The Community Forums


Accounts will not log out... security hole?

Discussion in 'Security' started by krycek, Apr 20, 2003.

  1. krycek

    krycek Member

    Joined:
    Apr 18, 2003
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Since upgrading to Cpanel I am getting an odd problem.

    If I log into an account, say www.mydomain.com:2082, then I cannot log out.

    I mean, I can click the link, close the window, ANYTHING... but as soon as I return to that URL, I am still logged in.

    The same is currently happening with phpMyAdmin too (set to http auth) and so I am suspecting a misconfiguration of Apache sessions, but I'm not sure where to look or what for.

    Needless to say, this is causing some concern among my customers and I am eager to fix it.

    I apologise if someone has already posted about this, but I did a quick search and could find nothing similar.

    ::] krycek [::
     
  2. X-Istencedotcom

    X-Istencedotcom Well-Known Member

    Joined:
    Apr 14, 2003
    Messages:
    223
    Likes Received:
    0
    Trophy Points:
    16
    This has to do with your browser, not the server side.

    Delete all cache and everything from your browser and you should be logged out, reason for this is that IE/Mozilla/Opera want to make it easy for a user.
     
  3. krycek

    krycek Member

    Joined:
    Apr 18, 2003
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    I don't think it's the browser's fault.

    Take phpMyAdmin for instance - this did not use to happen before the upgrade.

    In any case, how do I cure it? I obviously want the logoff to actually work!

    ::] krycek [::
     
  4. X-Istencedotcom

    X-Istencedotcom Well-Known Member

    Joined:
    Apr 14, 2003
    Messages:
    223
    Likes Received:
    0
    Trophy Points:
    16
    I'm sorry, but I don't know. I don't really care and my customers don't either. So I am all happy.
     
  5. krycek

    krycek Member

    Joined:
    Apr 18, 2003
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Hmmm, I don't like your tone.

    I didn't ask you personally to respond, and I don't see why you felt the need to do so if that is all you are going to say.

    Personally I don't care about you and your customers, but I care about mine, obviously, and I also care about security holes.

    If this problem is happening to other people, then it should be looked into. If you personally do not care about security then that's fine, but I do, and I would like a response from someone that is more helpful (for instance, Cpanel staff) rather than get told by you that you don't care (your point is...?)

    ::] krycek [::
     
  6. X-Istencedotcom

    X-Istencedotcom Well-Known Member

    Joined:
    Apr 14, 2003
    Messages:
    223
    Likes Received:
    0
    Trophy Points:
    16
    My point is that it's not as big a security hole as you think. Only the same browser from the same PC can log back on.

    Second, I was apologizing, saying that I didn't know what the answer to your question was, thinking that you thought my first response was good info.

    And last, cPanel staff WILL not reply to this, since they are NEVER on this forum. Basically that means you can open a trouble ticket at http://support.cpanel.net/ or just wait till someone else but me comes along and helps you out, which you think would help you better than me.

    X-Istence
     
  7. krycek

    krycek Member

    Joined:
    Apr 18, 2003
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    It IS as big as I think.

    And I have submitted a support request, by the way.

    Sorry if I misread your tone... but I think it was understandable.

    I must say I'm a bit shocked that Cpanel staff never read these forums. I hope their response on the support requests is good, then...

    After all, Cpanel is pretty expensive and as with anything, there should be good support. Fingers crossed... (I've seen some posts which hint they are not A-1 standard in this area!)

    ::] krycek [::
     
  8. X-Istencedotcom

    X-Istencedotcom Well-Known Member

    Joined:
    Apr 14, 2003
    Messages:
    223
    Likes Received:
    0
    Trophy Points:
    16
    Apology accepted. Good luck.
     
  9. X-Istencedotcom

    X-Istencedotcom Well-Known Member

    Joined:
    Apr 14, 2003
    Messages:
    223
    Likes Received:
    0
    Trophy Points:
    16
    That's what I said in my first post.
     
  10. krycek

    krycek Member

    Joined:
    Apr 18, 2003
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Very true.

    I'm still wondering why this happens, though. Surely sessions are in use, and they should end when you log out or close the browser...

    Also, like I said, this did not use to happen with phpMyAdmin prior to my upgrade to Cpanel.

    Hmmmmmm.

    ::] krycek [::
     
  11. Nico

    Nico Well-Known Member

    Joined:
    Dec 5, 2001
    Messages:
    233
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Edmond, OK
    That has been happening for well over a year that I know of with Cpanel, and it's not just with Cpanel. It happens with any site you log into that is protected with the .htaccess feature as well. As long as multiple browsers are open, they all have to be closed to perform a "true logout".
     
  12. krycek

    krycek Member

    Joined:
    Apr 18, 2003
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    I investigated this and found that because Mozilla uses a 'quick start' app, even if you close all browser windows, you remain logged in...

    Once I closed the quick start app too, the 'problem' disappeared.

    I'm sorry X-istence, it looks as if you were right first time.

    Ironically, your answer was also the one that I gave a couple of days ago, but I then got convinced otherwise.

    Anyway, I'm pretty satisfied now that it IS the browser, and so I'll not worry about it any more :)

    Cheers for the help!

    ::] krycek [::
     
  13. krycek

    krycek Member

    Joined:
    Apr 18, 2003
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    OK, now I'm back to worrying.

    Browser or not, this is a Bad Thing. :(

    Why did this never happen with Ensim...?

    And, any way to change the Cpanel login method - to cookies for instance?

    ::] krycek [::
     
  14. X-Istencedotcom

    X-Istencedotcom Well-Known Member

    Joined:
    Apr 14, 2003
    Messages:
    223
    Likes Received:
    0
    Trophy Points:
    16
    If cPanel used cookies it would be a WAY bigger security risk. This is because cookies are easier to fake than browser identification/computer hash, which allows for the holding of the username and pass in cache.

    I suggest you advise people who see this behaviour to either disable caching in their browser or close all browsers for a "complete" logout, and when IE/Mozilla ask them if they want to save the password, to click NO.

    There is no way for cPanel to FORCE the browser to lose its password/login cache!
     
  15. macdabby

    macdabby Member

    Joined:
    Aug 5, 2003
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Update?

    I know this is an old post, but I have only recently run into this issue and it is a BIG problem!!

    2 reasons:

    1: I manage multiple accounts - If I log into cpanel and work on account A, I can't log out and work on account B! I have to log in through http://ip:2083 because of the way the server is configured, and since it's the same address, I can't switch users.

    2: Sometimes I need to log into an account from someone else's computer! I know this isn't always the "safest" way to log in, but sometimes it is necessary, and I don't want that computer to be permanently logged into my account, so the next person who uses it has access!

    How can I fix this? Has anyone found a solution?
     
  16. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    With cPanel/WHM, there are 2 possible methods of authentication: Cookie Authentication and HTTP Authentication. By default, HTTP Authentication is used but the system administrator can go into Tweak Settings and switch the server to Cookie Authentication instead.

    Cookie Authentication is easier to forge, but will result in you being logged out as soon as you click the logout button and your logout is processed by the server and browser.

    HTTP Authentication is more difficult to forge, but browsers (not the server) will keep you logged in for the duration of your browser session. So when you click logout, cPanel will log you out. However, if you don't close your web browser and go back to the cPanel interface, the browser will recognize you already authenticated to this site and will automatically re-log you in. Hence, HTTP Authentication is preferred, but you must remember to close your browser window to logout and not automatically be logged back in.

    Keep in mind, the Password Protect Directories feature in cPanel also uses HTTP Authentication.

    When I manage multiple accounts simultaneously, I just go to thatAccountsDomain.com/cpanel and my browsers (Firefox, IE, Chrome, Safari, Camino) all seem to cope well with that.

    When I'm on a friend's computer, I logout, close the browser, re-open the browser to that URL to make certain they get a login prompt and ensure that I did not accidentally save my credentials to their browser.
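    As an added illustration (not code from any poster in this thread or from cPanel) of the behaviour cPanelDavidG describes: with HTTP Basic Authentication every request carries the credentials themselves, so a "logout" leaves the server nothing to revoke and a browser that resends its cached header is simply logged in again, whereas a cookie session can be deleted server-side. The user store and the session layer below are constructed for the example.

    ```python
    import base64
    import secrets

    USERS = {"alice": "s3cret"}  # constructed credential store for the example


    def check_basic(authorization):
        """Validate an HTTP Basic 'Authorization' header (base64 of user:password).

        Returns the username on success, None otherwise. Note there is no state:
        the server cannot 'forget' a valid header, because each one is a full login.
        """
        if not authorization or not authorization.startswith("Basic "):
            return None
        try:
            decoded = base64.b64decode(authorization[6:], validate=True).decode()
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            return None
        user, _, password = decoded.partition(":")
        return user if USERS.get(user) == password else None


    class CookieSessions:
        """Minimal server-side session table keyed by a random cookie value."""

        def __init__(self):
            self._store = {}

        def login(self, user, password):
            if USERS.get(user) != password:
                return None
            sid = secrets.token_urlsafe(32)  # unguessable session id for the cookie
            self._store[sid] = user
            return sid

        def logout(self, sid):
            self._store.pop(sid, None)  # revocation is a server-side delete

        def check(self, sid):
            return self._store.get(sid)


    def replay_after_logout_basic():
        """Browser keeps the header; after 'logout' the same header still authenticates."""
        cached_header = "Basic " + base64.b64encode(b"alice:s3cret").decode()
        return check_basic(cached_header)  # the server has nothing to invalidate


    def replay_after_logout_cookie():
        """Same flow with a cookie session: the replayed cookie is rejected."""
        sessions = CookieSessions()
        sid = sessions.login("alice", "s3cret")
        sessions.logout(sid)
        return sessions.check(sid)
    ```

    The Basic-auth case only ends when the browser itself drops the cached header, which is why closing every browser window (and, as krycek found, any "quick start" background process) is the only effective logout there.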
     
  17. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider