Horde with cPanel session security tokens

EneTar

Well-Known Member
Dec 19, 2015
156
12
68
Greece
cPanel Access Level
Root Administrator
It took us several months to reach this conclusion, and it happens under very specific circumstances.

Code:
# grep token /var/cpanel/cpanel.config
xsrftokens=1
and in the file
Code:
/usr/local/cpanel/base/horde/imp/config/mime_drivers.local.php

$mime_drivers['html']['inline'] = true;
to display HTML messages by default.

We noticed that behavior when some of our contacts have inline HTML images and when trying to view, reply or forward those emails using Horde.

What happens is that the token being used in the image request does not match the token used in the webmail session that the email is viewed in, so it kills the session. This can be shown in the login and session logs.
Code:
/usr/local/cpanel/logs/session_log
.....tokendenied [Too many token failures (3/3)].....

/usr/local/cpanel/logs/login_log
multiple errors of ...DEFERRED LOGIN webmaild: security token incorrect...
If you wish, I can provide a more detailed log. Please give me an email address to send this to.
This token denied error happens each time the session dies in Horde. When I view source on the email that this occurs on, I see the incorrect token requested in one of the images.

As long as security tokens are enabled on the server, the Horde session will continue to be disconnected when a request to a resource is made that uses an invalid token for the active session. This is why it happens when viewing some emails but not others.

System Information
Code:
[~]# /usr/local/cpanel/cpanel -V
60.0 (build 26)
[~]# grep '' /etc/redhat-release /usr/local/cpanel/version /var/cpanel/envtype ; grep CPANEL= /etc/cpupdate.conf ; httpd -v ; php -v ; mysql -V
/etc/redhat-release:CentOS release 6.8 (Final)
/usr/local/cpanel/version:11.60.0.26
/var/cpanel/envtype:kvm
CPANEL=release
Server version: Apache/2.4.23 (cPanel)
Server built:   Nov  8 2016 16:57:01
ea-php-cli Copyright 2016 cPanel, Inc.
PHP 7.0.13 (cli) (built: Nov 14 2016 15:24:28) ( NTS )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.13, Copyright (c) 1999-2016, by Zend Technologies
mysql  Ver 15.1 Distrib 10.1.19-MariaDB, for Linux (x86_64) using readline 5.1
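The view-source check described in the first post, automated: an added example (not the poster's code and not part of cPanel or Horde) that pulls every auto-fetched resource URL out of an HTML message body and reports those whose cPanel session token differs from the active session's. It assumes the token appears as a /cpsessNNNN/ path segment in webmail URLs; the sample message, host name and token values are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption (not stated on the page): the cPanel security token appears in
# webmail resource URLs as a "/cpsessNNNNNNNNNN/" path segment, digits only.
TOKEN_RE = re.compile(r"/(cpsess\d+)/")

# Constructed sample message: one image carries a stale token from another
# session, one carries the active session's token, one is external.
SAMPLE_HTML = """<html><body><p>Quarterly report attached.</p>
<img src="https://webmail.example.test:2096/cpsess1111111111/horde/services/images/view.php?id=1">
<img src="/cpsess2222222222/horde/services/images/view.php?id=2">
<img src="https://cdn.example.test/logo.png">
</body></html>"""

class _ResourceCollector(HTMLParser):
    """Collect URLs a mail client fetches automatically when rendering HTML."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        for key, value in attrs:
            if key in ("src", "background") and value:
                self.urls.append(value)

def resource_urls(html):
    parser = _ResourceCollector()
    parser.feed(html)
    return parser.urls

def token_of(url):
    """Return the cpsess token embedded in a URL's path, or None."""
    match = TOKEN_RE.search(urlparse(url).path)
    return match.group(1) if match else None

def find_token_mismatches(html, active_token, webmail_host):
    """URLs on the webmail host whose token differs from the active session's.
    Each such fetch is one token failure; session_log shows the session being
    dropped once the failure limit (3/3) is reached."""
    mismatches = []
    for url in resource_urls(html):
        host = urlparse(url).hostname
        token = token_of(url)
        if token is None or host not in (None, webmail_host):
            continue  # token-less or off-host resource: cPanel does not check it
        if token != active_token:
            mismatches.append(url)
    return mismatches
```

Pass the body of a message that triggers the disconnect together with the token from the current webmail URL; every URL returned is a resource whose fetch would count as one token failure.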

EneTar
Thanks, I will. I just wanted to mention it here in case someone else experiences this and has a solution other than disabling HTML messages in Horde or disabling security tokens in cPanel.

Just did: Support request ID: 8053809