[BUG] External Password Change Still Allows User Access When "Remember Me" Set
Problem reported by Shaun Peet - 10/11/2018 at 9:04 AM
Resolved
Scenario:

USER logs into the webmail and checks the "remember me" option when logging in.
ADMIN later changes the user's password
USER can still return to the webmail and is auto-logged in since the "remember me" cookie allows them access

Possible Solution:

Add a "last password changed date" to the authentication cookie.  When a session starts, if the user is already authenticated, then check that the value of the last password change for the user's account matches the last password change date set in the cookie.  If not, force a re-login on that device.  Then, when a user changes their own password, also update the cookie they are using on that device at the time with the new value so that they don't have to re-login on the device they just used to change their password (but they will have to re-login on other devices, which makes sense).

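The mechanism proposed above (and the takeover scenario described later in the thread, where a former holder of a shared mailbox keeps access through a stale "remember me" cookie) can be implemented by stamping the account's password-change time into a signed cookie and comparing it on every resumed session. The following is an added illustration written for this post, not SmarterMail's code; the account store, the secret, the timestamps and the function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Constructed server-side secret for signing cookies; a real deployment
# loads this from protected configuration, never from source.
SECRET = b"constructed-server-secret-do-not-reuse"

# Constructed account store. The field the thread's proposal needs is
# password_changed_at: an integer timestamp bumped on every password change.
ACCOUNTS = {
    "treasurer@domainname.com": {
        "password_hash": None,
        "salt": None,
        "password_changed_at": 1539000000,
    },
}


def _set_password(username: str, new_password: str, now: int) -> None:
    """Store a salted PBKDF2 hash and record when the password changed."""
    salt = os.urandom(16)
    acct = ACCOUNTS[username]
    acct["salt"] = salt
    acct["password_hash"] = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
    acct["password_changed_at"] = now


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_remember_me_cookie(username: str, now: Optional[int] = None) -> str:
    """Build a signed remember-me cookie that embeds the account's current
    password-change timestamp, so a later check can detect that it moved."""
    payload = {
        "user": username,
        "pw_changed_at": ACCOUNTS[username]["password_changed_at"],
        "issued_at": now if now is not None else int(time.time()),
    }
    raw = json.dumps(payload, sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).decode() + "." + _sign(raw)


def validate_remember_me_cookie(cookie: str) -> Optional[str]:
    """Return the username when the cookie is authentic AND the password has not
    changed since it was issued; otherwise None, and the caller forces re-login."""
    try:
        b64, sig = cookie.rsplit(".", 1)
        raw = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(_sign(raw), sig):
        return None  # forged or tampered cookie
    payload = json.loads(raw)
    acct = ACCOUNTS.get(payload.get("user"))
    if acct is None:
        return None
    # The check the thread proposes: the stamp in the cookie must equal the
    # stamp on the account. Any password change (admin or user) breaks it.
    if payload.get("pw_changed_at") != acct["password_changed_at"]:
        return None
    return payload["user"]


def admin_change_password(username: str, new_password: str, now: int) -> None:
    """Administrator resets the password: every outstanding cookie stops validating."""
    _set_password(username, new_password, now)


def user_change_own_password(username: str, new_password: str, now: int) -> str:
    """User changes their own password: other devices are logged out, but the
    device performing the change receives a fresh cookie and stays signed in."""
    _set_password(username, new_password, now)
    return issue_remember_me_cookie(username, now)


if __name__ == "__main__":
    user = "treasurer@domainname.com"
    old = issue_remember_me_cookie(user, now=1539100000)
    print("before reset:", validate_remember_me_cookie(old))   # treasurer@domainname.com
    admin_change_password(user, "constructed-new-password", now=1539200000)
    print("after admin reset:", validate_remember_me_cookie(old))  # None
```

The comparison is for equality, not ordering, so a restored backup that moves the timestamp backwards also invalidates cookies rather than silently accepting them; and because the stamp travels inside the signed payload, a client cannot simply edit it to match.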
5 Replies

Matt Petty Replied
Employee Post
Hello,

What version of SmarterMail are you using? I know 17 has that solution you mentioned and I'm pretty sure 16 does too. I'm not sure about 15, but if you're on 15 I can check.
Matt Petty Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
Shaun Peet Replied
Hi Matt,

We're on v16 and this issue was reported to us from one of our customers.  I've yet to do extensive testing on SmarterMail since I realized this also exists in our own web app and I'm fixing it right now too :)

Shaun

Shaun Peet Replied
Hi Matt,

We need to escalate this as it is a confirmed issue with V16.  If there is an email account, say "treasurer@domainname.com" in the possession of Person A and that person uses the webmail with the "remember me" option checked, and then subsequently Person B takes over that email address (with the Administrator and/or Person B changing the password), Person A *can still access webmail* because of the "remember me" cookie on their computer / device.

We are about to lose a customer over this.  Please fix.

Shaun

Employee Replied
Employee Post Marked As Resolution
Shaun, in the latest release this issue has been resolved.
Shaun Peet Replied
Awesome, thanks.  We installed the latest release last night so hopefully we can confirm that it's all good.  I'll post back here if the issue persists.  Thanks again!

Edit:  Confirmation from customer that the fix works.  Thanks.
