Cookie IP validation per Reseller / cPanel?

frenz

Member
Nov 4, 2014
cPanel Access Level
Reseller Owner
Dear Sir,
Is the Cookie IP validation a global setting? Can it be set at Reseller level or even per cPanel? Some Resellers do NOT want it enabled, or maybe configurable per Reseller / cPanel account. Possible? Thanks
 

24x7ss

Well-Known Member
Sep 30, 2014
India
cPanel Access Level
Root Administrator
Hello :)

Yes, it is a global setting and you can disable it from Security settings, but disabling it is not recommended, as this limits the ability of attackers who capture cPanel session cookies to use them in an exploit of the cPanel or WebHost Manager interfaces.
 

frenz

Member
Nov 4, 2014
cPanel Access Level
Reseller Owner
> Hello :)
>
> Yes, it is a global setting and you can disable it from Security settings but disabling it is not recommended as this limits the ability of attackers who capture cPanel session cookies to use them in an exploit of the cPanel or WebHost Manager interfaces.

Dear Sir,
Not disabled but changed to Loose per Reseller / cPanel level as per request. Some users connect via mobile Internet and their IPs keep changing from time to time, even during a constant connection. Often, they were just kicked out suddenly 5 times within 10 minutes while working in the File Manager.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

This is a global setting that is not configurable on a per-domain or per-reseller basis.

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Per the description of this option:

Validate the IP addresses used in all cookie-based logins. This will limit the ability of attackers who capture cPanel session cookies to use them in an exploit of the cPanel or WebHost Manager interfaces. For this setting to have maximum effectiveness, proxydomains should also be disabled. Strict validation requires the current IP address and the cookie IP address to exactly match. Loose validation only requires they are in the same /24.

Due to the nature of this option, it's not something that's username based. Thus, it can't be applied to individual accounts.

Thank you.
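
The Strict and Loose rules from the option description quoted above, as an added example that is not part of the thread and not cPanel's own code. The function names, the mode strings, the exact-match fallback for IPv6, and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

def cookie_ip_ok(cookie_ip: str, current_ip: str, mode: str) -> bool:
    """Return True if a session cookie bound to cookie_ip is accepted from current_ip."""
    if mode == "disabled":
        return True
    bound = ipaddress.ip_address(cookie_ip)
    seen = ipaddress.ip_address(current_ip)
    if mode == "strict":
        # Strict: current IP and cookie IP must match exactly.
        return bound == seen
    if mode == "loose":
        # The option text only defines /24, an IPv4 prefix. Assumption:
        # anything that is not IPv4-to-IPv4 falls back to an exact match.
        if bound.version != 4 or seen.version != 4:
            return bound == seen
        # Loose: both addresses must sit in the same /24.
        return seen in ipaddress.ip_network(f"{bound}/24", strict=False)
    raise ValueError(f"unknown mode: {mode}")

def forced_logouts(request_ips, mode):
    """Count session drops over a request sequence; each drop is followed
    by a fresh login that rebinds the cookie to the new address."""
    logouts = 0
    bound = request_ips[0]
    for ip in request_ips[1:]:
        if not cookie_ip_ok(bound, ip, mode):
            logouts += 1
            bound = ip
    return logouts

# Constructed sample: a mobile client whose carrier rotates its address,
# first inside one /24, then across to another /24 and back.
MOBILE_SESSION = [
    "198.51.100.17", "198.51.100.17", "198.51.100.203", "198.51.100.44",
    "203.0.113.9", "203.0.113.9", "198.51.100.17",
]

if __name__ == "__main__":
    for mode in ("strict", "loose", "disabled"):
        print(f"{mode:8} forced logouts: {forced_logouts(MOBILE_SESSION, mode)}")
    # A cookie replayed from an unrelated network is rejected by both modes;
    # one replayed from the same /24 is rejected only by strict.
    for mode in ("strict", "loose"):
        print(mode, cookie_ip_ok("198.51.100.17", "192.0.2.50", mode),
              cookie_ip_ok("198.51.100.17", "198.51.100.99", mode))
```

Loose mode absorbs address changes inside one /24 but still drops the session when the carrier moves the client to a different block, and it accepts a captured cookie presented from any address in the victim's /24.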