[BUG] External Password Change Still Allows User Access When "Remember Me" Set
Problem reported by Shaun Peet - October 11 at 9:04 AM

USER logs into the webmail and checks the "remember me" option when logging in.
ADMIN later changes the user's password
USER can still return to the webmail and is auto-logged in since the "remember me" cookie allows them access

Possible Solution:

Add a "last password changed date" to the authentication cookie.  When a session starts, if the user is already authenticated, then check that the value of the last password change for the user's account matches the last password change date set in the cookie.  If not, force a re-login on that device.  Then, when a user changes their own password, also update the cookie they are using on that device at the time with the new value so that they don't have to re-login on the device they just used to change their password (but they will have to re-login on other devices, which makes sense).
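The scheme proposed above, as an added example that is not SmarterMail's code or the poster's own: an HMAC-signed "remember me" cookie that embeds the account's password-change timestamp and is rejected as soon as the stored value differs. The signing key, the user store and the timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a server-side key used only to sign remember-me cookies (constructed).
SECRET = b"constructed-demo-secret"

# Constructed user store: the only field that matters here is the
# "last password changed" timestamp the proposal asks to track per account.
USERS = {"alice": {"pw_changed_at": 1_700_000_000}}


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_remember_me(user: str) -> str:
    """Issue a cookie carrying the account's current password-change timestamp."""
    payload = json.dumps({"u": user, "pwc": USERS[user]["pw_changed_at"]}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def user_from_cookie(cookie: str):
    """Return the user name if the cookie is authentic AND its password-change
    timestamp still matches the account; otherwise None, which forces a re-login."""
    try:
        b64, sig = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except ValueError:  # malformed cookie (missing separator or bad base64)
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None  # tampered or forged
    data = json.loads(payload)
    acct = USERS.get(data.get("u"))
    if acct is None or acct["pw_changed_at"] != data.get("pwc"):
        return None  # password changed since the cookie was issued
    return data["u"]


def admin_change_password(user: str, now: int) -> None:
    """Admin reset: bump the timestamp so every outstanding cookie goes stale."""
    USERS[user]["pw_changed_at"] = now


def user_change_password(user: str, now: int) -> str:
    """Self-service change: bump the timestamp and return a fresh cookie for this device."""
    USERS[user]["pw_changed_at"] = now
    return issue_remember_me(user)
```

A monotonically increasing per-account counter works the same way and avoids depending on clock resolution if two changes land within one second.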

2 Replies

Matt Petty Replied
Employee Post

What version of SmarterMail are you using? I know 17 has that solution you mentioned and I'm pretty sure 16 does too. I'm not sure about 15, but if you're on 15 I can check.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
Shaun Peet Replied
Hi Matt,

We're on v16 and this issue was reported to us from one of our customers.  I've yet to do extensive testing on SmarterMail since I realized this also exists in our own web app and I'm fixing it right now too :)
