Closed Bug 60877 Opened 24 years ago Closed 24 years ago

sign-out from hotmail and then clicking on back button lands up inside the user's mail account

Categories

(Core :: DOM: Navigation, defect, P1)

Tracking

VERIFIED INVALID
mozilla0.8

People

(Reporter: Balwinder.Sohi, Assigned: morse)

Details

(Whiteboard: suntrak-n6)

Attachments

(2 files)

1. Click on www.hotmail.com and then log into your account with the correct username and password.
2. Once logged in to your account - sign-out (i.e. log out as per your will).
3. Expected result (after log out): The back button on the browser or a hotmail link on the page should not let you display the page from your personal email account.
4. Actual result: With the back button or the hotmail link on the logged out page lands you into your hotmail account (as if you logged in), and you can surf all your private mail account page which you navigated thru in one session by clicking on back button one by one. (Maybe this is history bug?) Tested on 4.75 - does not occur.
Whiteboard: suntrak-n6
nav triage team: Steve: can you look at this. sounds serious.
Assignee: radha → morse
Keywords: nsbeta1
Priority: P3 → P1
-> All/All (2000122504 Win98), cc mstoltz. IE has the same behavior, and I think it's correct unless Hotmail is sending some kind of hint that you shouldn't be able to go back to the page (no-cache?).
OS: Solaris → All
Hardware: Sun → All
Summary: sign-out from the hotmail bug and then clicking on back button lands up inside the users mail account with NS6 Dt 11-06-00 → sign-out from hotmail and then clicking on back button lands up inside the user's mail account
I was able to reproduce this when it was first assigned to me, but now I can't even get psm to work (this site requires psm). I just tried it on ie and Jesse Ruderman is correct -- it behaves the same way as mozilla and brings up the page after you've logged out. But ns4 does not and I currently have no idea why. Can't investigate any further until I get psm to work.
Target Milestone: --- → mozilla0.8
Status: NEW → ASSIGNED
PSM is now working for me and I was able to investigate further. I captured the traffic that was sent back from the site starting from the time that the login form was submitted. I'll attach the log file. Note that although some of the first replies from the site have "Pragma: no-cache", the reply that actually contains the display of the user's mailbox does not. So it seems to me that the browsers (both mozilla and IE5) are behaving correctly by caching it in the session history and having it reappear when the user hits the back button after he has logged out. What I can't understand is why 4.x doesn't redisplay the user's mailbox under the same conditions. Although 4.x's behavior is more reasonable from a security point of view, it may be that the only reason 4.x didn't cache it was due to some bug in 4.x. Bottom line is that I believe that the problem is in the hotmail server in that they didn't send a "no-cache" when they delivered the page that contains the user's mailbox. Therefore marking this as invalid. If anyone has any information to contradict my conclusion, please post it here and reopen the bug report.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → INVALID
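The header check described in the comment above, as an added example that is not part of the bug report or of Mozilla's code: it walks a constructed capture of a login sequence (not the deleted attachment) and lists the HTML pages that were delivered without a no-cache hint. Checking `Cache-Control` in addition to the `Pragma: no-cache` header named in the thread is a generalization, and the request paths and function names are assumptions.

```python
from email.parser import Parser

# Constructed sample of a login sequence (not the deleted attachment from this bug).
# As in the comment above: early replies carry "Pragma: no-cache", the mailbox page does not.
CAPTURE = [
    ("POST /login", "HTTP/1.0 302 Found\r\nLocation: /redirect\r\nPragma: no-cache\r\n\r\n"),
    ("GET /redirect", "HTTP/1.0 302 Found\r\nLocation: /mailbox\r\nPragma: no-cache\r\n\r\n"),
    ("GET /mailbox", "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"),
    ("GET /compose", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                     "Cache-Control: private, No-Store\r\n\r\n"),
]

def parse_headers(raw):
    """Split a raw response head into (status_code, header message)."""
    status_line, _, rest = raw.partition("\r\n")
    code = int(status_line.split()[1])
    return code, Parser().parsestr(rest, headersonly=True)

def cache_directives(headers):
    """Collect lower-cased directive names from all Pragma and Cache-Control headers."""
    found = set()
    for name in ("Pragma", "Cache-Control"):
        for value in headers.get_all(name, []):
            for item in value.split(","):
                found.add(item.strip().split("=", 1)[0].lower())
    return found

def reusable_pages(capture):
    """Return requests whose 200 HTML response carries no no-cache/no-store hint."""
    flagged = []
    for request, raw in capture:
        code, headers = parse_headers(raw)
        is_page = code == 200 and headers.get_content_type() == "text/html"
        if is_page and not cache_directives(headers) & {"no-cache", "no-store"}:
            flagged.append(request)
    return flagged

if __name__ == "__main__":
    for request in reusable_pages(CAPTURE):
        print("no cache hint on:", request)
```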
Attached file log of traffic (deleted)
Oops, ignore above attached log, it was the wrong one. I'll attach the correct one this time.
Attached file and now the "real" log of the traffic (deleted)
mass-verifying Invalid bugs which haven't changed since 2001-12-31. use the search string "PinballWizard" if you want to filter out this msg.
Status: RESOLVED → VERIFIED
Component: History: Session → Document Navigation
QA Contact: claudius → docshell