No announcement yet.

Important information for administrators of Open-Xchange Server 6 v6.18

This topic is closed.
  • Filter
  • Time
  • Show
Clear All
new posts

  • Important information for administrators of Open-Xchange Server 6 v6.18

    Please pay attention: New improvements for administrators of Open-Xchange Server 6 v6.18

    In this release, Open-Xchange introduces two main changes, which require to change configuration especially for those updating from an earlier version:

    New Apache settings

    An automated versioning of the JavaScript files has been implemented. With that enhancement it is no more necessary to clean the browsers cache after each Open-Xchange update, the browser will automatically recognize the new version and reload the necessary files.

    This requires changes to the apache configuration. Further information about the settings are documented at the Installation Guides for the different platforms:
    Debian 5.0:
    SLES 10:
    SLES 11:
    RHEL 5:

    Persistent Auto login / Enhanced Session handling

    Open-Xchange introduces a persistent auto-login mechanism, which allows the user to decide, if he wants (for security reasons) to enter his login and password every time when he opens Open-Xchange, or if he wants to automatically log into OX from his computer ("Remember Me" functionality) as long as the session is available on the server. If the user selects this option, the session information will be stored in two different cookies in the browser and will be valid for a configurable amount of days.

    Attention (User): The user must only use this feature if he is working with a secured workstation and not with a publicly accessible computer like an internet cafe.
    Attention (Administrator): A new option is introduced, which allows the administrator to activate the feature server-wide when he is sure, all his clients are secure enough to allow the users to use that feature. The auto-login feature is disabled by default and needs to be activated manually by the administrator. To enhance security, the auto-login mechanism is only available through secure, encrypted connections. The session lifetime needs to be configured to the wanted time (please note, that keeping sessions too long may waste your RAM).

    In Multi-Server environments, the JSESSIONID lifetime needs to be configured accordingly to ensure, that the loadbalancing mechanism works after closing the browser.
    Besides more comfort for the user, the cookie handling introduced with the persistent auto-login enhances security of OX. If single requests are hijacked or exchanged during transport to the client (Broken loadbalancer, webserver, ...) it will not be possible to hijack the users session.

    The mechanism of the OX session-handling is in detail described in this whitepaper:

    Please read the Release Notes for further information under
    Configuration Changes -
    Change #334 - Auto-Login and Lifetime of Session Cookies
    Change #347 - GUI Versioning to Remove the Need for clearing Browser Caches after each Update

    You will find the Release Notes here:
    Last edited by Carsten Hoeger; 09-08-2010, 11:50 AM. Reason: improved