You are currently offline, waiting for your internet to reconnect

Your browser is out-of-date

You need to update your browser to use the site.

Update to the latest version of Internet Explorer

How to Prevent Persistent Login in Outlook Mail when User does not Log Out Properly

SYMPTOMS
When a user doesn't 1) log out from outlook mail or 2) close the browser window then the next user in the same machine who re-uses the same browser session is able to access the first user’s mail. This will occur even if the first user closes out the browser tab.
CAUSE
Windows LIVE ID session needs to be logged out properly or the browser window with the user’s credentials needs to be closed. Failure to execute at least one of these actions will cause another user to reuse the browser window and gain access to the first user’s email.
RESOLUTION
The proper way to sign out from Outlook Live is to perform a logout on the service. To be thorough the user should close the browser window altogether to remove any remaining cookies with the user’s credentials.

WORKAROUND
A partner creating a custom mail client can also force a windows live logout of the previous user(user1) before another user (user2) logs in into the same browser session. This can be accomplished as follows:
  1. https://<Site Domain Name>/Log_Out.aspx is called to perform logout actions on the backend
  2. https://<Site Domain Name>/Log_Out.aspx can be enhanced to perform a WLID logout by using:
    https://login.live.com/logout.srf?id=&lru=
  3. WLID processes the logout for user1 and then sends the browser back to https://<Site Domain Name>
Note:
  • The lru value must contain a redirection page that is inside the specified “DNS name” for the site
  • DNS Name” value is specified in Microsoft Service Manager (MSM)
  • If the above logout code is implemented in a hidden HTML iframe element, caution should be taken to ensure logout failure is handled appropriately
  • The logout process may fail in the following scenarios:
    • If the logout code is not implemented correctly
    • Third party cookies are disabled on the browser

MORE INFORMATION
Since user1 doesn't log out properly and doesn’t close the browser window, the session cookies still persist in the browser window allowing user2 to logon to user1’s mail in the same browser session.

Repro Steps:
  1. Run Internet browser
  2. Open two browser tabs
  3. Go to the first browser tab
  4. Go to http://outlook.live.com and log in to your mail
  5. Close the browser tab (without performing a logout)
  6. Using the same browser session, select the second tab
  7. Go to http://outlook.live.com
  8. User1's mail is now accessible
Properties

Article ID: 2454326 - Last Review: 10/27/2010 21:09:00 - Revision: 1.0

  • Live.com
  • Microsoft Office Outlook Live
  • Windows Live@edu
  • kbsurveynew kbhowto kbexpertisebeginner KB2454326
Feedback