[SOLVED] "remember me" option timout

[melody]

Hi,
In the zimbra web client help. This statement is mentioned:
How many hours "remember me" works is set by your administrator

So, i wonder how can i set the time limit for this option.
Thanks.

[jholder]

It should be in the Class of Service in the Web Admin UI

[melody]

Hi ,
i looked into the class of service in Web Admin UI. could you please tell what is the option that sets the remember me time out?
Thanks.

[AimanA]

Quote:

Originally Posted by melody

Hi ,
i looked into the class of service in Web Admin UI. could you please tell what is the option that sets the remember me time out?
Thanks.

"Advanced" tab
towards the bottom in "Timeout Policy"
You want to change the "Auth Token Lifetime" I think default is 2 days (that is when you check the "remember me" box in the login)

[keffa]

Quote:

Originally Posted by AimanA

"Advanced" tab
towards the bottom in "Timeout Policy"
You want to change the "Auth Token Lifetime" I think default is 2 days (that is when you check the "remember me" box in the login)

Is it possible to set this setting to 0 and thereby disable the facility for people to remember their logins?

Edit: Tried this. Doesn't work as it logs you out the moment you log in but its a good halfway marker as it allows you to remember their login for a shorter period of time which is better for those environments where the user should not be storing his or her password.

[AimanA]

PERSONALLY, I would definately NOT set that to zero, since the web client is publically accessible, and if someone just hits the [X] button to close their browser without logging out (say, at an internet cafe). Their login credentials will NEVER EXPIRE, and the next user who types in the name to your mailserver's zimbra frontend will have unfettered access to that users mailbox.

That's just my opinion... and I'm a pretty security conscious dude.

PS: that flag is days.... not seconds.

[keffa]

Quote:

Originally Posted by AimanA

PERSONALLY, I would definately NOT set that to zero, since the web client is publically accessible, and if someone just hits the [X] button to close their browser without logging out (say, at an internet cafe). Their login credentials will NEVER EXPIRE, and the next user who types in the name to your mailserver's zimbra frontend will have unfettered access to that users mailbox.

That's just my opinion... and I'm a pretty security conscious dude.

PS: that flag is days.... not seconds.

You can alter the flag to days, hours, minutes or seconds.

I was actually thinking of preventing the user from storing their login details at all just like you said. In a corporate enviroment (Or indeed the public one you gave in your example) storing your login credentials is unallowable.

I was thinking in terms of a traditional cookie where if you specify a date in the past or a date that will expire almost instantly (As in for example, 0 or 1 seconds) the cookie is removed the moment you close the browser thereby removing your stored details.

However having just tried it its clear Zimbra logs you out the moment the duration of time is up after you have been last active so you will be instantly logged out if you set it to 0 or 1 seconds so as a stop gap measure you can set this to something like 3 hours (Which should be more than enough for someone to compose a very long email yet short enough for security reasons).

The ultimate way to prevent it of course is to edit the HTML source code and remove the feature thereby taking the option away from the user entirely.

[Vimm]

Can the "Remember me" option be disabled? An ignorant user who didn't even know how it works howled that it makes the system insecure and now management has decreed it needs to be removed immediately.

Yes, I'm serious. You can't make this stuff up.

[keffa]

Quote:

Originally Posted by Vimm

Can the "Remember me" option be disabled? An ignorant user who didn't even know how it works howled that it makes the system insecure and now management has decreed it needs to be removed immediately.

Yes, I'm serious. You can't make this stuff up.

It can be edited out of the HTML code if you know what your doing. Or set to something stupid like 3 hours in the administrators settings. There is currently no feature to disable it though.

[mmorse]

I assume you already make use of auth token & session idle timeout (in the user or COS > advanced tab > timeout policy at the bottom)
(I take it you couldn't get management to understand the difference even.)

To change just the text of "remember me on this computer":
1. cd /opt/zimbra/tomcat/webapps/zimbra/WEB-INF/classes/msg (it will be in jetty in 5.0)
2. vi ZmMsg.properties and search for 'rememberMe'
3. vi ZhMsg.properties (for the html client)
4. tomcat stop/start

Now the checkbox will still be there-so you could get creative on your wording
Or if you want to make things interesting-set the auth token and session idle timout as low as minutes or seconds for the individual user that complained-then see how fast the complaint stops when they have to login 20 times a day...

To remove check box all together:
1. cd /opt/zimbra/tomcat/webapps/zimbra/js (jetty instead of tomcat in 5.0)
2. gzip -d -S .zgz Ajax_all.js.zgz
3. Search for the following setting: _12e0.showRememberMeCheckbox=true;
4. Change to _12e0.showRememberMeCheckbox=false;
5. Save this File
6. gzip -S .zgz Ajax_all.js
7. cd /opt/zimbra/tomcat/webapps/zimbra/WEB-INF/classes/msg (jetty instead of tomcat in 5.0)
8. vi ZmMsg.properties and search for 'rememberMe' comment this out with a # sign
9. vi ZhMsg.properties (for the html client) again comment out 'rememberMe'
10. tomcat stop/start or a full zmcontrol stop/start

Personally, I'm happy with session idle timeout of 1 day (so people can't leave themselves logged in overnight.) And auth token I usually set to 3 days.

Bugzilla request for the option to have the 'ogin 'remember me' checkbox show up or not via a setting in the admin console:
Bug 7958 - Disable "Remember me on this computer" on login screen


5.x directions:

To remove the 'Check Box' next to the 'Remember Me..' text. Edit the following file:

/opt/zimbra/jetty-6.1.5/webapps/zimbra/public/login.jsp

All you do is remove the below lines in red from the login.jsp file

<table width="100%">
<tr>
<td>
<input id="remember" value="1" type="checkbox" name="zrememberme" /></td>
<td class="zLoginCheckboxLabelContainer"><label for="remember"><fmt:message
key="rememberMe"/></label>
</td>
</tr>
</table>

To edit the 'Remember me....' text
/opt/zimbra/jetty/webapps/zimbra/WEB-INF/classes/messages/ZmMsg.properties
rememberMe = Remember me on this computer
(or comment out I suppose)

As a zimbra user, restart zimbra services:
su - zimbra
zmcontrol stop
zmcontrol start

or just zmmailboxdctl restart

Make sure you backup these files prior to making these changes. These changes may not survive an upgrade.