: October 27, 2010 - Revision: 1.0
APPLIES TO
  • Live.com
  • Microsoft Office Outlook Live
  • Windows Live@edu