Operating System & Version
CentOS 7.9 virtuozzo
cPanel & WHM Version
v92.0.6

GoWilkes

Well-Known Member
Sep 26, 2006
611
24
168
cPanel Access Level
Root Administrator
Is there an up-to-date way of disabling security tokens? They're a huge annoyance for me; no one can access my server but me, anyway, but my home internet provider changes IPs constantly so I'm having to log back in to PMA every hour or 2!

On my old server, I added this to /var/cpanel/cpanel.config:

disable-security-tokens=1

That worked for a few hours, but then I started getting 401 errors.

I found another thread from 2013 where @Infopro said to change xsrftokens=0 to xsrftokens=1, but that parameter isn't in my config file so I don't know if I should just add it?
 

GoWilkes

This seemed to stop working a few weeks ago, so I assume there's an update that changed things. Any new suggestions on how to disable security tokens?
 

GoWilkes

Do you mean from WHM's Tweak Settings, or from /var/cpanel/cpanel.config?

I haven't changed anything in Tweak Settings since I created this thread in December. It worked for a while, but then a few weeks ago PMA started demanding that I log back in every few hours. It's a real pain; after I log in I have to go through, I think, 12 clicks to get back to where I was!

The only change I've ever made to cpanel.config is when I added xsrftokens. Here's the whole list, though:

Code:
RS=paper_lantern
VFILTERDIR=/etc/vfilters
access_log=/usr/local/cpanel/logs/access_log
account_login_access=owner_root
allow_deprecated_accesshash=0
allow_login_autocomplete=1
allow_server_info_status_from=
allowcpsslinstall=1
allowparkhostnamedomainsubdomains=0
allowparkonothers=0
allowremotedomains=0
allowresellershostnamedomainsubdomains=0
allowunregistereddomains=0
allowwhmparkonothers=0
alwaysredirecttossl=1
apache_port=0.0.0.0:80
apache_ssl_port=0.0.0.0:443
api_shell=0
autocreateaentries=1
autodiscover_host=cpanelemaildiscovery.cpanel.net
autodiscover_mail_service=imap
autodiscover_proxy_subdomains=0
autoupdate_certificate_on_hostname_mismatch=1
awstatsbrowserupdate=0
awstatsreversedns=0
bind_deferred_restart_time=2
blockcommondomains=1
bwcycle=2
cgihidepass=1
check_zone_owner=1
check_zone_syntax=1
chkservd_check_interval=300
chkservd_hang_allowed_intervals=2
chkservd_plaintext_notify=0
cluster_autodisable_threshold=10
cluster_failure_notifications=1
conserve_memory=0
cookieipvalidation=strict
coredump=0
cpaddons_adminemail=
cpaddons_autoupdate=1
cpaddons_max_moderation_req_all_mod=99
cpaddons_max_moderation_req_per_mod=99
cpaddons_moderation_request=0
cpaddons_no_3rd_party=0
cpaddons_no_modified_cpanel=1
cpaddons_notify_owner=1
cpaddons_notify_root=1
cpaddons_notify_users=Allow users to choose
cpanel_locale=
cpredirect=Origin Domain Name
cpredirectssl=SSL Certificate Name
cpsrvd-domainlookup=0
create_account_dkim=1
create_account_spf=1
csp=0
cycle_hours=24
database_prefix=1
debughooks=0
debugui=0
default_archive-logs=0
default_login_theme=cpanel
default_pkg_bwlimit=1048576
default_pkg_max_emailacct_quota=1024
default_pkg_quota=10240
default_remove-old-archived-logs=0
defaultmailaction=blackhole
disable-php-as-reseller-security=1
disable_cphttpd=0
disablequotacache=0
disk_usage_include_mailman=1
disk_usage_include_sqldbs=1
display_cpanel_doclinks=0
dns_recursive_query_pool_size=10
dnsadmin_log=0
dnsadmin_verbose_sync=0
dnsadminapp
dnslookuponconnect=0
docroot=/usr/local/cpanel/base
domainowner_mail_pass=0
dormant_services=cpdavd,cphulkd,cpsrvd,dnsadmin,spamd
dumplogs=1
email_account_quota_default_selected=unlimited
email_account_quota_userdefined_default_value=250
email_outbound_spam_detect_action=hold
email_outbound_spam_detect_enable=1
email_outbound_spam_detect_threshold=50
email_send_limits_count_mailman=0
email_send_limits_defer_cutoff=125
email_send_limits_max_defer_fail_percentage
email_send_limits_min_defer_fail_to_trigger_protection=5
emailarchive=0
emailpasswords=0
emailsperdaynotify
emailusers_diskusage_critical_contact_admin=1
emailusers_diskusage_critical_percent=90
emailusers_diskusage_full_contact_admin=1
emailusers_diskusage_full_percent=98
emailusers_diskusage_warn_contact_admin=0
emailusers_diskusage_warn_percent
emailusers_mailbox_critical_percent=90
emailusers_mailbox_full_percent=98
emailusers_mailbox_warn_percent=80
emailusersbandwidthexceed=0
emailusersbandwidthexceed70=0
emailusersbandwidthexceed75=0
emailusersbandwidthexceed80=0
emailusersbandwidthexceed85=0
emailusersbandwidthexceed90=0
emailusersbandwidthexceed95=0
emailusersbandwidthexceed97=0
emailusersbandwidthexceed98=0
emailusersbandwidthexceed99=0
empty_trash_days=disabled
enable_piped_logs=1
enablecompileroptimizations=0
enablefileprotect=1
enforce_user_account_limits=0
engine=cpanel
enginepl=cpanel.pl
engineroot=/usr/local/cpanel
exim-retrytime=180
exim_retention_days=1
eximmailtrap=1
extracpus=0
file_upload_max_bytes
file_upload_must_leave_bytes=5
file_usage=0
ftpquotacheck_expire_time=30
ftpserver=pure-ftpd
gzip_compression_level=6
gzip_pigz_block_size=4096
gzip_pigz_processes=2
horde_cache_empty_days=disabled
htaccess_check_recurse=2
httpd_deferred_restart_time=0
ignoredepreciated=0
invite_sub=1
ionice_bandwidth_processing=6
ionice_cpbackup=6
ionice_dovecot_maintenance=7
ionice_email_archive_maintenance=7
ionice_ftpquotacheck=6
ionice_log_processing=7
ionice_quotacheck=6
ionice_userbackup=7
ionice_userproc=6
ipv6_control=0
ipv6_listen=0
jailapache=0
jaildefaultshell=0
jailmountbinsuid=0
jailmountusrbinsuid=0
jailprocmode=mount_proc_jailed_fallback_full
keepftplogs=0
keeplogs=0
keepstatslog=0
loadthreshold
local_nameserver_type=powerdns
log_successful_logins=0
logchmod=0640
logout_redirect_url=
mailbox_storage_format=maildir
mailserver=dovecot
maintenance_rpm_version_check=1
maintenance_rpm_version_digest_check=1
maxcpsrvdconnections=200
maxemailsperhour=100
maxmem=4096
min_time_between_apache_graceful_restarts=10
minpwstrength=65
modsec_keep_hits=7
mycnf_auto_adjust_innodb_buffer_pool_size=0
mycnf_auto_adjust_maxallowedpacket=1
mycnf_auto_adjust_openfiles_limit=1
mysql-host=localhost
mysql-version=10.3
nobodyspam=0
nocpbackuplogs=0
nosendlangupdates=0
notify_expiring_certificates=1
numacctlist
overwritecustomproxysubdomains=0
overwritecustomsrvrecords=0
permit_appconfig_entries_without_acls=0
permit_appconfig_entries_without_features=0
permit_unregistered_apps_as_reseller=0
permit_unregistered_apps_as_root=0
php_max_execution_time=90
php_post_max_size=55
php_system_default_version=ea-php74
php_upload_max_filesize=50
phploader=
phpopenbasedirhome=0
pma_disableis=0
popbeforesmtp=0
popbeforesmtpsenders=0
product=cPanel
proxysubdomains=0
proxysubdomainsoverride=0
publichtmlsubsonly=1
query_apache_for_nobody_senders=1
referrerblanksafety=1
referrersafety=1
remotewhmtimeout=35
repquota_timeout=60
requiressl=1
resetpass=0
resetpass_sub=0
root=/usr/local/cpanel
rotatelogs_size_threshhold_in_megabytes=10
roundcube_db=sqlite
rpmup_allow_kernel=0
selfsigned_generation_for_bestavailable_ssl_install=1
send_error_reports=1
server_locale=en
show_reboot_banner=1
showwhmbwusageinmegs=0
signature_validation=Release Keyring Only
skip_chkservd_recovery_notify=0
skipanalog=1
skipapacheclientsoptimizer=0
skipawstats=1
skipboxcheck=1
skipboxtrapper=1
skipbwlimitcheck=1
skipchkservd=0
skipcpbandwd=0
skipdiskcheck=0
skipdiskusage=0
skipeximstats=0
skipfirewall=0
skiphorde=0
skiphttpauth=1
skipjailmanager=0
skipmailauthoptimizer=0
skipmailman=0
skipmodseclog=0
skipnotifyacctbackupfailure=0
skipoomcheck=0
skipparentcheck=0
skiprecentauthedmailiptracker=0
skiproundcube=0
skipspamassassin=0
skipspambox=1
skiptailwatchd=0
skipwebalizer=1
smtpmailgidonly=0
ssh_host_key_checking=0
ssl_default_key_type=rsa-2048
stats_log=/usr/local/cpanel/logs/stats_log
statsloglevel=1
statthreshhold=256
system_diskusage_critical_percent=98.5000
system_diskusage_warn_percent
tcp_check_failure_threshold=3
transfers_timeout=1800
tweak_unset_vars=enforce_user_account_limits,skipfirewall
upcp_log_retention_days=3
update_log_analysis_retention_length=90
use_apache_md5_for_htaccess=1
use_information_schema=1
useauthnameservers=0
usemailformailmanurl=0
usemysqloldpass=0
userdirprotect=0
verify_3rdparty_cpaddons=0
version=3.4
xframecpsrvd=1
xsrftokens=1
 

GoWilkes

To be clear, I set xsrftokens=1 in December 2020. I haven't changed anything since then, but I do see that cpanel.config was last modified on May 25 @ 12:55am. So maybe there was an update then?

If it helps, WHM shows:

CENTOS 7.9 vzcontainer [server_name] v94.0.10

and cPanel shows 96.0.8
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
6,923
912
313
cPanel Access Level
Root Administrator
Since your machine started out on 94.0.10, I did the following:

- created a 94.0.9 machine and added the xsrftokens=1 value to /var/cpanel/cpanel.config.
- updated the server to 94.0.10 - no change on that value.
- updated to 96.0.8 - no change on that value.

With that testing I don't have any additional details on that, and I haven't seen other reports of tweak settings being modified. You're always welcome to submit a ticket to our team so we can check your specific environment if you'd like.
 

GoWilkes

I think maybe I'm not explaining it well...

The value isn't physically going away or anything, it's just not working. I use T-Mobile internet at home (which is infinitely faster than local DSL!), but the IP seems to change every few hours. So where I keep 3 tabs of PMA open at all times, at least a few times a day I'll try to access one of the tabs and be confronted with a Security Token error.

I then have to log back in, then reimport my PMA settings, then select the database, then select the table I was working on, and then paste the query back in. And I have to do that on all 3 tabs.
 

cPRex

I'm not able to reproduce an issue with the token value at this time, although I must admit I had to do some hackery to get a different IP address on my local system. The behavior you are experiencing would be caused by the cPanel sessions alone unrelated to the token value, as that access session is linked to an IP address.

I tested this by connecting to WHM from my local machine, then joining a VPN and refreshing the page. My connection was dropped with the "Your IP address has changed. Please log in again." error in the interface.
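
The behaviour described in the last reply, as an added example that is not part of the thread and is not cPanel's code: a small model of a session check in which the client IP is validated separately from the security token, so a request with a valid token is still rejected once the IP changes. The function names, the order of the checks and the `loose`/`disabled` semantics are assumptions; `cookieipvalidation=strict` and `xsrftokens=1` are the values from the posted config.

```python
import hmac
import ipaddress

def parse_config(text):
    """Parse cpanel.config-style lines; a bare key (no '=') maps to None."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        conf[key] = value if sep else None
    return conf

def ip_matches(mode, login_ip, request_ip):
    """Assumed semantics: strict = exact match, loose = same /24, disabled = no check."""
    if mode == "disabled":
        return True
    a, b = ipaddress.ip_address(login_ip), ipaddress.ip_address(request_ip)
    if mode == "loose":
        return b in ipaddress.ip_network(f"{a}/24", strict=False)
    return a == b  # "strict", and any unknown value, fails closed to an exact match

def check_request(conf, session, request):
    """Return why a request is accepted or rejected (hypothetical model)."""
    mode = conf.get("cookieipvalidation") or "strict"
    # The IP binding is evaluated on its own: a correct token does not rescue
    # a session whose client address no longer matches the login address.
    if not ip_matches(mode, session["ip"], request["ip"]):
        return "ip_changed"
    if not hmac.compare_digest(session["token"], request["token"]):
        return "bad_token"
    return "ok"

# Constructed sample: two keys with the values from the posted config, plus a bare key.
SAMPLE = "cookieipvalidation=strict\nxsrftokens=1\ndnsadminapp\n"
# Constructed session; addresses come from documentation ranges, the token is made up.
SESSION = {"ip": "198.51.100.10", "token": "cpsess0123456789"}

if __name__ == "__main__":
    conf = parse_config(SAMPLE)
    for ip in ("198.51.100.10", "198.51.100.77", "203.0.113.5"):
        result = check_request(conf, SESSION, {"ip": ip, "token": SESSION["token"]})
        print(ip, "->", result)
```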