The Community Forums


Horde with cPanel session security tokens

Discussion in 'E-mail Discussions' started by EneTar, Dec 12, 2016.

  1. EneTar

    EneTar Well-Known Member

    It took us several months to conclude this, and it happens under very specific circumstances.

    Code:
    # grep token /var/cpanel/cpanel.config
    xsrftokens=1
    and in file
    Code:
    /usr/local/cpanel/base/horde/imp/config/mime_drivers.local.php
    
    $mime_drivers['html']['inline'] = true;
    to display HTML messages by default.

    We noticed that behavior when some of our contacts have inline html images and when trying to view, reply or forward those emails using Horde.

    What happens is that the token being used in the image request does not match the token used in the webmail session that the email is viewed in, so it kills the session. This can be shown in the login and session logs.
    Code:
    /usr/local/cpanel/logs/session_log
    .....tokendenied [Too many token failures (3/3)].....
    
    /usr/local/cpanel/logs/login_log
    multiple errors of ...DEFERRED LOGIN webmaild: security token incorrect...
    
    
    If you wish, I can provide a more detailed log. Please give me an email address to send it to.
    This token denied error happens each time the session dies in Horde. When I view source on the email that this occurs on, I see the incorrect token requested in one of the images.

    As long as security tokens are enabled on the server, the Horde session will continue to be disconnected when a request to a resource is made that uses an invalid token for the active session. This is why it happens when viewing some emails but not others.

    System Information
    Code:
    [~]# /usr/local/cpanel/cpanel -V
    60.0 (build 26)
    [~]# grep '' /etc/redhat-release /usr/local/cpanel/version /var/cpanel/envtype ; grep CPANEL= /etc/cpupdate.conf ; httpd -v ; php -v ; mysql -V
    /etc/redhat-release:CentOS release 6.8 (Final)
    /usr/local/cpanel/version:11.60.0.26
    /var/cpanel/envtype:kvm
    CPANEL=release
    Server version: Apache/2.4.23 (cPanel)
    Server built:   Nov  8 2016 16:57:01
    ea-php-cli Copyright 2016 cPanel, Inc.
    PHP 7.0.13 (cli) (built: Nov 14 2016 15:24:28) ( NTS )
    Copyright (c) 1997-2016 The PHP Group
    Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies
        with Zend OPcache v7.0.13, Copyright (c) 1999-2016, by Zend Technologies
    mysql  Ver 15.1 Distrib 10.1.19-MariaDB, for Linux (x86_64) using readline 5.1
    
     
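The check EneTar describes doing by hand (viewing the message source and spotting an image URL that carries a different security token than the active webmail session) as a small diagnostic script. This is an added example, not code from the thread or from cPanel/Horde; it assumes the token appears in resource URLs as a `/cpsess<digits>/` path segment and runs on a constructed sample message.

```python
import re
from typing import List, Tuple

# Assumption: cPanel carries the session security token in the URL path as
# /cpsess<digits>/ (e.g. https://host:2096/cpsess1234567890/horde/...).
TOKEN_RE = re.compile(r"/(cpsess\d+)/")
# src= and href= attributes in the HTML body, single- or double-quoted
URL_ATTR_RE = re.compile(r"""\b(?:src|href)\s*=\s*["']([^"']+)["']""", re.IGNORECASE)

# Limit quoted from the session_log line: "Too many token failures (3/3)"
MAX_TOKEN_FAILURES = 3


def find_token_mismatches(html: str, session_token: str) -> List[Tuple[str, str]]:
    """Return (url, token) for every embedded resource whose cpsess token
    differs from the token of the webmail session the message is viewed in."""
    mismatches = []
    for url in URL_ATTR_RE.findall(html):
        m = TOKEN_RE.search(url)
        if m and m.group(1) != session_token:
            mismatches.append((url, m.group(1)))
    return mismatches


def session_survives(html: str, session_token: str) -> bool:
    """Model the failure counter: each mismatched resource request counts as
    one token failure; reaching MAX_TOKEN_FAILURES tears the session down."""
    return len(find_token_mismatches(html, session_token)) < MAX_TOKEN_FAILURES


# Constructed sample: an inline-HTML message whose image URLs still carry a
# stale token from an earlier Horde session, plus one external image.
SAMPLE_HTML = """
<html><body>
<p>Quarterly report attached.</p>
<img src="https://mail.example.test:2096/cpsess1111111111/horde/imp/view.php?id=1">
<img src="https://mail.example.test:2096/cpsess2222222222/horde/imp/view.php?id=2">
<img src='https://mail.example.test:2096/cpsess2222222222/horde/imp/view.php?id=3'>
<a href="https://mail.example.test:2096/cpsess2222222222/horde/imp/view.php?id=4">x</a>
<img src="https://cdn.example.test/logo.png">
</body></html>
"""

if __name__ == "__main__":
    active = "cpsess1111111111"
    for url, token in find_token_mismatches(SAMPLE_HTML, active):
        print(f"stale token {token} in {url}")
    print("session survives:", session_survives(SAMPLE_HTML, active))
```

Run it against the saved source of a message that kills the session; every reported URL is a resource request the server will count as a token failure.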
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    You should instead, open a ticket directly to cPanel Technical Support about this if you suspect a defect.
     
  3. EneTar

    EneTar Well-Known Member

    Thanks, I will. I just wanted to mention it here in case someone else experiences this and has a solution other than disabling HTML messages in Horde or disabling security tokens in cPanel.

    Just did: Support request ID: 8053809
     
    #3 EneTar, Dec 12, 2016
    Last edited: Dec 12, 2016