Hotmail Security
If the user, when creating an account, is told that the account name is already in use, they are given a choice of names to choose from (this web page is stored in the Temporary Internet Files directory). If you view the source of this web page, one of the "hidden" input values is their clear text password. (If you do view the source, btw, the page is stored in a cache sub-directory off the Temporary Internet Files directory.) Now this is all very fine and well; however, if the source is not viewed, no file is stored in the cache directory, and adduser.cgi, the file in the Temporary Internet Files directory, is inaccessible. Added to that, the next page in sequence is also called adduser.cgi, so the file with the clear text password is overwritten.
So :-
1) if you have access to that user's computer and
2) if their preferred userID is already in use and
3) if, for some reason, they have viewed the source whilst the "name in use" page is open and
4) you know the ID they eventually choose and
5) they haven't changed the password
you can open the cache subdir and look for adduser.htm and get their password....
To see this in action try creating an account with hotmail called "jsmith"
***********************************
Now as far as gaining access to an account when the user is still logged in :
This is only possible if you connect using the same IP address. (IP spoofing doesn't work here because TCP communications require a three-way handshake, and this is only possible if the remote server knows your IP address to establish this link.)
Here are some facts about hotmail user authentication -
1) When you log in, a cookie is attached to your browser by the server. (There is no expiry date on this cookie - quite important.) The cookie takes the following form :
48135d83bb154941315cdd13e3742a26
2) This cookie persists and its value is issued with each GET and POST browser request.
3) If you close down the browser the cookie disappears. If you are still attached to the net (in other words, if your IP address is still the same - this only affects people with dynamically assigned IP addresses) and have not logged out of Hotmail, you can then reopen the browser and open the following site :
http://207.82.250.251/cgi-bin//start/username
With every GET and POST browser request there is no sign of the cookie.
4) If you log in and are assigned a cookie, then log out of the Net (leaving your browser open though) and then log back in and have a new IP address, you can no longer access your Hotmail account.
So from these 4 points (as viewed thru a sniffer, btw) we can deduce 2 things -
1) The cookie does bugger all really.
2) When you log in your IP address is logged and is associated with that login session.
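The two deductions above, modelled as an added example (not code from the original text or from Hotmail): IpBoundSessions keys the login on source IP alone, as deduced, while TokenBoundSessions makes the random cookie the credential, expires it server-side and keeps the IP only as a secondary check. The class names, the 15 minute timeout and the addresses used to exercise it are assumptions.

```python
import hashlib
import secrets
import time

SESSION_TTL = 15 * 60  # assumed idle timeout, in seconds


def _key(cookie):
    # Store only a hash of the cookie so a dump of the table yields no usable tokens.
    return hashlib.sha256(cookie.encode()).hexdigest()


class IpBoundSessions:
    """Models the deduced behaviour: the login is keyed on source IP alone."""

    def __init__(self):
        self._by_ip = {}

    def login(self, user, ip):
        self._by_ip[ip] = user
        return secrets.token_hex(16)  # cookie is issued but never checked

    def authenticate(self, ip, cookie=None):
        return self._by_ip.get(ip)  # anyone arriving from this IP is the user


class TokenBoundSessions:
    """Hardened: the random cookie is the credential; IP is a secondary check."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    def login(self, user, ip):
        cookie = secrets.token_hex(16)
        self._sessions[_key(cookie)] = (user, ip, self._clock() + SESSION_TTL)
        return cookie

    def authenticate(self, ip, cookie=None):
        entry = self._sessions.get(_key(cookie)) if cookie else None
        if entry is None:
            return None
        user, bound_ip, expires = entry
        if self._clock() > expires:
            del self._sessions[_key(cookie)]  # server-side expiry
            return None
        if ip != bound_ip:
            return None  # right cookie, wrong address
        self._sessions[_key(cookie)] = (user, bound_ip, self._clock() + SESSION_TTL)
        return user
```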
So, there are ways around Hotmail's security procedures...it's just that you have to be very lucky to be able to exploit them ;-)