So I'm not sure if this is a known bug, or what.
Our Zimbra OSE is setup to auth against our Active Directory domain. I've kept the default parameters for cookies as it seemed to be a good idea. Turns out, it was not working how I thought.
A person left the company recently, and as such I changed their password. The account was not disabled for our own reasons (intentional). However, the password change did not invalidate previous cookies. As such the person was able to access their email. Fortunately they didn't do anything malicious, they just sent out a farewell email.
I've set the parameter to log users out when they close a tab, but this still is concerning.
Anyways, just a PSA on this one. Stay safe!