Forms-based authentication uses cookies to identify the user session. The cookies that are used by forms-based authentication automatically expire if the user is inactive for too long. The default time-out period when a user selects the This is a public or shared computer option on the Outlook Web Access logon page is 15 minutes. The default time-out period when a user selects the This is a private computer option on the Outlook Web Access logon page is twelve hours. These settings can be configured to comply with the requirements of your organization.

When the user logs off from the session, the cookie expires on the server so that it cannot be used again. Because this expiration relies on the Exchange server, it works regardless of the Web browser that is being used.

If Outlook Web Access has been configured to use Basic authentication, the Web browser will cache the user credentials for reuse with every request from the client computer. When the user logs off, the logoff operation instructs the Web browser to clear the credentials cache on the client computer. This only works in Internet Explorer 6 and later versions.

By default, Outlook Web Access is configured to use forms-based authentication. Forms-based authentication is more secure than Basic authentication.

Dynamic content includes message content, the mailbox folder hierarchy, and other items that may change while the user is logged on to Outlook Web Access. The Web browser functionality that displays dynamic content cannot be controlled by Microsoft Exchange. However, risk is reduced, as follows:

• Outlook Web Access instructs the Web browser to never cache any dynamic content that it displays to the user. This means that the information will not be stored on the disk cache. However, information may be stored in memory.
  
  
• When the user closes the Web browser, as instructed on the Outlook Web Access logoff page, any data that is cached in memory is removed.
  
  

By default, Outlook Web Access is configured to use Secure Sockets Layer (SSL) encryption. This provides additional security. When you install the Client Access server role on a computer that is running Exchange 2007, a self-signed SSL certificate is installed. You can use this certificate or obtain one from a third party. HTTP standards require Web browsers not to cache any SSL content to disk. However, not all Web browsers may follow this standard. Internet Explorer does not cache SSL content.

Static content includes scripts and images that are used by Outlook Web Access, for example, toolbar icons. Static content is cached on the disk of the client computer. Outlook Web Access does not instruct the Web browser to delete static content when the user logs off. This helps Outlook Web Access to load faster the next time that the user logs on by using that same computer. The static content does not in any way identify the user or the user's organization.

Attachments can be especially sensitive. In earlier versions of Microsoft Exchange, attachments could be viewed only by opening them on the client computer. To do this, a temporary copy of the file was created in a temporary folder, and then the application that could display the file was started. This process created an operation on the client computer that was separate from the Outlook Web Access session.

Outlook Web Access in Exchange 2007 supports WebReady Document Viewing, which enables users to view the most common file types. Outlook Web Access users can use WebReady Document Viewing to display attachments as HTML files. This provides the same protection for attachments as for any other dynamic content.

Exchange 2007 SP1

Exchange 2007 Service Pack 1 (SP1) supports S/MIME encryption. S/MIME encryption helps protect attachments and the message body. In addition, any file content that is cached on the disk is overwritten multiple times. S/MIME encryption is supported in Microsoft Exchange Server 2003 and in Exchange 2007 SP1. However, S/MIME encryption is not supported in the original release (RTM) version of Exchange 2007.