Hotmail imposes tracking cookies for logout

Hotmail users are now unable to log out of their account if the browser they are using does not accept third party cookies. The move by Microsoft raises security concerns, particularly as PCs on corporate networks and in cybercafes and libraries are often set to reject cookies. The error screen* that greets users who try to log …

COMMENTS

This topic is closed for new posts.
Gates Horns

Just close it

Sorry if I am being stupid (I do not have a Hotmail Account) but surely you can just shut the browser.

Unless of course they are also not timing you out so you can never log back in again :-)

0
0
Paris Hilton

Close windows?

Surely if you're blocking cookies, you can break the session just by closing the browser window?

It's a bit misleading saying it 'won't log you out', more that it won't keep any record of you logging out, or in for that matter.

0
0

passport.com

sets the cookie when you log out. presumably that's because when you log out of hotmail/live.com you also want to be logged out of msn.com etc.

microsoft live id/passport snafu it seems?

0
0
Anonymous Coward

Nice to see that MS is unifying its UI across all platforms

particularly the bit that says "Users like guessing games, so don't make it too obvious what actual effect clicking a button might have. See also: Abort, Retry, Fail?"

0
0
Big Brother

Useless...

Figured that's what they were doing, I had a look at my massive list of blocked cookies and tried a few MSN related ones to see if that fixed it, but it didn't so gave up.

Don't use hotmail that much now anyway, but as previous poster stated, close the browser and all is good.

0
0
FAIL

Hacked?

I saw this on my Hotmail account the other day. The typo made me think that my account had been hacked in some way. On one hand I'm glad it hasn't. On the other, it's the final nail in the coffin of Hotmail for me.

0
0
Pint

"Done"

Love the "Done" button. Done what? Done thinking about what has gone wrong, given up and gone home?

0
0

duh

close tab?

And lock safari cookie file to read only

0
0
Megaphone

@close the window etc

Great to see such well informed people here... I'll be sniffing out your abandoned sessions then!

Perhaps MS have people like the commenters on here doing their security for them...

0
0
Anonymous Coward

Re: Closing browsers

If you quit the browsers then how can the web server know that you have quit? Answer: it doesn't. So anyone can subsequently access your hotmail account from any PC without even having to log in. As far as hotmail is concerned you're still logged in and further authentication is not required to access, read or send mail.

Think about it folks.

0
0
WTF?

Saw this yesterday

I saw this problem yesterday.

I would like to know how to control which sites are allowed to automatically get my login from passport. ( I was logged in with passport to a site to which I do not log and do not want to be logged in)

0
0
Jobs Horns

Hotmail chagged my browser!

That is all.

0
0
Silver badge
WTF?

MS seem to like typos

Whenever I plug my keyboard into the only MS box I have left it tells me it's installing a USB Keykoard.

Sloppy.

0
0
Paris Hilton

Got Sandbox?

Can't comment on IE or FF pr0n-Mode, but SandboxIE (http://www.sandboxie.com/) takes care of all those lingering cookie problems.

Even Paris knows the 'box rules!

0
0
FAIL

Missing the point.???

Aren't most of you missing the point here?

Oh why oh why should you need to accept a cookie to logout?

Another good reason to give MS a wide berth, still as a Gamer I still live on the desktop darkside, fortunately I cannot say the same for my Lappy!

0
0
Headmaster

Typo

"...you must enable third party cookies by chaging your browser settings"

Oh yes I see the typo now...

In "chaging" the "s" has been changed to a "c" and the second "g" has been omitted.

I blame phonetic spelling.

0
0
FAIL

advice from Microsoft

Maybe Microsoft should read its own downloadable white paper [1] which clearly states: "Working from a public browser may pose a serious security risk if users fail to logout. It is essential for an SSL VPN to provide time outs that terminate the remote access session due to inactivity, and/or force re-authentication after a pre-defined time period thus minimizing the window of opportunity for hijacking or taking over an abandoned session."

Then maybe they can explain why they have implemented a business practice which violates their own "best practices" for minimizing security risks.

[1] http://download.microsoft.com/download/F/0/2/F0229C11-B47E-4002-A444-60207C6E11F5/SSL%20VPN%20for%20SharePoint-WP-200702.doc

0
0
FAIL

Re: Re: Closing browsers

You still have to steal the session cookie for that. While the number of ways to do that has decreased lately, it is still possible.

0
0
FAIL

Microsoft? Tossers.

I just enabled third party cookies in order to completely and finally log-out of my (unimportant) hotmail account for the last time. Ever. I then returned my setting to block third party cookies and cleared my cookie cache.

What a stupid business model: offer something free then make it so unappealing to customers with even a small degree of technical understanding that they ditch it in droves. No wonder so many people hate them.

0
0
Paris Hilton

So wait...

People still use hotmail?

0
0

@Andy Moore 1 et al. & RotaCyclic

Closing the browser window does NOT log you out ... it just closes the browser window. As RotaCyclic noted (although some correction is required), the website's database doesn't know you have logged out until IT processes that data ... which Hotmail apparently will not do until you accept third-party cookies.

RotaCyclic, other people cannot get to your Hotmail session unless they are on the same computer you were using. The "logged in" cookie or session identifier only relates to that single system ... not every other computer on Earth.

This is not much of a problem for people who know their way around their web browser. All you need to do is accept the third party cookie, finish the logout, then delete the third party cookie. A cookie is only useful (a) if it exists and (b) if it is read after it has been installed. If a website sets a cookie, but there is nothing to read after that, then all that website knows is that they set the cookie using "x" data. The cookie and its data are useless unless they remain on the system.

0
0
Gates Horns

Previously on MSN....

In the old days, I couldn't fully sign out if I was using Safari - it would sign me out of Hotmail, but not MSN at large.

Anyway, I thought the whole point of cookie-authenticated logins was that the cookie is _deleted_ at logout, not replaced by one that says "logged out".

0
0
Flame

This is probably why

my Hotmail was hacked 2 days ago and emails containing links to malware were sent out to all of my contacts.

I know this because the numerous invalid email addresses in my contact list caused a flood of bounces into my inbox. The sent folder contains the original emails, so they were definitely sent from hotmail, not via an open SMTP gateway.

All my systems have up to date antivirus AND malware scanners which say there is no malware on my system. I've scanned them all with antivirus from a number of reputable vendors, but nothing has turned up.

0
0

@Just close it #

"Sorry if I am being stupid (I do not have a Hotmail Account) ..."

If you don’t have a Hotmail account, you can’t be all that stupid.

0
0
Silver badge
Thumb Down

Hotmail

Yes, some of us still use Hotmail. And a zillion users still have Hotmail accounts, if only because of MSN Messenger. I shifted most of my email stuff to Gmail, as MS took too much time realizing that 2Mb was a laughable size for an inbox. Even when they started giving out 250Mb inboxes, it still reeked of stupidity; they restricted it to US accounts while any John Doe could open up a Yahoo or Gmail account.

By the time Hotmail started offering 2Gb inboxes, Hotmail was forgotten. If it weren't for MSN Messenger, it would already have gone dead, just like Geocities.

Anyway, cookies to log out? Stooooopid.

0
0
Thumb Down

I see that nobody ...

... has tried clicking that Done button, have you?

This is a stupid bug, not maliciousness.

0
0
Silver badge

Private browsing[1] in Firefox still works.

If you absolutely have to use Hotmail or anything else connected to MS's online offerings for something (why? Seriously, I'm curious ...), see Subj: line ... Login to Hotmail in a "private" session, do your business, log out, then go back to whatever you were doing with no trace left on your computer. Open another instance of Firefox for private browsing if you need to copy & paste between Hotmail and another web page.

[1] Look under "tools" on the menubar, if you're unaware of the option ... Follow your nose, it's pretty much self-documenting.

0
0
Silver badge

well, there you are then

I created a hatemail login to reserve my name in -- ooh, 1999? -- and decided it was horrid. Then it became spam central, theft central, and they started changing it every 15 minutes.

I have been paying for webmail from mail.com since 1997, and it just works. No spam, no security problems, reasonably straightforward technical support.

Don't freeload off Redmond, lads and lasses. They don't know what they are doing.

0
0
Grenade

Tracking Cookies

Wouldn't it be nice if we could reply to the global superpower personally by saying f*** off.

0
0

Double-minded corporations

Large corporations always have conflicts of interests.

Microsoft's here is the conflict between being an OS provider and trying to provide security and opportunities to disable 3rd party cookies, etc;

and being a service provider and media company (with bing too) where they want to take advantage of rot like 3rd party cookies.

I'm sure that hotmail doesn't suddenly need 3rd party cookies to know you've logged out, but I'm sure part of Microsoft suddenly has a need for Windows users to start accepting 3rd party cookies, and the hotmail department is being used to "make it so".

Sam

0
0
Megaphone

Why we write cookies to multiple domains

Hi Chris,

I’m the product manager for Windows Live ID. Thanks for calling this out, and I wanted to take this opportunity to outline the reason you are getting this experience. The comments above cover most of this, but here is the official word on why we write our cookies to multiple domains to:

- Give users a good experience with single sign-on, so they can be authenticated to multiple sites (e.g. MSN, Xbox Live, Windows Live, Bing) at once without having to retype their password

- To help protect user security, by separating the authentication cookies that are used for different services. If a cookie in one domain is compromised, it means that user assets in another domain won’t be compromised

During sign-in, we redirect to the right domain so that the cookies can be written in first-party context. It’s only during sign-out, where we need to clear cookies from potentially many domains that we have login.live.com clearing cookies in other domains via the invisible GIF solution (more info http://msdn.microsoft.com/en-us/library/bb676640.aspx). We are actually removing cookies in this scenario, but it’s interpreted by browsers as using third party cookies.

thx

Angus Logan

http://blogs.msdn.com/angus_logan

1
0
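
The sign-out flow described in the product manager's post above, modelled as an added example (not part of the thread and not Windows Live ID code): cookies are written first-party at sign-in, but cleared from the identity provider's page via embedded images at sign-out, so a browser that blocks third-party cookies keeps them. The domain names, the session id and the server-side revocation step are assumptions; revocation goes beyond what the post describes and is included to show a sign-out that does not depend on the browser's cookie policy.

```javascript
// Toy model of multi-domain sign-out. All names and values are constructed.
const IDP = "login.example";
const SERVICES = ["mail.example", "portal.example", "games.example"];

class Browser {
  constructor(blockThirdParty) {
    this.blockThirdParty = blockThirdParty;
    this.jar = new Map(); // cookie domain -> session id
  }
  // A Set-Cookie is third-party when the responding domain differs from the
  // domain of the page shown in the address bar.
  applySetCookie(topLevel, responder, value, expired) {
    if (responder !== topLevel && this.blockThirdParty) return false; // ignored
    if (expired) this.jar.delete(responder);
    else this.jar.set(responder, value);
    return true;
  }
}

// Sign-in: a top-level redirect visits each domain, so every cookie is first-party.
function signIn(browser, sessionId) {
  for (const d of [IDP, ...SERVICES]) browser.applySetCookie(d, d, sessionId, false);
}

// Sign-out: the IdP page embeds one invisible image per service domain; each
// image response carries an already-expired Set-Cookie to clear that domain.
function signOut(browser) {
  browser.applySetCookie(IDP, IDP, "", true);
  for (const d of SERVICES) browser.applySetCookie(IDP, d, "", true);
  return [...browser.jar.keys()]; // domains whose auth cookie survived
}

// Assumed mitigation (not described in the post): services also revoke the
// session server-side, so a surviving cookie no longer authenticates.
function stillAuthenticated(browser, revokedSessions) {
  return [...browser.jar].filter(([, sid]) => !revokedSessions.has(sid)).map(([d]) => d);
}

function demo(blockThirdParty, serverRevokes) {
  const b = new Browser(blockThirdParty);
  signIn(b, "sess-1234");
  const leftover = signOut(b);
  const revoked = new Set(serverRevokes ? ["sess-1234"] : []);
  return { leftover, usable: stillAuthenticated(b, revoked) };
}

console.log(demo(false, false), demo(true, false), demo(true, true));
```

With third-party cookies blocked and no server-side revocation, the three service cookies remain in the jar and still authenticate on that machine; with revocation, they remain but are rejected.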