Admin_Stooge
asked on
How to fix following OWA / Password Flaw?
Scenario
Employee logs into Webmail, say at a hotel kiosk
Employee selects "private computer" as an option
Employee finishes work and leaves hotel
Employee remembers they left kiosk without logging out
Employee knows that typing "https://web" may or will autocomplete with full TMO Webmail address
Employee suspects (which is true) persistent cookie will show them as logged in.
Employee sets up their laptop, logs into VPN, changes Outlook password.
HOWEVER, Webmail will still show them as logged in; password change on network does not affect current login, at least not in a short period of time.
ASKER
I agree, that aspect is pretty straightforward. I am curious about the password change reference and how it relates.
ASKER CERTIFIED SOLUTION
As per the URL:
Configuring Forms-Based Authentication for Outlook Web Access
http://technet.microsoft.com/en-us/library/bb123719(EXCHG.80).aspx
Recycle time for the authentication key if you use the default time-out value... for private logons... 4 hours
If you really need to change the values... you can do it through the registry (is that really needed?)
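The registry change mentioned in the answer above, as an added example that is not part of the original answer. The key path, the `PrivateTimeout`/`PublicTimeout` value names, the 1 to 43200 minute range and the IIS restart are assumptions taken from Microsoft's Exchange 2007 forms-based authentication documentation, not from this page; the 30-minute target is a constructed policy value.

```powershell
# Added example: inspect and shorten the OWA forms-based authentication cookie
# time-outs on an Exchange 2007 Client Access server. Run elevated on that server.
# Assumption: key and value names follow Microsoft's Exchange 2007 documentation.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'

function Get-OwaCookieTimeout {
    param([ValidateSet('PrivateTimeout', 'PublicTimeout')][string]$Name)
    $prop = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }    # value absent: built-in default applies
    return [int]$prop.$Name                  # stored in minutes
}

function Set-OwaCookieTimeout {
    param(
        [ValidateSet('PrivateTimeout', 'PublicTimeout')][string]$Name,
        [ValidateRange(1, 43200)][int]$Minutes   # assumed documented range
    )
    Set-ItemProperty -Path $key -Name $Name -Value $Minutes -Type DWord
}

# Report what is configured now, so the change can be reverted if needed.
foreach ($name in 'PrivateTimeout', 'PublicTimeout') {
    $current = Get-OwaCookieTimeout -Name $name
    if ($null -eq $current) { "$name : not set (server default applies)" }
    else                    { "$name : $current minutes" }
}

# Constructed policy value: treat "private computer" sessions almost like kiosk ones.
$targetMinutes = 30
Set-OwaCookieTimeout -Name 'PrivateTimeout' -Minutes $targetMinutes
"PrivateTimeout now: $(Get-OwaCookieTimeout -Name 'PrivateTimeout') minutes"

# Assumption: IIS must be restarted for the new value to be read.
iisreset /noforce
```

A shorter private time-out only narrows the window in which the abandoned kiosk session stays usable; as the question notes, the password change by itself does not end the current login.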