Old 03-26-2007, 10:20 AM
keffa

Quote:
Originally Posted by AimanA
PERSONALLY, I would definitely NOT set that to zero, since the web client is publicly accessible, and if someone just hits the [X] button to close their browser without logging out (say, at an internet cafe), their login credentials will NEVER EXPIRE, and the next user who types in the name to your mailserver's Zimbra frontend will have unfettered access to that user's mailbox.

That's just my opinion... and I'm a pretty security conscious dude.

PS: that flag is days.... not seconds.
You can alter the flag to days, hours, minutes or seconds.

I was actually thinking of preventing the user from storing their login details at all, just like you said. In a corporate environment (or indeed the public one you gave in your example) storing your login credentials is unallowable.

I was thinking in terms of a traditional cookie, where if you specify a date in the past or a date that will expire almost instantly (as in, for example, 0 or 1 seconds) the cookie is removed the moment you close the browser, thereby removing your stored details.

However, having just tried it, it's clear Zimbra logs you out the moment the duration of time is up after you have last been active, so you will be instantly logged out if you set it to 0 or 1 seconds. As a stop-gap measure you can set this to something like 3 hours (which should be more than enough for someone to compose a very long email, yet short enough for security reasons).

The ultimate way to prevent it, of course, is to edit the HTML source code and remove the feature, thereby taking the option away from the user entirely.
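The behaviour keffa describes (an idle timeout measured from the last activity, where 0 or 1 seconds logs you out immediately, while a few hours still bounds how long an abandoned session at a shared terminal stays open) can be modelled as a sliding-window session. This is an added illustration, not code from the thread or from Zimbra; the d/h/m/s duration suffixes and a bare number meaning seconds are assumptions for the example.

```python
from datetime import datetime, timedelta

# Duration suffixes standing in for "days, hours, minutes or seconds";
# the exact letters and "bare number = seconds" are assumptions here.
UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_duration(spec: str) -> int:
    """Turn '3h', '30m', '1d', '10s' or '0' into a number of seconds."""
    spec = spec.strip().lower()
    if spec and spec[-1] in UNITS:
        return int(spec[:-1]) * UNITS[spec[-1]]
    return int(spec)


class IdleSession:
    """Session whose expiry is measured from the LAST activity, not from
    login: every request that arrives in time restarts the clock."""

    def __init__(self, idle_limit: str, now: datetime):
        self.limit = timedelta(seconds=parse_duration(idle_limit))
        self.last_active = now

    def is_expired(self, now: datetime) -> bool:
        # A limit of 0 makes every check expire, which is why a zero
        # setting logs the user out instantly instead of keeping them in.
        return now - self.last_active >= self.limit

    def touch(self, now: datetime) -> bool:
        """Record activity; returns False if the session had already lapsed."""
        if self.is_expired(now):
            return False
        self.last_active = now
        return True


def open_to_next_user(idle_limit: str, walked_away: datetime,
                      next_user: datetime) -> bool:
    """Would someone sitting down at next_user find the mailbox still open?
    Models the internet-cafe case: the browser is closed without logout."""
    session = IdleSession(idle_limit, walked_away)
    return not session.is_expired(next_user)


if __name__ == "__main__":
    # Constructed timeline: first user leaves at 10:00 without logging out.
    left = datetime(2007, 3, 26, 10, 0)
    for limit in ("0", "1s", "3h", "1d"):
        print(limit, "still open after 2h:",
              open_to_next_user(limit, left, left + timedelta(hours=2)))
```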