You Must Close the Browser to Log Off OWA

Summary

When you use Outlook Web Access (OWA) in Microsoft Exchange 2000 Server, the client computer is not logged off until the browser is closed. All the browser windows that are related to that browser process must be closed for the credentials to be removed.

More Information

When you use a Web browser to connect to OWA, your browser displays a dialog box that prompts you for your user name, your password, and in some cases, your domain. When you type your credentials, the browser creates and sends a hash to the server that completes the authentication. The browser caches the hash in the HTTP session, which is saved in the open browser process. For any connections after that, the browser sends the cached hash to the server.

Even if the TCP/IP connection between the browser computer and the server is broken, the HTTP session can remain open. If the TCP/IP session is reestablished, and the browser process still has the HTTP session open, the browser client resends the hash it cached to the server. When this occurs, you are not prompted for credentials. This behavior is expected. If the client did not resend the hash to the server, you would have to type your credentials many times.

The only way to clear the cached hash is to quit the browser process (for example, Iexplore.exe or Netscape.exe) by closing all its windows. If you do not do so, the hash remains cached, and anyone who uses the browser can open the mailbox to which you are already authenticated. They do not have to enter a user name and password.

In Exchange 2000 Service Pack 2 (SP2), a Logoff button appears on the navigator bar on the left side of the OWA window. If you click this button, the browser is redirected to a Web page (Logoff.asp). The page explains that to secure your mailbox, all browser windows must be closed. It also has a Close button that you can use to close the current window. This page does not clear the cached credentials in the browser. It is an Active Server Pages (ASP) page (which can be modified to perform other actions).
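The behavior described above can be modeled in a few lines. This is an added example, not code from Microsoft or from OWA: the `BrowserProcess` class, the `/mailbox` and `/Logoff.asp` paths, the sample account, and the SHA-256 stand-in for the cached hash are all assumptions made for illustration. It shows that the logoff page and closing a single window both leave the cache intact, and that only closing the last window forces a new credential prompt.

```python
import hashlib

def authenticator(user, password):
    # Stand-in for the hash the browser caches; not the scheme IIS or OWA uses.
    return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()

# Constructed sample account.
VALID = {authenticator("alice", "S3cret!")}

def server(path, cached_hash=None):
    """Judges each request only by the authenticator sent with it."""
    if cached_hash not in VALID:
        return 401, "credentials required"
    if path == "/Logoff.asp":
        # As on the page: the logoff page only advises closing all windows.
        return 200, "close all browser windows to secure your mailbox"
    return 200, "inbox"

class BrowserProcess:
    """Hypothetical model: one cache shared by every window of the process."""
    def __init__(self):
        self.windows = 0
        self.cached = None          # lives as long as the process does

    def open_window(self):
        self.windows += 1

    def close_window(self):
        self.windows -= 1
        if self.windows == 0:       # process exits, cache goes with it
            self.cached = None

    def get(self, path, prompt=None):
        status, body = server(path, self.cached)
        if status == 401 and prompt:            # dialog box appears only on a challenge
            self.cached = authenticator(*prompt)
            status, body = server(path, self.cached)
            if status == 401:
                self.cached = None              # wrong credentials are not kept
        return status, body

def demo():
    b = BrowserProcess()
    b.open_window(); b.open_window()
    steps = [b.get("/mailbox", prompt=("alice", "S3cret!"))]  # owner signs in
    steps.append(b.get("/Logoff.asp"))                         # owner clicks Logoff
    b.close_window()                                           # one window closed
    steps.append(b.get("/mailbox"))                            # next user: no prompt
    b.close_window()                                           # last window closed
    steps.append(b.get("/mailbox"))                            # now challenged again
    return [status for status, _ in steps]
```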


For additional information about browser and Internet Information Services (IIS) authentication, click the article number below to view the article in the Microsoft Knowledge Base:
264921 INFO: How IIS Authenticates Browser Clients
For information about third-party products that can change this behavior, visit the following Microsoft Web site:

For additional information about the OWA timeout and why it does not affect credentials caching, click the following article number to view the article in the Microsoft Knowledge Base:

294752 XCCC: Session Time-Out Settings for Outlook Web Access on Exchange 2000 Server

Properties

Article ID: 330573 - Last Review: Jul 15, 2008 - Revision: 1
