Issues Logging Off in Outlook Web Access on Firefox & Google Chrome

I have a Windows Small Business Server 2003 with Exchange 2003 (6.5) SP2, and when accessing Outlook Web Access from Internet Explorer the log off feature works fine. But when I access it from Google Chrome or Firefox, click the log off button, and then go back to the access page, it is already logged in with the same user. I assume it's just an incompatibility between Exchange and these other web browsers. But is there a patch to fix this? I don't want my users to be logged in still if they use a public computer.

Thanks!
Dan
filtrationproducts Asked:

gikkel Commented:
That doesn't seem normal...I tried to recreate from Firefox, Chrome, and Safari.  The only difference with those browsers is that when you click back, the user name remains.  The password shouldn't be saved and you definitely shouldn't be logged in.  Are you sure the account remains active?
0
filtrationproducts Author Commented:
Yes, if I log out I get the one window that tells you to click the close button and exit your browser to complete the log off. But when you click the Close button nothing happens in Firefox and Chrome. When in IE it will prompt you to close the browser. But even if I do not do that and go back to the domain.com/exchange page to log in (when in IE) it still re-prompts me for a user name and password. In Chrome and Firefox it just goes right back into the Inbox like you never logged off.

Does this make sense?
0
gikkel Commented:
I really don't think that is normal...when you press logoff, it should just log off and return to the Exchange login page.  Is your site set up to require SSL? (https://)   Is your server up to date?
0
filtrationproducts Author Commented:
The site is not set up for SSL

The server is up to date on SP's
0
filtrationproducts Author Commented:
I can connect with SSL (self-signed) but it still does the same thing. I press log off then click back or go to domain.com/exchange and it's back in the Inbox
0
Mestha Commented:
Are you seeing the forms based authentication page?
If not then you are not using cookie control, so this behaviour is to be expected.
FBA is only available through SSL and should be enabled by default.

Simon.
0

Mestha Commented:
Oh and service packs being up to date is not enough. You need to run Microsoft Update and the SBS Best Practises tool to ensure that you have all relevant updates.

Simon.
0
gikkel Commented:
OWA authentication is session based.  You must require SSL for users to be forced logged off after closing.  Since your logoff button isn't working correctly, I'm thinking our differences are because you require the logoff warning (to verify, view source when logged into OWA, see if var G_fWarnOnLogOff=true)...and that may be the Firefox/Chrome issue.
0
filtrationproducts Author Commented:
It says False. See below.
<SCRIPT language="JavaScript">
var g_iNewWindowWidth = 700;
var g_iNewWindowHeight = 500;
var g_fWarnOnLogOff=false;
function WarnOnLogOff()
{
if (g_fWarnOnLogOff)
alert("To help protect your mailbox from unauthorized access, close all browser windows when you finish using Outlook Web Access.");
}
</SCRIPT>

0
filtrationproducts Author Commented:
Mestha:
The server is up to date using automatic updates.

I am running the Exchange best practices tool and the only 3 issues that came back were:

1. global incoming message size not set
2. global outgoing message size not set
3. WMI access is not possible
0
filtrationproducts Author Commented:
I turned on Form Based Authentication under Exchange Service Manager / DOMAIN / SERVERS / DOMAIN / PROTOCOLS / HTTP / EXCHANGE VIRTUAL SERVER / PROPERTIES / SETTINGS

I tried logging in again with each web browser and they all still behaved the same way.
0
filtrationproducts Author Commented:
I found this on msexchange.org (which verifies everything you guys are saying). I don't understand why Microsoft would design something that is by default such a security issue.

"In addition to this, Outlook Web Access authentication is generally session based. This means if you do not logoff and close your browser you remain logged in. Especially in public web access areas where users are unable to close the browser window it becomes quite easy for other users to read and send emails in the name of a company user."

Then they go on to say that after you create an SSL certificate and turn on form authentication you will still have the same effect, and that the only difference now is there will be a default timeout of 10 minutes and emails are no longer sent in clear text.

I don't see that as any more secure. I worry more about someone clicking the back button into my email inbox than someone scanning traffic and reading emails that are sent in clear text...
0
filtrationproducts Author Commented:
Is there a script or something someone could add to that button code so when the logoff button is clicked the connection is completely disconnected?
0
filtrationproducts Author Commented:
There we go!

Just like you guys said I configured it to force SSL use, I enabled Form Based Authentication on the Exchange directory in IIS, stopped and started the IIS directory then it started working like I want.

Thanks guys!
0
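
Added example (not part of the original thread, and not Microsoft's code): a small check an administrator can use to tell, from the server's answer to an unauthenticated request for the mailbox URL, whether the browser is holding the credentials itself (so a Log Off link cannot clear them) or whether a forms logon over SSL is in place, as in the fix above. The host name, logon path and sample responses are constructed, and treating any redirect as a forms logon is a simplifying assumption.

```python
from urllib.parse import urlsplit

# Schemes where the browser itself stores and replays the credentials.
BROWSER_HELD_SCHEMES = {"basic", "digest", "ntlm", "negotiate"}

def classify_auth(url, status, headers):
    """Classify the response to an unauthenticated GET of the mailbox URL.

    headers is a list of (name, value) pairs, because WWW-Authenticate
    can appear more than once. Returns (mode, findings).
    """
    findings = []
    if urlsplit(url).scheme.lower() != "https":
        findings.append("no-ssl")  # the thread notes FBA needs SSL
    offered = {v.split()[0].lower() for k, v in headers
               if k.lower() == "www-authenticate" and v.strip()}
    names = {k.lower() for k, _ in headers}
    if status == 401 and offered & BROWSER_HELD_SCHEMES:
        # The browser answers the challenge and keeps replaying the
        # credentials; the server has no cookie it could expire.
        mode = "browser-held"
        findings.append("logoff-cannot-clear-credentials")
    elif status in (301, 302, 303, 307) and "location" in names:
        mode = "forms-cookie"  # heuristic: redirect to a logon form
    elif status == 200 and "set-cookie" in names:
        mode = "forms-cookie"
    else:
        mode = "unknown"
    return mode, findings

def logoff_is_effective(url, status, headers):
    """True only for a cookie-based logon served over SSL."""
    mode, findings = classify_auth(url, status, headers)
    return mode == "forms-cookie" and "no-ssl" not in findings

# Constructed samples: before (plain HTTP, 401 challenge) and after the fix.
BEFORE = ("http://mail.example.test/exchange", 401,
          [("WWW-Authenticate", 'Basic realm="mail.example.test"'),
           ("WWW-Authenticate", "NTLM")])
AFTER = ("https://mail.example.test/exchange", 302,
         [("Location", "https://mail.example.test/logon-form")])

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, classify_auth(*sample), logoff_is_effective(*sample))
```
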