Web Client Login Security

**mek** · 03-30-2010, 05:37 AM

This relates to the fact that my company has a lot of remote workers. Security concerns have been raised around someone just going into a business centre at a hotel and then leaving themselves logged into Zimbra with the web client in the history. These type of users are unlikely to respond to training in this area and as long as the window is open for people to be able to do this, it's going to be a problem.

I have it set so that if someone tries to browse away or close the browser they will receive the warning so they can logout.

What I'm wondering is does anyone else have another way to deal with this problem. I would put the server on the VPN so that you have to access it that way but that's going to create problems with those picking up mail with cellphones. The same apples to just allowing access for IP ranges or MAC addresses.

Any thoughts welcomed. The only one I have so far is Mojopac

**bdial** · 03-30-2010, 07:39 AM

why not set the zimbraMailIdleSessionTimeout for your users?

**mek** · 03-30-2010, 07:43 AM

I thought about this also, the default is 2 days I believe?

The only issue I could think here would be that it would be pretty annoying if you use the Web Client as your main interface it's constantly expiring your session.

There is perhaps a happy medium in there though, thanks a lot for your input.

**uxbod** · 03-30-2010, 07:54 AM

Well you have got me thinking about this ... perhaps another approach would be to check the active sessions and if you know somebody should not be logged in at a certain time you could flag it. You can get a list of them using

Code:

su - zimbra
zmsoap -z -t admin GetSessionsRequest @type=soap

**mek** · 03-30-2010, 08:01 AM

That sounds like I a lot of overhead to have to keep checking on that though. With a lot of people in a lot of different countries it's going to be a nightmare to know when people are supposed to be logged on or not.

Doesn't that command only apply to admin users? I'm talking about the standard users here, the admins are no problem

**uxbod** · 03-30-2010, 08:04 AM

The 'admin' means you are making a call to the Admin SOAP interface to get the details. I was just thinking whether there was a way to capture sessions that have been logged in for a long time and disconnect them automatically.

**mek** · 03-30-2010, 08:13 AM

Ah alright. Thanks

Zimbra

Thread: Web Client Login Security

LinkBack

Thread Tools

Search Thread

Display

Web Client Login Security

Thread Information

Users Browsing this Thread

Similar Threads

Limit web client login to lan

Zimbra Mobile Web Client questions

Mobile web client accessible by URL, not from login screen

Problem after change the Web mail client port number

Posting Permissions