Outlook Web Access kills all authenticated sessions in IE 8

{ Posted By : Eric Cobb on November 2, 2009 }
Comments (3)
2870 Views
Related Categories: General, Rant

We ran into this bug last week and it caused us enough headache that I decided to make a quick blog post about it. It seemed pretty bizarre at first, but after figuring out what was going on, I can definitely understand why it's happening, although I do consider it a bug in IE 8.

In a nutshell, here is what we ran in to. If you have multiple tabs open in IE 8, and you log in to Outlook Web Access (Exchange Server 2007, I believe) in one of those tabs, when you log out of Outlook Web Access it will kill every session in every open tab in IE. If you have a second instance of IE open, it's not affected. It only seems to affect the instance of IE that's using Outlook Web Access.

Our particular issue was with a client that kept getting logged out of our ColdFusion application randomly throughout the day (and we knew he wasn't reaching the session timeout period). We eventually discovered that the log out was happening every time he checked his email. Once we figured out what was going on, the problem was pretty easy to replicate:

  • Open IE 8 (hold your breath if you can't stand the stench!)
  • Log in to any CF application, or do anything that sets a session variable
  • Open another tab and log in to Outlook Web Access
  • Click around in both tabs to verify everything is still working
  • Log out of Outlook Web Access
  • Check your CF application and your sessions are gone.

This doesn't seem to be a problem when using FireFox or IE 7. I haven't checked any other browsers, but I expect they would be immune as well. While I only tested the problem with our ColdFusion application, I suspect that it would affect other web languages such as PHP or ASP as well.

It took us a little research to figure out exactly why this was happening, but we finally figured out that when you log out of Outlook Web Access it calls a shell command that clears all authenticated cache throughout the entire browser, including any other open tabs you may have.

I don't know of a workaround for this yet, and as I said before I consider this to be a bug in IE 8. I'm pretty sure Microsoft doesn't give a fat happy rat's behind what I think, so they probably won't be fixing it anytime soon either.

Send | del.icio.us | Digg It! | Linking Blogs
Comments
[ Add Comment ] [ Subscribe to Comments ]
TJ Downes's Gravatar What type of authentication is being used on the OWA side, and what types of authentication does it affect for other apps?
# Posted By TJ Downes | 11/2/09 10:13 AM
Lawrence Etchells's Gravatar THANK YOU! I've been searching for this problem - assuming that it was some kind of ASP.Net cookie-related issue.

It never occurred to me that it might be something so bizarrely RETARTED as this!

Good work.
# Posted By Lawrence Etchells | 11/16/09 5:50 AM
Marius's Gravatar Not very hard to fix tough, just edig logon and logoff asp-files, and remove these lines:

document.execCommand("ClearAuthenticationCache", "false")
# Posted By Marius | 5/20/10 5:36 AM
[ Add Comment ]