Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. How to Prevent Persistent Login in Outlook Mail when User does not Log Out Properly

How to Prevent Persistent Login in Outlook Mail when User does not Log Out Properly

Symptoms

When a user doesn't 1) log out from outlook mail or 2) close the browser window then the next user in the same machine who re-uses the same browser session is able to access the first user’s mail. This will occur even if the first user closes out the browser tab.

↑ Back to the top

Cause

Windows LIVE ID session needs to be logged out properly or the browser window with the user’s credentials needs to be closed. Failure to execute at least one of these actions will cause another user to reuse the browser window and gain access to the first user’s email.

↑ Back to the top

Resolution

The proper way to sign out from Outlook Live is to perform a logout on the service. To be thorough the user should close the browser window altogether to remove any remaining cookies with the user’s credentials.

A partner creating a custom mail client can also force a windows live logout of the previous user(user1) before another user (user2) logs in into the same browser session. This can be accomplished as follows:
  1. https://<Site Domain Name>/Log_Out.aspx is called to perform logout actions on the backend
  2. https://<Site Domain Name>/Log_Out.aspx can be enhanced to perform a WLID logout by using:
    https://login.live.com/logout.srf?id=&lru=
  3. WLID processes the logout for user1 and then sends the browser back to https://<Site Domain Name>
Note:
  • The lru value must contain a redirection page that is inside the specified “DNS name” for the site
  • DNS Name” value is specified in Microsoft Service Manager (MSM)
  • If the above logout code is implemented in a hidden HTML iframe element, caution should be taken to ensure logout failure is handled appropriately
  • The logout process may fail in the following scenarios:
    • If the logout code is not implemented correctly
    • Third party cookies are disabled on the browser

↑ Back to the top

More Information

Since user1 doesn't log out properly and doesn’t close the browser window, the session cookies still persist in the browser window allowing user2 to logon to user1’s mail in the same browser session.

Repro Steps:
  1. Run Internet browser
  2. Open two browser tabs
  3. Go to the first browser tab
  4. Go to http://outlook.live.com and log in to your mail
  5. Close the browser tab (without performing a logout)
  6. Using the same browser session, select the second tab
  7. Go to http://outlook.live.com
  8. User1's mail is now accessible

↑ Back to the top

Keywords: kbsurveynew, kbhowto, kbexpertisebeginner, kb

↑ Back to the top

Article Info
Article ID : 2454326
Revision : 1
Created on : 1/7/2017
Published on : 10/27/2010
Exists online : False
Views : 137