Preauth: Block cookie?

[erulabs]

Hello,

I've been working on a simple ZMS administration interface for our Customer Support department, and one of the big issues is the way the "view mail" system works. Using the offical Admin interface or my own hand-crafted SOAP interface, using preauth (clicking "view mail" in the Admin interface) ships the browser to a URL such as "http://webmail.example.com/service/preauth?authtoken=", in which the HTTP header:

Set-Cookie: ZM_AUTH_TOKEN=MY_REALLY_LONG_AUTH_STRING;Path=/


appears. My issue is this: Many of my support agents use a single browser intance to do their jobs (ie, Firefox with many tabs, etc). When this "view mail" action happens, it kills their currnet cookie with the mail server, thus, logging them out of their own mail instance.

The best solution here is to somehow tell preauth not to set a cookie, but rather just to set a session. If this isnt poissible due to the backend of Zimbra, possibly one could mangle the _name_ of the cookie?


Thanks for all your help ahead of time. As usual, I will post here if I manage to figure this out myself.


- Seandon Mooy

[erulabs]

I'm going to impliment something terrible... What I've done is altered my script to collect the ZM_AUTH_TOKEN, and keep it in a session. Then, the user it forwarded to Zimbra, delegates into the new user and gets a new ZM_AUTH_TOKEN. When the user is done, they click the "logout" button in zimbra, which forwards them to another script, which restores the users cookie for the session.

This is a terrible way of doing things, and its only a fix for my scripts, not for the Zimbra main interface.

[KANT]

Hi,

I just read your post, and i'm having something similir when i connect my zimbra with CAS to have a SSO.

Could you plese tell me what did you do to correct the problem in your script? i check login.jsp and i see about you said.

I also have to say that i'm actually checking the Zimbra 6 version and the problem is still the same.

Thanks for all