Re: OWA does not logout for IE 6.0 - Security Issue



Hi,

Configure the /exchange directory to use basic authentication and it will
always ask for authentication.

Leif

<google@xxxxxxxxxxx> wrote in message
news:1157306718.770955.271920@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I have read the posts about the problems with OWA and the login prompt
that appears when you try to log-out. That is not my problem here.

I have just installed Server 2003 w/ Exchange and I am using IE 6.0 on
a Windows XP box.

Everything has the latest service packs and upgrades.

I want to test the new Exchange accounts that I set up, so I go to:

http://mydomain.com/Exchange

Because I had previously logged in under my own login account, I am
automatically logged in under that login name and password. This is
very convenient.

But now I need to log in as a different user, so I click the Logout
link, and I get a page that says to exit all of the browsers and click
close. Which is what I do.

When I again open the browser and enter the OWA URL, it takes me back
into my Exchange account, already logged in. I cannot get logged out,
so I cannot log back in as a different user.

My workaround, for my testing purposes, was to install Firefox and it
logs me out OK.

My big concern is that my users will try to use OWA from a public
terminal or worse yet, from a borrowed machine at a customer site, and
will leave behind a pre-logged in Exchange account. Even though they
click the logout link.

I have searched the postings, and I do not see anything. I suppose
that the fix for the "login prompt on logout" may have introduced this
problem, and somehow MS QA missed that the logout did not actually log
the user out.

I am new to the MS server world, so maybe my mistake is obvious to
some. But it appears that a significant security issue is present that
is not obvious (users who normally log out at a public terminal do not
try to log back in, so would not see it).

Please, if you have a similar setup, test this and see if you are
affected too. Then perhaps we file a bug report and get MS to fix
ASAP.

Thanks!
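
Added example, not part of either post in this thread: one way to confirm what the /exchange directory offers after the change suggested in the reply is to read the `WWW-Authenticate` headers of an unauthenticated request. The two responses below are constructed samples, and the function names are hypothetical; Negotiate and NTLM are the schemes behind Integrated Windows Authentication, which a browser can answer with the Windows logon credentials without prompting.

```python
from urllib.parse import urlsplit

INTEGRATED = {"negotiate", "ntlm"}  # schemes behind Integrated Windows Authentication

# Constructed sample responses (not captured from a real server).
BEFORE = ("HTTP/1.1 401 Unauthorized\r\n"
          "Server: Microsoft-IIS/6.0\r\n"
          "WWW-Authenticate: Negotiate\r\n"
          "WWW-Authenticate: NTLM\r\n"
          'WWW-Authenticate: Basic realm="mydomain.com"\r\n'
          "Content-Length: 0\r\n\r\n")
AFTER = ("HTTP/1.1 401 Unauthorized\r\n"
         "Server: Microsoft-IIS/6.0\r\n"
         'WWW-Authenticate: Basic realm="mydomain.com"\r\n'
         "Content-Length: 0\r\n\r\n")

def offered_schemes(raw):
    """Lower-cased scheme of each WWW-Authenticate header, in order.
    Assumes one scheme per header line, which is how IIS sends them."""
    head = raw.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return schemes

def audit(url, raw):
    """Return a list of findings for an unauthenticated request to url."""
    status = raw.split(" ", 2)[1]
    if status != "401":
        return [f"status {status}: no authentication challenge at all"]
    findings = []
    schemes = offered_schemes(raw)
    silent = [s for s in schemes if s in INTEGRATED]
    if silent:
        findings.append("integrated auth offered (" + ", ".join(silent) +
                        "): browser may sign in without a prompt")
    if "basic" in schemes and urlsplit(url).scheme != "https":
        findings.append("basic over http: password crosses the network unencrypted")
    return findings

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, offered_schemes(raw), audit("http://mydomain.com/Exchange", raw))
```

The second finding is why a Basic-only directory is normally published over HTTPS rather than the plain `http://` URL used in the post.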


