Sharepoint Forum

Ask Question   UnAnswered
Home » Forum » Sharepoint       RSS Feeds

How do you Logout of SharePoint?!

  Asked By: Demarco    Date: Mar 14    Category: Sharepoint    Views: 6628

This seems like a huge security issue.

Additionally, where can I configure a timeout on the user session? Is
it at the Web Server level?



15 Answers Found

Answer #1    Answered By: Donta Kirkland     Answered On: Mar 14

I disagree as well, if your so worried about security risks then why
aren't your users locking there workstations? Even if SharePoint did
have a logout  feature, it doesn't have a login feature, which in my
option is an excellent design for an Intranet...........why not just use
the credentials of the logged in user. They already logged into Windows
so why have them login again to an internal website?

If your users locked their workstations this wouldn't be an issue!

Answer #2    Answered By: Cade Velazquez     Answered On: Mar 14

As mentioned in an earlier post, this problem is with the Extranet.
Not Intranet.

Answer #3    Answered By: Ariana Christensen     Answered On: Mar 14

Of course users won't lock their workstations, they never do, however
blaming them for that will not work either.

What I have seen work is this: Make it a corporate policy that users should
lock their workstations. If they don't, then the company is off the hook
for liability and no one will sue a user unless there is a blatent intent to
profit from an action.

Simple, effective to the goal, easy to implement. Corporate policy makers
understand the game. Policy is all about reducing liability for the
corporation, not real life.

I have seen something like this: "Users should log off or lock their
computer workstations when they leave the office or provide other security
as appropriate to protect confidential information."

Answer #4    Answered By: Darrius Whitfield     Answered On: Mar 14

Beyond this, do you have any suggestions for literally "logging out"
and "timing out" of an Extranet portal?

As we all know, enforcing security is a function of many layers...
intranet user desktop is one, policies are also another, there are
definitely more that I would expected someone out there to cover.

Answer #5    Answered By: Adrienne Greene     Answered On: Mar 14

I believe that these are settings in IIS.

Answer #6    Answered By: Joshuah Huber     Answered On: Mar 14

Don't forget, you're not just talking about SharePoint here. If users
don't have to lock there workstations, then someone else can also access
any network files or Emails that are on an un-locked workstation. There
is no logout  for Outlook and look how much confidential Comany info is
keep there, same thing for network drives.........even local files (none
of those sources of "private data" have logout features).

I really don't think this is SharePoint issue but rather an over all
corporate security policy, like Ed suggests.

Answer #7    Answered By: Ciara Collier     Answered On: Mar 14

I agree with your points, but here are some additional considerations.

1. email is one of the biggest security threats... not only is the
smtp protocol subject to risk, simple usage of an email client like
Outlook is a risk because of the way people use it. Locking
workstations, password protecting files, corporate policy, etc. are
all part of the layers of security needed.

2. So far, our discussion has been around Intranet implementations
which are far easier to manage than Extranet. Can anybody comment on
their Extranet implementations?

Answer #8    Answered By: Keenan Whitehead     Answered On: Mar 14

I think that is the problem, SharePoint was never meant to be an

with that said, I know people do try to use it that way and the only
thing I think you can do is add a logout  button that closes the browser,
however, again it is up to the user, since any user that doesn't want to
login to the Extranet can add it to their Intranet zones and then won't
be prompted to login. You can't stop user from being lazy, I see people
save there online bank passwords. So if Bank of America can't stop
un-authorized users from logging into another persons account (because
the user choose to have windows save their password) then I don't think
you can make SharePoint any more secure than it already is.

Answer #9    Answered By: Peter Peterson     Answered On: Mar 14

I am a bit surprised that any given 'portal' solution is not intended
to serve the Extranet or INTERnet. There seems to be quite a bit of
conversation if you google "sharepoint extranet portal".

Most of the conversation seems to point to using SharePoint in
conjunction with ISA Server. Does anybody know anything about this,
or another Extranet infrastructure/application configuration?

Even Bank of America provides a simple feature to Log Out, or in
otherwords, kill your session. It is the one, of many layers,
required to secure your solution.

It is my opinion, that one should explore all layers of security and
do your best to secure each layer. To that end, at the application
layer, the application should be able to kill a user session.
Ignoring that and leaving security up to the remaining layers seems

Answer #10    Answered By: Damon Garner     Answered On: Mar 14

First, SharePoint was designed for Intranets. Second, it works with Extranets, with special caution.

The primary issues w/ SharePoint as it relates to an Extranet scenario are account management and session expiration. Account management is difficult because there are no good built in ways to manage a password expiration… but that can be handled with special code. There are also things like lost password and other generally messy issues that can used to be sorted out.

The session expiration problem is actually a fundamental problem with the way that web browsers work. Because HTTP is stateless and because the requests can sometime need to be reauthenticated … the browser automatically resubmits my credentials on every request to the same server and port – so long as I don’t close the browser. Once I close the browser I am typically, but not always, prompted to reenter my credentials before the browser starts blindly handing it out for any URL on the server.

Because SharePoint doesn’t have a forms based login mechanism out of the box, we’re stuck with HTTP based authentication and it’s limitations. There are ways to work around this – mostly by using ISA as an intermediary. Basically, you have to make SharePoint still believe it’s working with HTTP based authentication. The good news is that once you put in the infrastructure to do the form based authentication … password management gets a lot easier.

If you are interested, I compiled a list of risks and types of deployments from this list and other sources… it’s a grid that is a few pages in length… I’ll send it to anyone who wants to look at it – I’ve avoided posting it to the list because I hate it when people send attachments to lists.

Answer #11    Answered By: Christop Mcfadden     Answered On: Mar 14

and even bank of america wrote thier own software.

session timeouts are configurable!!

If you dont like session time out and would rather a user be trained to "clicky clicky" on some logout  button, then crack open visual studio and make it, or just download sig's logoff web part from www.asaris.de/.../Logoff.zip


and as for your google results coming up with ISA server, my interpretation is that they reccomend that you have a firewall between the internal/external side. we use openbsd's PF and cisco firewalls along with Apache's mod_proxy.

Answer #12    Answered By: Harshita Padwal     Answered On: Mar 14

We already have begun designing the use cases for: login, logout,
account lockout, change password, etc.

I just assumed somebody in this group has done it for an Extranet
implementation already. I have to admit that I am a bit shocked to
hear that Portal was not intended to be part of an Extranet.

Answer #13    Answered By: Jennifer Jones     Answered On: Mar 14

In "my" perfect world, there wouldn't be extranet's but rather Intranets
for the "employees" and Internets for the "public". Back when I was a
network admin, if someone would have ask me to take a network share and
"share it out" to the public (anyone not on our network) I would have
said, "yeah right.......get a clue" but times are a changing and I guess
we need to change with them.

Anyway, getting off my soap box, Microsoft has made many changes to the
"next" version of SharePoint and from what I hear, there will be a lot
more support for Extranet implementations.

Answer #14    Answered By: Annie Norris     Answered On: Mar 14

I understand your viewpoint. Extranet complicates many aspects of

For better or worse (I generally feel for the better), we want and
need to integrate, colloborate, or otherwise leverage collective
thoughts and efforts from individuals that cross many real-life
boundries (ie. companies, countries, organizations).

The fact is, those who remain on their own island of business and
technology lose out on the brain-power that is outside of their

That's my soap box for today.

Answer #15    Answered By: Damon Garner     Answered On: Mar 14

Why not just implement the auto lock screen saver option in the user policy management? That’s the way we do it. If there isn’t any activity within 5-10 minutes then the screen saver comes on and requires them to re-authenticate when they are back at their workstation.

Didn't find what you were looking for? Find more on How do you Logout of SharePoint?! Or get search suggestion and latest updates.