back to article Hotmail imposes tracking cookies for logout

Hotmail users are now unable to log out of their account if the browser they are using does not accept third party cookies. The move by Microsoft raises security concerns, particularly as PCs on corporate networks and in cybercafes and libraries are often set to reject cookies. The error screen* that greets users who try to …

COMMENTS

This topic is closed for new posts.
  1. Andy Moore 1
    Gates Horns

    Just close it

    Sorry if I am being stupid (I do not have a Hotmail Account) but surely you can just shut the browser.

    Unless of course they are also not timing you out so you can never log back in again :-)

  2. Ian Ferguson
    Paris Hilton

    Close windows?

    Surely if you're blocking cookies, you can break the session just by closing the browser window?

    It's a bit misleading saying it 'won't log you out', more that it won't keep any record of you logging out, or in for that matter.

  3. Florence

    passport.com

    sets the cookie when you log out. presumably that's because when you log out of hotmail/live.com you also want to be logged out of msn.com etc.

    microsoft live id/passport snafu it seems?

  4. Anonymous Coward
    Anonymous Coward

    Nice to see that MS is unifying its UI across all platforms

    particularly the bit that says "Users like guessing games, so don't make it too obvious what actual effect clicking a button might have. See also: Abort, Retry, Fail?"

  5. Anonymous Coward
    Big Brother

    Useless...

    Figured that's what they were doing, I had a look at my massive list of blocked cookies and tried a few MSN related ones to see if that fixed it, but it didn't so gave up.

    Don't use hotmail that much now anyway, but as previous poster stated, close the browser and all is good.

  6. spr97ajm
    FAIL

    Hacked?

    I saw this on my Hotmail account the other day. The typo made me think that my account had been hacked in some way. On one hand I'm glad it hasn't. On the other, it's the final nail in the coffin of Hotmail for me.

  7. Anonymous Coward
    Pint

    "Done"

    Love the "Done" button. Done what? Done thinking about what has gone wrong, given up and gone home?

  8. Anonymous Coward
    Anonymous Coward

    duh

    close tab?

    And lock safari cookie file to read only

  9. Anonymous Coward
    Megaphone

    @close the window etc

    Great to see such well informed people here... i'll be sniffing out your abandoned sessions then!

    Perhaps MS have people like the commenters on here doing their security for them...

  10. Anonymous Coward
    Anonymous Coward

    Re: Closing browsers

    If you quit the browsers then how can the web server know that you have quit? Answer: it doesn't. So anyone can subsequently access your hotmail account from any PC without even having to log in. As far as hotmail is concerned you're still logged in and further authentication is not equired to access to read or send mail.

    Think about it folks.

  11. Anonymous Coward
    WTF?

    Saw this yesterday

    I saw this problem yesterday.

    I would like to know how to control which sites are allowed to automatically get my login from passport. ( I was logged in with passport to a site to which I do not log and do not want to be logged in)

  12. Neil Woolford
    Jobs Horns

    Hotmail chagged my browser!

    That is all.

  13. Graham Dawson Silver badge
    WTF?

    MS seem to like typos

    Whenever I plug my keyboard into the only MS box I have left it tells me it's installing a USB Keykoard.

    Sloppy.

  14. tuna 1
    Paris Hilton

    Got Sandbox?

    Can't comment on IE or FF pr0n-Mode, but <a href="http://www.sandboxie.com/">SandboxIE</a> takes care of all those lingering cookie problems.

    Even Paris knows the 'box rules!

  15. Stuart 17
    FAIL

    Missing the point.???

    Aren't most of you missing the point here?

    Oh why oh why should you need to accept a cookie to logout?

    Another good reason to give MS a wide berth, still as a Gamer I still live on the desktop darkside, fortunately I cannot say the same for my Lappy!

  16. Mark Monaghan
    Headmaster

    Typo

    "...you must enable third party cookies by chaging your browser settings"

    Oh yes I see the typo now...

    In "chaging" the "s" has been changed to a "c" and the second "g" has been omitted.

    I blame phonetic spelling.

  17. Reallydo Wannaknow
    FAIL

    advice from Microsoft

    Maybe Microsoft should read its own downloadable white paper [1] which clearly states: "Working from a public browser may pose a serious security risk if users fail to logout. It is essential for an SSL VPN to provide time outs that terminate the remote access session due to inactivity, and/or force re-authentication after a pre-defined time period thus minimizing the window of opportunity for hijacking or taking over an abandoned session."

    Then maybe they can explain why they have implemented a business practice which violates their own "best practices" for minimizing security risks.

    [1] http://download.microsoft.com/download/F/0/2/F0229C11-B47E-4002-A444-60207C6E11F5/SSL%20VPN%20for%20SharePoint-WP-200702.doc

  18. Anton Ivanov
    FAIL

    Re: Re: Closing browsers

    You still have to steal the session cookie for that. While the number of ways to do that has decreased lately, it is still possible.

  19. Anonymous Coward
    FAIL

    Microsoft? Tossers.

    I just enabled third party cookies in order to completely and finally log-out of my (unimportant) hotmail account for the last time. Ever. I then returned my setting to block third party cookies and cleared my cookie cache.

    What a stupid business model: offer something free then make it so unappealing to customers with even a small degree of technical understanding that they ditch it in droves. No wonder so many people hate them.

  20. Blain Hamon
    Paris Hilton

    So wait...

    People still use hotmail?

  21. James Butler

    @Andy Moore 1 et al. & RotaCyclic

    Closing the browser window does NOT log you out ... it just closes the browser window. As RotaCyclic noted (although some correction is required), the website's database doesn't know you have logged out until IT processes that data ... which Hotmail apparently will not do until you accept third-party cookies.

    RotaCyclic, other people cannot get to your Hotmail session unless they are on the same computer you were using. The "logged in" cookie or session identifier only relates to that single system ... not every other computer on Earth.

    This is not much of a problem for people who know their way around their web browser. All you need to do is accept the third party cookie, finish the logout, then delete the third party cookie. A cookie is only useful (a) if it exists and (b) if it is read after it has been installed. If a website sets a cookie, but there is nothing to read after that, then all that website knows is that they set the cookie using "x" data. The cookie and its data is useless unless it remains on the system.

  22. Anonymous Coward
    Gates Horns

    Previously on MSN....

    In the old days, I couldn't fully sign out if I was using Safari - it would sign me out of Hotmail, but not MSN at large.

    Anyway, I thought the whole point of cookie-authenticated logins was that the cookie is _deleted_ at logout, not replaced by one that says "logged out".

  23. Anonymous Coward
    Flame

    This is probably why

    my Hotmail was hacked 2 days ago and emails containing links to malware were sent out to all of my contacts.

    I know this because the numerous invalid email addresses in my contact list caused a flood of bounces into my inbox. The sent folder contains the original emails, so they were definitely sent from hotmail, not via an open SMTP gateway.

    All my systems have up to date antivirus AND malware scanners which say there is no malware on my system. I've scanned them all with antivirus from a number of reputable vendors, but nothing has turned up.

  24. Mark Simon

    @Just close it #

    "Sorry if I am being stupid (I do not have a Hotmail Account) ..."

    If you don’t have a Hotmail account, you can’t be all that stupid.

  25. Daniel B.
    Thumb Down

    Hotmail

    Yes, some of us still use Hotmail. And a zillion users still have Hotmail accounts, if only because of MSN Messenger. I shifted most of my email stuff to Gmail, as MS took too much time realizing that 2Mb was a laughable size for an inbox. Even when they started giving out 250Mb inboxes, it still reeked of stupidity; they restricted it to US accounts while any John Doe could open up a Yahoo or Gmail account.

    By the time Hotmail started offering 2Gb inboxes, Hotmail was forgotten. If it weren't for MSN Messenger, it would already have gone dead, just like Geocities.

    Anyway, cookies to log out? Stooooopid.

  26. John L
    Thumb Down

    I see that nobody ...

    ... has tried clicking that Done button, have you?

    This is a stupid bug, not maliciousness.

  27. jake Silver badge

    Private browsing[1] in Firefox still works.

    If you absolutely have to use Hotmail or anything else connected to MS's online offerings for something (why? Seriously, I'm curious ...), see Subj: line ... Login to Hotmail in a "private" session, do your business, log out, then go back to whatever you were doing with no trace left on your computer. Open another instance of Firefox for private browsing if you need to copy & paste between Hotmail and another web page.

    [1] Look under "tools" on the menubar, if you're unaware of the option ... Follow your nose, it's pretty much self-documenting.

  28. Robert E A Harvey

    well, there you are then

    I created a hatemail login to reserve my name in -- ooh, 1999? -- and decided it was horrid. Then it became spam central, theft central, and they started changing it every 15 minutes.

    I have been paying for webmail from mail.com since 1997, and it just works. No spam, no security problems, reasonably straightforward technical support.

    Don't freeload off Redmond, lads and lasses. They don;t know what they are doing.

  29. Anonymous Coward
    Grenade

    Tracking Cookies

    Wouldn't it be nice if we could reply to the global superpower personally by saying f*** off.

  30. Sam Liddicott

    Double-minded corporations

    Large corporations always have conflicts of interests.

    Microsofts here is the conflict between being an OS provider and trying to provide security and opportunities to disable 3rd party cookies, etc;

    and being a service provider and media company (with bing too) where they want to take advantages or rot like 3rd party cookies.

    I'm sure that hotmail doesn't suddenly need 3rd party cookies to know you've logged out, but I'm sure part of Microsoft suddenly has a need for Windows users to start accepting 3rd party cookies, and the hotmail department is being used to "make it so".

    Sam

  31. anguslogan3
    Megaphone

    Why we write cookies to multiple domains

    Hi Chris,

    I’m the product manager for Windows Live ID. Thanks for calling this out, and I wanted to take this opportunity to outline the reason you are getting this experience. The comments above cover most of this, but here is the official word on why we write our cookies to multiple domains to:

    - Give users a good experience with single sign-on, so they can be authenticated to multiple sites (e.g. MSN, Xbox Live, Windows Live, Bing) at once without having to retype their password

    - To help protect user security, by separating the authentication cookies that are used for different services. If a cookie in one domain is compromised, it means that user assets in another domain won’t be compromised

    During sign-in, we redirect to the right domain so that the cookies can be written in first-party context. It’s only during sign-out, where we need to clear cookies from potentially many domains that we have login.live.com clearing cookies in other domains via the invisible GIF solution (more info http://msdn.microsoft.com/en-us/library/bb676640.aspx). We are actually removing cookies in this scenario, but it’s interpreted by browsers as using third party cookies.

    thx

    Angus Logan

    http://blogs.msdn.com/angus_logan

This topic is closed for new posts.

Other stories you might like