Hotmail imposes tracking cookies for logout
And where do you think you're going?
Hotmail users are now unable to log out of their account if the browser they are using does not accept third party cookies.
The move by Microsoft raises security concerns, particularly as PCs on corporate networks and in cybercafes and libraries are often set to reject cookies.
The error screen* that greets users who try to log out tells them they must re-enable third party cookies or close every browser window.
Third party cookies are most commonly used by advertising networks to track surfers across the web.
We've asked Microsoft what is behind its demand that they be enabled, and whether it has considered the potential security implications. We'll update this story when it gets back to us.
Thanks to Reg reader Phil for spotting the change. ®
*Complete with typo.
Why we write cookies to multiple domains
I’m the product manager for Windows Live ID. Thanks for calling this out, and I wanted to take this opportunity to outline the reason you are getting this experience. The comments above cover most of this, but here is the official word on why we write our cookies to multiple domains to:
- Give users a good experience with single sign-on, so they can be authenticated to multiple sites (e.g. MSN, Xbox Live, Windows Live, Bing) at once without having to retype their password
- To help protect user security, by separating the authentication cookies that are used for different services. If a cookie in one domain is compromised, it means that user assets in another domain won’t be compromised
During sign-in, we redirect to the right domain so that the cookies can be written in first-party context. It’s only during sign-out, where we need to clear cookies from potentially many domains, that we have login.live.com clearing cookies in other domains via the invisible GIF solution (more info: http://msdn.microsoft.com/en-us/library/bb676640.aspx). We are actually removing cookies in this scenario, but it’s interpreted by browsers as using third party cookies.
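The following model is an added illustration, not code from Microsoft or from the article. It shows why the sign-out flow described in the comment above leaves authentication cookies behind when a browser rejects third-party cookies. The service hostnames, the cookie name `AuthTicket` and the blocking rule (a `Set-Cookie` from a cross-site response is dropped) are assumptions; only `login.live.com` comes from the page.

```javascript
// Simplified model (an assumption, not any real browser's code): a cookie jar
// that ignores Set-Cookie from third-party responses when blocking is on.
const site = (host) => host.split(".").slice(-2).join("."); // crude registrable domain

class Browser {
  constructor({ blockThirdParty }) {
    this.blockThirdParty = blockThirdParty;
    this.jar = new Map(); // host -> Map(cookieName -> value)
  }
  // Apply one Set-Cookie from `responseHost` while `topLevelHost` is the page in the address bar.
  setCookie(topLevelHost, responseHost, name, value, expiresMs) {
    const thirdParty = site(topLevelHost) !== site(responseHost);
    if (thirdParty && this.blockThirdParty) return false; // header silently dropped
    const cookies = this.jar.get(responseHost) || new Map();
    if (expiresMs <= Date.now()) cookies.delete(name); // expiry in the past = deletion
    else cookies.set(name, value);
    this.jar.set(responseHost, cookies);
    return true;
  }
  hostsWithCookie(name) {
    return [...this.jar].filter(([, c]) => c.has(name)).map(([h]) => h).sort();
  }
}

// Constructed hosts and cookie name; only login.live.com appears on the page.
const LOGIN = "login.live.com";
const SERVICES = ["mail.service-a.example", "games.service-b.example"];
const AUTH = "AuthTicket";

function signIn(browser) {
  // Sign-in redirects through each domain, so every cookie is written first-party.
  const later = Date.now() + 3600000;
  for (const host of [LOGIN, ...SERVICES]) browser.setCookie(host, host, AUTH, "t", later);
}

function signOut(browser) {
  // The sign-out page on LOGIN embeds one invisible image per service domain;
  // each image response carries an already-expired Set-Cookie to delete the ticket.
  browser.setCookie(LOGIN, LOGIN, AUTH, "", 0);
  for (const host of SERVICES) browser.setCookie(LOGIN, host, AUTH, "", 0);
  return browser.hostsWithCookie(AUTH); // hosts still holding a live ticket
}

function leftoverAfterSignOut(blockThirdParty) {
  const b = new Browser({ blockThirdParty });
  signIn(b);
  return signOut(b);
}
```

With blocking off the returned list is empty; with blocking on, both service hosts still hold a ticket, which is the state a shared PC is left in unless every browser window is closed.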
Large corporations always have conflicts of interests.
Microsoft's here is the conflict between being an OS provider and trying to provide security and opportunities to disable 3rd party cookies, etc.; and being a service provider and media company (with Bing too) where they want to take advantage of rot like 3rd party cookies.
I'm sure that Hotmail doesn't suddenly need 3rd party cookies to know you've logged out, but I'm sure part of Microsoft suddenly has a need for Windows users to start accepting 3rd party cookies, and the Hotmail department is being used to "make it so".
@Just close it
"Sorry if I am being stupid (I do not have a Hotmail Account) ..."
If you don’t have a Hotmail account, you can’t be all that stupid.