Automatically Logging Into cPanel

[cmichaelis]

Hi there,

As part of integrating cPanel with our offerings, I have a button that will log users into their cPanel control panel automatically. I found several forum postings here with people trying to do this, but most have been unsuccessful. I have it working for all but IE7 with a fairly simple approach.

Like many, I've tried logging in via CURL or via an fsock in PHP and passing the login session to the client before redirecting them. This doesn't work - it seems not to accept the cookie, perhaps due to some new security restrictions in browsers preventing my app's domain from setting a cookie for the cpanel server's domain.

This leads me to my second - simpler - approach, which works for all but IE7. The code simply sends a 302 redirect to the location "https://***:2083/login/?user=****&pass=***" in order to get them in. This works fine on all browsers except for IE7, which pops up a login window. It even works for IE8, strangely enough.

Has anyone had a similar experience or built in similar functionality? Incidentally, I'm aware of the security risk of adding the login to the URL, but no comparable alternative exists that I'm aware of. I tried using http://user:pass@domain.com/resource, but apparently Microsoft has stripped support for this URI scheme from all of their products despite being in the RFC. If there's a better (more secure) way, I'd be happy to hear it. I rather liked the "log in with curl and pass the cookie", so if there's a way to make that work, I'd be happy to revisit that solution.

I did a tcpdump of the conversation between my test box and the cPanel server; the anonymized conversation is summarized below. From it, I'm gathering that it seems to have logged in OK (as evidenced by the redirect to /frontend/... for the skin), but then something seems to go wrong when the browser then follows that redirect into the skin, and it gets a 401 and a login window. I also noticed here that the session cookie has changed between when it liked me and after I offended it.

Any ideas? The tcpdump conversation follows below. I'd be eternally grateful for any tips, ideas, or a working solution. :)

Thanks!
--Chris

Code:

ME:
GET /login/?user=****&pass=**** HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Connection: Keep-Alive
Host: ****.net:2082

SERVER:
HTTP/1.1 301 Moved
Server: cpsrvd/11.25
Content-length: 135
Location: /frontend/****/index.html?post_login=18673456655548
Set-Cookie: cpsession=****TZzGaTpaCHHrx3DTX6_memwYDfDZhLbLYEnWheIwZXvifuRieomHsa6SQZusuoug; path=/; httponly; port=2082
Set-Cookie: logintheme=; path=/; port=2082
Set-Cookie: langedit=; path=/; port=2082
Set-Cookie: lang=; path=/; port=2082
Set-Cookie: cprelogin=no; path=/; port=2082
Set-Cookie: roundcube_sessid=expired; path=/; expires=Wednesday, 09-Nov-99 23:12:40 GMT; port=2082
Set-Cookie: Horde=expired; path=/horde; expires=Wednesday, 09-Nov-99 23:12:40 GMT; port=2082
Set-Cookie: imp_key=expired; path=/horde; expires=Wednesday, 09-Nov-99 23:12:40 GMT; domain=****.net; port=2082
Set-Cookie: key=expired; path=/3rdparty/squirrelmail/; expires=Wednesday, 09-Nov-99 23:12:40 GMT; domain=****.net; port=2082
Set-Cookie: SQMSESSID=expired; path=/; expires=Wednesday, 09-Nov-99 23:12:40 GMT; domain=****.net; port=2082
Content-type: text/html

<html><head><META HTTP-EQUIV="refresh" CONTENT="0;URL=/frontend/****/index.html?post_login=18673456655548"></head><body></body></html>


ME:
GET /frontend/****/index.html?post_login=18673456655548 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Connection: Keep-Alive
Host: ****.net:2082

SERVER:
HTTP/1.1 401 Access Denied
WWW-Authenticate: Basic realm="cPanel"
Connection: close
Set-Cookie: logintheme=cpanel; path=/; port=2082
Set-Cookie: cprelogin=no; path=/; port=2082
Set-Cookie: cpsession=qjd6rmV8Q6ULxHnITFVTkcjKAPQtDoQYhefDOrYe5dnWUl2VJawR__oCN2HMNaSQ; path=/; port=2082
Server: cpsrvd/11.25
Content-type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="shortcut icon" href="/cPanel_magic_revision_1250892074/unprotected/cpanel/favicon.ico" type="image/x-icon" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>cPanel&reg; 11</title>
<link rel="stylesheet" href="/cPanel_magic_revision_1250892074/unprotected/cpanel/style.css" type="text/css" />
<!--[if IE]>
<style type="text/css">
#mid{
	height:300px;
}
</style>
<![endif]-->
</head>
<body>
<div id="wrap">
	<div id="top"></div>
	<div id="mid">
		<div id="content-wrap" align="center"> 

<form action="/login/" method="post">
    <input type="hidden" name="login_theme" value="cpanel" />
    <table width="200" class="login" cellpadding="0" cellspacing="0">
        <tr>
            <td align="left"><b>Login</b></td>
            <td>&nbsp;</td>
        </tr>
        <tr>
            <td>Username</td>
            <td><input id="user" type="text" name="user" size="16" tabindex="1" /></td>
        </tr>
        <tr class="row2">
            <td>Password</td>
            <td><input id="pass" type="password" name="pass" size="16" tabindex="2" /></td>
        </tr>
        <tr>
            <td colspan="2" style="text-align: center"><input type="submit" value="Login" class="input-button" tabindex="3" /></td>
        </tr>
    </table>
    <input type="hidden" name="goto_uri" value="/frontend/****/index.html?post_login=18673456655548" />
</form>

<script type="text/javascript">
/* Must not include external javascript -jnk 06.20.09 */
    var init = function() {
        document.getElementById("user").value = '';
        document.getElementById("pass").value = '';
        document.getElementById("user").focus();
    };
if( window.addEventListener ) {
    window.addEventListener('load',init,false);
} else if( document.addEventListener ) {
    document.addEventListener('load',init,false);
}
</script>
</div>
</div>
<div id="bot">
</div>
&copy; cPanel, Inc. 2009
</div>
</body>
</html>

[sanjaydagar123]

you can use the following code to create button

<input type="button" value="cPanel Login" onclick="window.location='/cpanelusername:cpanelpassword@yourdomainname.com:2082/frontend/x3/index.html'" />

here is:
cpanelusername - your cpanel username
cpanelpassword - your cpanel password
yourdomainname.com - your domain for which your created your account
x3 - theme of your cpanel

after click that button, you can login directly to cPanel without prompt username and password.

[MattCurry]

Thank you for the information.

Thank you,
Matthew curry

[dattas]

you can use the following code to create button

<input type="button" value="cPanel Login" onclick="window.location='/cpanelusername:cpanelpassword@yourdomainname.com:2082/frontend/x3/index.html'" />

here is:
cpanelusername - your cpanel username
cpanelpassword - your cpanel password
yourdomainname.com - your domain for which your created your account
x3 - theme of your cpanel

after click that button, you can login directly to cPanel without prompt username and password.

This does not work IE 7 and IE 8 no longer support the username:password@domain.com uri anymore. You get a "Windows cannot find [url here] please check your spelling and try again." In other browsers you get a prompt similar to this:

You are about to log in to the site "domain.com" with the username "username", but the website does not require authentication. This may be an attempt to trick you.

Is "domain.com" the site you want to visit?

which is also undesirable. I have been using google and these forms to try to find an automatic login but have been unsuccessful. Is there a setting in WHM I need to change? Basically I have my own control panel that my clients login to and when they click on the "login" button it shows an iframe that I want it to automatically login to, Like the user above my setup seems to work in everything except for IE 7.

[cmichaelis]

Hi sanjaydagar123 --

I am afraid that approach will not work. IE doesn't support using the http[s]://user:domain@domain.com[ort] URI scheme any longer - any attempt to use it pops up an error dialog immediately.

Thanks,
--Chris

[cPanelDavidG]

Here's a post you may find relevant:

http://forums.cpanel.net/f42/whm-rem...tml#post437949

[cmichaelis]

Hi David,

Thanks for the reply. I checked out the Perl module, and it does indeed use some of the same techniques I was using with my first attempt. I wrote a bit of code to make use of LogMeIn.pm, and it works great on all browsers - except IE7 again. So, back to square one there.

Interesting, if I take the login URL that I end up getting directed to (.../login/?session=foo) from the IE7 address bar after hitting Cancel on the pop-up authentication window, and paste it into FireFox, it comes right up and logs in seamlessly. So, it must be something specific to IE7.

What that is, I couldn't tell you... I'm getting close to putting up a custom login theme that says "If you got here, upgrade to IE8" or something to that effect. Anybody have any other ideas to look into, before I throw in the towel?

Thanks,
--Chris

Here's a post you may find relevant:

http://forums.cpanel.net/f42/whm-rem...tml#post437949

[bvierra]

Not sure why everyone is taking you in such a round about way...

https://host.name.com:2082/login/?login_theme=cpanel&goto_uri=/&login=1&user=$USER&pass=$PASS

and make sure that:
Disable Http Authentication for cPanel/WebMail/WHM Logins (forces cookie authentication.) This will help prevent certain types of XSRF attacks that rely on cached Http Auth credentials.

is checking in Tweak Settings