<div>
By default the Private logon will have a longer *working/active* hours without refering back to the servers.<br />
<br />
As per the URL:<br />
Configuring Forms-Based Authentication for Outlook Web Access<br />
<a href="http://technet.microsoft.com/en-us/library/bb123719(EXCHG.80).aspx" rel="ugc">http://technet.microsoft.com/en-us/library/bb123719(EXCHG.80).aspx</a><br />
<br />
Recycle time for authentication key if you use the default time-out value ...for a private logons....4 hours<br />
<br />
If you really need to change the values...you can do by registries (is that really needed?)
</div>


By default the Private logon will have a longer *working/active* hours without refering back to the servers.

As per the URL:
Configuring Forms-Based Authentication for Outlook Web Access
http://technet.microsoft.com/en-us/library/bb123719(EXCHG.80).aspx [http://technet.microsoft.com/en-us/library/bb123719(EXCHG.80).aspx]

Recycle time for authentication key if you use the default time-out value ...for a private logons....4 hours

If you really need to change the values...you can do by registries (is that really needed?)

<div>
I agree, that aspect is pretty straight forward, I am curious about the password change reference and how it relates 
</div>


I agree, that aspect is pretty straight forward, I am curious about the password change reference and how it relates

<div>
<div class="content wysiwyg-content">
<b>Scenario</b><br />
<br />
Employee logs into Webmail, say at a hotel kiosk<br />
<br />
Employee selects &quot;private computer&quot; as an option<br />
<br />
Employee finishes work and leaves hotel<br />
<br />
Employee remembers they left kiosk without logging out<br />
<br />
Employee knows that typing &quot;<a href="https://web" rel="ugc">https://web</a>&quot;&nbsp;may or will autocomplete with full TMO Webmail address<br />
<br />
Employee suspects (which is true) persistent cookie will show then as logged in.<br />
<br />
Employee sets up their laptop, logs into VPN, changes Outlook password.<br />
<br />
HOWEVER, Webmail will still show them as logged in, password change on network does not affect current login, at least not in a short period of time.
</div>
</div>


Scenario

Employee logs into Webmail, say at a hotel kiosk

Employee selects "private computer" as an option

Employee finishes work and leaves hotel

Employee remembers they left kiosk without logging out

Employee knows that typing "https://web" may or will autocomplete with full TMO Webmail address

Employee suspects (which is true) persistent cookie will show then as logged in.

Employee sets up their laptop, logs into VPN, changes Outlook password.

HOWEVER, Webmail will still show them as logged in, password change on network does not affect current login, at least not in a short period of time.

How to fix following OWA / Password Flaw?

Exchange is the server side of a collaborative application product that is part of the Microsoft Server infrastructure. Exchange's major features include email, calendaring, contacts and tasks, support for mobile and web-based access to information, and support for data storage.

Exchange

HTTPS is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). The main motivation for HTTPS is authentication of the visited website and to protect the privacy and integrity of the exchanged data. HTTPS is widely used for protecting page authenticity on all types of websites, securing accounts and keeping user communications, identity and web browsing private.

SSL / HTTPS

Microsoft Outlook is a personal information manager from Microsoft, available as a part of the Microsoft Office suite. Although often used mainly as an email application, it also includes a calendar, task manager, contact manager, note-taker, journal, and web browser.