maybe bug - cookies not invalidated by password change - auth vs active directory

BloodyIron
Advanced member
Posts: 67
Joined: Sat Sep 13, 2014 2:58 am

Post by BloodyIron »

So I'm not sure if this is a known bug, or what.
Our Zimbra OSE is set up to auth against our Active Directory domain. I've kept the default parameters for cookies as it seemed to be a good idea. Turns out, it was not working how I thought.
A person left the company recently, and as such I changed their password. The account was not disabled for our own reasons (intentional). However, the password change did not invalidate previous cookies. As such the person was able to access their email. Fortunately they didn't do anything malicious, they just sent out a farewell email.
I've set the parameter to log users out when they close a tab, but this is still concerning.
Anyways, just a PSA on this one. Stay safe!
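The failure mode the post describes, sessions that keep working after the password behind them has changed, comes down to how the session store is told about credential changes. The following is an added example written for this thread; it is not Zimbra's code and not anything the poster shared. It is a constructed in-memory session store in Python shown twice: once with the naive check (token exists and has not expired, so a password change has no effect), and once with every token bound to a per-user credential epoch that a password change increments, so all older tokens stop validating. The class names, `change_password` hook, signing key and the user `departed.user` are all constructed for the demo.

```python
"""Session tokens that outlive a password change, and one way to fix it.

Constructed demo, not Zimbra code. NaiveSessionStore reproduces the
behaviour in the post; EpochSessionStore binds tokens to a credential
epoch so a password change invalidates every previously issued token.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side signing key. A real deployment loads this from
# protected configuration rather than generating it per process.
SIGNING_KEY = secrets.token_bytes(32)
DEFAULT_TTL = 3600  # session lifetime in seconds


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the token payload, hex encoded."""
    return hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()


class NaiveSessionStore:
    """Checks only that the token exists and has not expired. A password
    change (in AD or anywhere else) never reaches this store."""

    def __init__(self, ttl: int = DEFAULT_TTL) -> None:
        self.ttl = ttl
        self.sessions: dict[str, tuple[str, float]] = {}

    def issue(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, now + self.ttl)
        return token

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        entry = self.sessions.get(token)
        if entry is None or now >= entry[1]:
            return None
        return entry[0]

    def change_password(self, user: str) -> None:
        # The directory accepted the new password; nothing here is told.
        pass


class EpochSessionStore:
    """Each token carries the user's credential epoch. Incrementing the
    epoch (password change, "log out everywhere") invalidates all older
    tokens without tracking them individually."""

    def __init__(self, ttl: int = DEFAULT_TTL) -> None:
        self.ttl = ttl
        self.epoch: dict[str, int] = {}  # user -> current credential epoch

    def issue(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        payload = f"{user}|{self.epoch.get(user, 0)}|{int(now + self.ttl)}"
        return f"{payload}.{_sign(payload)}"

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        payload, sep, sig = token.rpartition(".")
        if not sep or not hmac.compare_digest(sig, _sign(payload)):
            return None  # forged or tampered token
        try:
            user, epoch, expiry = payload.split("|")
            epoch, expiry = int(epoch), int(expiry)
        except ValueError:
            return None  # malformed payload
        if now >= expiry or epoch != self.epoch.get(user, 0):
            return None  # expired, or issued before the last password change
        return user

    def change_password(self, user: str) -> None:
        # Hook this to whatever event tells the mail server the credential
        # changed; with external directory auth, that event must be wired in.
        self.epoch[user] = self.epoch.get(user, 0) + 1


def demo() -> dict[str, bool]:
    """Issue a session, change the password, report whether each store
    still accepts the old token (True means the stale session survives)."""
    results = {}
    for name, store in (("naive", NaiveSessionStore()), ("epoch", EpochSessionStore())):
        token = store.issue("departed.user", now=1_000)
        store.change_password("departed.user")
        results[name] = store.validate(token, now=1_500) is not None
    return results


if __name__ == "__main__":
    print(demo())
```

The epoch check is cheap and needs no per-token bookkeeping, but it only helps if the application actually learns about the password change. When authentication is delegated to an external directory, that notification is the missing link: either the admin reset must also bump the user's epoch on the mail side, or the server must periodically re-verify the session against the directory. Shortening the session lifetime, as the poster did, narrows the window but does not close it.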