Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: [SOLVED] "remember me" option timout

  1. #1
    melody is offline Active Member
    Join Date
    Jan 2007
    Posts
    32
    Rep Power
    8

    Exclamation [SOLVED] "remember me" option timout

    Hi,
    In the zimbra web client help. This statement is mentioned:
    How many hours "remember me" works is set by your administrator

    So, i wonder how can i set the time limit for this option.
    Thanks.

  2. #2
    jholder's Avatar
    jholder is offline Former Zimbran
    Join Date
    Oct 2005
    Location
    Thatcher, AZ
    Posts
    5,606
    Rep Power
    20

    Default

    It should be in the Class of Service in the Web Admin UI

  3. #3
    melody is offline Active Member
    Join Date
    Jan 2007
    Posts
    32
    Rep Power
    8

    Exclamation setting "remember me time out" option

    Hi ,
    i looked into the class of service in Web Admin UI. could you please tell what is the option that sets the remember me time out?
    Thanks.

  4. #4
    AimanA is offline Active Member
    Join Date
    Jan 2007
    Location
    Rochester, NY
    Posts
    45
    Rep Power
    8

    Default

    Quote Originally Posted by melody View Post
    Hi ,
    i looked into the class of service in Web Admin UI. could you please tell what is the option that sets the remember me time out?
    Thanks.
    "Advanced" tab
    towards the bottom in "Timeout Policy"
    You want to change the "Auth Token Lifetime" I think default is 2 days (that is when you check the "remember me" box in the login)

  5. #5
    keffa is offline Active Member
    Join Date
    Mar 2007
    Posts
    42
    Rep Power
    8

    Default

    Quote Originally Posted by AimanA View Post
    "Advanced" tab
    towards the bottom in "Timeout Policy"
    You want to change the "Auth Token Lifetime" I think default is 2 days (that is when you check the "remember me" box in the login)
    Is it possible to set this setting to 0 and thereby disable the facility for people to remember their logins?

    Edit: Tried this. Doesn't work as it logs you out the moment you log in but its a good halfway marker as it allows you to remember their login for a shorter period of time which is better for those environments where the user should not be storing his or her password.
    Last edited by keffa; 03-26-2007 at 10:12 AM.

  6. #6
    AimanA is offline Active Member
    Join Date
    Jan 2007
    Location
    Rochester, NY
    Posts
    45
    Rep Power
    8

    Default

    PERSONALLY, I would definately NOT set that to zero, since the web client is publically accessible, and if someone just hits the [X] button to close their browser without logging out (say, at an internet cafe). Their login credentials will NEVER EXPIRE, and the next user who types in the name to your mailserver's zimbra frontend will have unfettered access to that users mailbox.

    That's just my opinion... and I'm a pretty security conscious dude.

    PS: that flag is days.... not seconds.

  7. #7
    keffa is offline Active Member
    Join Date
    Mar 2007
    Posts
    42
    Rep Power
    8

    Default

    Quote Originally Posted by AimanA View Post
    PERSONALLY, I would definately NOT set that to zero, since the web client is publically accessible, and if someone just hits the [X] button to close their browser without logging out (say, at an internet cafe). Their login credentials will NEVER EXPIRE, and the next user who types in the name to your mailserver's zimbra frontend will have unfettered access to that users mailbox.

    That's just my opinion... and I'm a pretty security conscious dude.

    PS: that flag is days.... not seconds.
    You can alter the flag to days, hours, minutes or seconds.

    I was actually thinking of preventing the user from storing their login details at all just like you said. In a corporate enviroment (Or indeed the public one you gave in your example) storing your login credentials is unallowable.

    I was thinking in terms of a traditional cookie where if you specify a date in the past or a date that will expire almost instantly (As in for example, 0 or 1 seconds) the cookie is removed the moment you close the browser thereby removing your stored details.

    However having just tried it its clear Zimbra logs you out the moment the duration of time is up after you have been last active so you will be instantly logged out if you set it to 0 or 1 seconds so as a stop gap measure you can set this to something like 3 hours (Which should be more than enough for someone to compose a very long email yet short enough for security reasons).

    The ultimate way to prevent it of course is to edit the HTML source code and remove the feature thereby taking the option away from the user entirely.

  8. #8
    Vimm is offline Active Member
    Join Date
    Mar 2007
    Posts
    35
    Rep Power
    8

    Unhappy Can "remember me" be disabled?

    Can the "Remember me" option be disabled? An ignorant user who didn't even know how it works howled that it makes the system insecure and now management has decreed it needs to be removed immediately.

    Yes, I'm serious. You can't make this stuff up.

  9. #9
    keffa is offline Active Member
    Join Date
    Mar 2007
    Posts
    42
    Rep Power
    8

    Default

    Quote Originally Posted by Vimm View Post
    Can the "Remember me" option be disabled? An ignorant user who didn't even know how it works howled that it makes the system insecure and now management has decreed it needs to be removed immediately.

    Yes, I'm serious. You can't make this stuff up.
    It can be edited out of the HTML code if you know what your doing. Or set to something stupid like 3 hours in the administrators settings. There is currently no feature to disable it though.

  10. #10
    mmorse's Avatar
    mmorse is offline Moderator
    Join Date
    May 2006
    Location
    USA
    Posts
    6,242
    Rep Power
    21

    Default

    I assume you already make use of auth token & session idle timeout (in the user or COS > advanced tab > timeout policy at the bottom)
    (I take it you couldn't get management to understand the difference even.)

    To change just the text of "remember me on this computer":
    1. cd /opt/zimbra/tomcat/webapps/zimbra/WEB-INF/classes/msg (it will be in jetty in 5.0)
    2. vi ZmMsg.properties and search for 'rememberMe'
    3. vi ZhMsg.properties (for the html client)
    4. tomcat stop/start

    Now the checkbox will still be there-so you could get creative on your wording
    Or if you want to make things interesting-set the auth token and session idle timout as low as minutes or seconds for the individual user that complained-then see how fast the complaint stops when they have to login 20 times a day...

    To remove check box all together:
    1. cd /opt/zimbra/tomcat/webapps/zimbra/js (jetty instead of tomcat in 5.0)
    2. gzip -d -S .zgz Ajax_all.js.zgz
    3. Search for the following setting: _12e0.showRememberMeCheckbox=true;
    4. Change to _12e0.showRememberMeCheckbox=false;
    5. Save this File
    6. gzip -S .zgz Ajax_all.js
    7. cd /opt/zimbra/tomcat/webapps/zimbra/WEB-INF/classes/msg (jetty instead of tomcat in 5.0)
    8. vi ZmMsg.properties and search for 'rememberMe' comment this out with a # sign
    9. vi ZhMsg.properties (for the html client) again comment out 'rememberMe'
    10. tomcat stop/start or a full zmcontrol stop/start

    Personally, I'm happy with session idle timeout of 1 day (so people can't leave themselves logged in overnight.) And auth token I usually set to 3 days.

    Bugzilla request for the option to have the 'ogin 'remember me' checkbox show up or not via a setting in the admin console:
    Bug 7958 - Disable "Remember me on this computer" on login screen


    5.x directions:

    To remove the 'Check Box' next to the 'Remember Me..' text. Edit the following file:

    /opt/zimbra/jetty-6.1.5/webapps/zimbra/public/login.jsp

    All you do is remove the below lines in red from the login.jsp file

    <table width="100&#37;">
    <tr>
    <td>
    <input id="remember" value="1" type="checkbox" name="zrememberme" /></td>
    <td class="zLoginCheckboxLabelContainer"><label for="remember"><fmt:message
    key="rememberMe"/></label>
    </td>

    </tr>
    </table>

    To edit the 'Remember me....' text
    /opt/zimbra/jetty/webapps/zimbra/WEB-INF/classes/messages/ZmMsg.properties
    rememberMe = Remember me on this computer
    (or comment out I suppose)

    As a zimbra user, restart zimbra services:
    su - zimbra
    zmcontrol stop
    zmcontrol start

    or just zmmailboxdctl restart

    Make sure you backup these files prior to making these changes. These changes may not survive an upgrade.
    Last edited by mmorse; 11-14-2008 at 12:12 PM.

Page 1 of 2 12 LastLast

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. Do not deliver before option
    By nufan in forum Installation
    Replies: 0
    Last Post: 09-18-2008, 02:55 PM
  2. Freeze option "include shared items" ?
    By glenndm in forum Users
    Replies: 0
    Last Post: 08-07-2008, 02:20 AM
  3. [SOLVED] Remember User?
    By rickvv in forum Administrators
    Replies: 5
    Last Post: 10-08-2007, 06:16 PM
  4. [SOLVED] remember login
    By freshfitz in forum Administrators
    Replies: 7
    Last Post: 08-14-2007, 04:24 AM
  5. Replies: 1
    Last Post: 03-21-2007, 11:18 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •