Kill completely a running WHM browser session

sktest123

Well-Known Member
Jan 31, 2017
99
6
8
kochin
cPanel Access Level
Root Administrator
Hello ,

How to kill completely all running whm sessions via browser. For eg: say initially i logged into whm , then I changed the root password via the terminal/ssh . Now i want all existing whm login session to be killed . But If I reload the previous login session via browser it automatically loads again.
Even if we try killing process or restart cpanel/cpsrvd/whostmgrd services or kill (signals) process , we are still able to load the previous login session via browser (cookies help ) and still access every section (even we change root password).

So is there any method to kill a running/previous whm login sessions completely out of box or force them to use the new root password .
If am wrong please clarify?
 

Eminds

Well-Known Member
Nov 10, 2016
319
32
28
India
cPanel Access Level
Root Administrator
after resetting the root password for server and whm , go to

/var/cpanel/sessions/cache this is where the sessions are cached so I believe removing those sessions should do what you are looking for.
 

sktest123

Well-Known Member
Jan 31, 2017
99
6
8
kochin
cPanel Access Level
Root Administrator
no luck , just tried it , but wont resolve the issue , still able to access the browser session (removed the files like
root:xxxxxxx at /var/cpanel/sessions/cache :)
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,250
463
no luck , just tried it , but wont resolve the issue , still able to access the browser session (removed the files like
root:xxxxxxx at /var/cpanel/sessions/cache :)
Hello,

You can find the active processes for WHM with a command such as:

Code:
ps aux|grep whostmgrd
Then, kill the individual processes using the "kill -9" command and restart cpsrvd via:

Code:
/scripts/restartsrv_cpsrvd
Thank you.
 

sktest123

Well-Known Member
Jan 31, 2017
99
6
8
kochin
cPanel Access Level
Root Administrator
Hello Michael,
please note that above suggestions wont have any effect at all. It doesn't have any effect in current whm active browser session forcefully to use the new root passwd . Already I have tried all those method .
Please verify it and if am missing some thing clarify.




The whmcs version is
11.62.0.10
 
Last edited:

sktest123

Well-Known Member
Jan 31, 2017
99
6
8
kochin
cPanel Access Level
Root Administrator
Hello Michael,

seems my "kill" term has created the confusion, let me clarify :
I have a current active login whm browser session
Then I changed the root password via command line using normal "passwd" or via /scripts/realchpass (either way)
Now I need all active browser sessions to forcefully use the new updated password when they try to visit any settings in whm or reload it.
Can this be possible by any method either by restarting or clearing session files or as by kill commands like wise.

"In the case if we change the password via whm , then use restart cpsrvd it will forcefully make the current session to use the new password. But if we change the root password via the command line it doesn't"
So any better method to do the same if we change the password from command line .
 
Last edited:

sktest123

Well-Known Member
Jan 31, 2017
99
6
8
kochin
cPanel Access Level
Root Administrator
Let cut down it all the way ,

Can I have below sort of functionality: After changing the root password via whm or command line,

"Sign out all other sessions button (via browsersessions or api sessions or apps or whmcs likewise ) just to ensure that your account isn't open at another location or force to use new password."

Incase of attacks this would be beneficial.
As I said if am wrong please clarify
 

Infopro

Well-Known Member
May 20, 2003
17,076
523
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
say initially i logged into whm , then I changed the root password via the terminal/ssh . Now i want all existing whm login session to be killed . But If I reload the previous login session via browser it automatically loads again.
Even if we try killing process or restart cpanel/cpsrvd/whostmgrd services or kill (signals) process , we are still able to load the previous login session via browser (cookies help ) and still access every section (even we change root password).
I've logged in to WebHost Manager and changed my password several times now to test this. Once I change it and I keep browser open, I can navigate to other areas of WebHost Manager, yes, but only for a moment or two. And then this message pops up for me:
 

Attachments

sktest123

Well-Known Member
Jan 31, 2017
99
6
8
kochin
cPanel Access Level
Root Administrator
Hello Support
As you mentioned after changing the root password even via whm "the navigation to other settings happens" instead of having an immediate session invalid/expired logout.
Server is aws ec2 amazon AMI
Version is 11.62.0.10
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,250
463
Hello @sktest123,

Could you open a support ticket using the link in my signature so we can investigate this further? You can post the ticket number here and I'll update this thread with the outcome.

Thank you.
 

sktest123

Well-Known Member
Jan 31, 2017
99
6
8
kochin
cPanel Access Level
Root Administrator
Hello ,

It's a temporary amazon instance which I created via free tier . But as I said your "session authentication" has got a delay in reconnecting with the server after changing the root password (either via whm or ssh) . But the old httpauth as usual works better (via skiphttpauth) . To my knowledge as i mentioned above the below feature would be best after changing root password.

"Sign out all other sessions button (via browsersessions or api sessions or apps or whmcs likewise ) just to ensure that your account isn't open at another location or force to use new password."

If you think it's a good suggestion please add it as a feature request.
Thanks for your prompt reply and support.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,250
463
To my knowledge as i mentioned above the below feature would be best after changing root password.

"Sign out all other sessions button (via browsersessions or api sessions or apps or whmcs likewise ) just to ensure that your account isn't open at another location or force to use new password."

If you think it's a good suggestion please add it as a feature request.
I encourage you to open a feature request if you'd like to see such an option included in the future:

Submit A Feature Request

You can post the feature request URL here after it's approved so that others viewing this thread can vote and add feedback.

Thank you.