PHP: Automating email account creation with new host who requires session tokens

JAB Creations

Active Member
Nov 21, 2009
28
2
53
I've switched hosts and the new host is much faster. The problem is that for some genius reason they've required the use of session tokens in the URL!

It is still possible to use PHP's file_get_contents() function to call a page but their version of cPanel doesn't understand the link format unless a session already exists.

This works...but only if a session already exists...
https: //user:pass&@wwwssr3.supercp.com:2083/cpsess2821474840/frontend/x3/mail/doaddpop.html?email=thatguy&domain=example.com&password=fakepassword&quota=0
Is there a way for me (I'm using a reseller account) to disable the use of session tokens in the URL?

If not how can I have PHP request the page, log in and then note the session token so I can then make the request?
 

JAB Creations

PHP file_get_contents URL email account creation no longer works with new host

My new host is fast which is great but for some dumb reason they require session tokens in the URL!

First off is there any way (with a reseller account) to disable the session tokens from being used in the URL?

On the new host when I use file_get_contents in PHP it always returns an empty string. Going to the correct URL does not work at all (with all the settings being correct) if a session has not been initiated. This negates my ability to have the server create the email account for clients. I do not want to have to manually log in, create an email account and know everyone's password every single time someone sets up an account.

This format works but only if the session/its token has already been established...

https: //user:pass&@wwwssr3.supercp.com:2083/cpsess2821474840/frontend/x3/mail/doaddpop.html?email=thatguy&domain=example.com&password=fakepassword&quota=0
Do I need to use something like cURL to detect the page, submit the form and then return the session token or is there a less retarded way to achieve this? I'm not interested in third party stuff. I have seen some weird XML-like code elsewhere though not sure if/how it's even applicable. I've spent some time in the documentation and most of it is for people who are lucky they even got in to cPanel to begin with.

I also posted a thread earlier on the forums and it seems to have been deleted! Not sure what that is about.
 

JaredR.

Well-Known Member
Feb 25, 2010
1,834
23
143
Houston, TX
cPanel Access Level
Root Administrator
Re: PHP file_get_contents URL email account creation no longer works with new host

JAB Creations said: "I also posted a thread earlier on the forums and it seems to have been deleted! Not sure what that is about."
It was not deleted. It was moderated for manual approval, since it was one of your first posts and it contained a URL. Please do not make multiple posts on the same subject. I have approved both posts and merged them into a single thread in the cPanel Developers section.

Session tokens have been required since cPanel 11.38, with no way to disable them. Even the root user cannot disable them, so a reseller is not going to be able to. This is not a result of your hosting provider's policy (if they are running cPanel 11.38 or 11.40), but of a change that was made in cPanel in order to enhance security.
 

JAB Creations

The documentation here is wrong...
Authentication Function Call Methods

...and the fact that such a major change would be implemented in such a minor version number (11.27-->11.28?) leaves me baffled; that completely negates the point of having documentation!

Another attempt that I'm making with PHP/cURL that is not working...

PHP:
<?php
$cp_user = 'user';
$cp_pwd = 'pass';

$query = 'https://wwwssr3.supercp.com:2083/';

$curl = curl_init();
// Both settings below turn off TLS certificate verification in this attempt
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); // Return contents of transfer on curl_exec
// The WHM hash header is disabled, so no custom header is set ($header would be undefined)
//$header[0] = "Authorization: WHM $whmusername:" . preg_replace("'(\r|\n)'","",$whmhash); // Remove newlines from the hash
//curl_setopt($curl, CURLOPT_HTTPHEADER, $header); // Set curl header
// Form-encoded POST body; http_build_query() escapes special characters in the values
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query(array('user' => $cp_user, 'pass' => $cp_pwd)));
curl_setopt($curl, CURLOPT_URL, $query); // Set your URL
$result = curl_exec($curl); // Execute query, assign to $result

// curl_exec() returns false on failure; compare strictly so an empty body is not treated as an error
if ($result === false) {
    error_log("curl_exec threw error \"" . curl_error($curl) . "\" for $query");
}
curl_close($curl);

echo $result;
?>
So I'm stuck without knowing if cURL is making a $_POST request (or dumbing out and making a $_GET request) and what echoes back looks like a $_GET request. So I'm stuck without any way to detect the cpsess security token. Oh, and this is only destroying all the productivity of my day.
 

KostonConsulting

Well-Known Member
Verified Vendor
Jun 17, 2010
255
1
68
San Francisco, CA
cPanel Access Level
Root Administrator
I would not recommend POSTing to cPanel pages directly. If cPanel decides to change the page, your script will break. Instead, use their PHP library (https://github.com/CpanelInc/xmlapi-php) and their JSON API for API2 (Email Module Documentation) to create the email account:

Code:
<?php

include '../xmlapi.php';

$ip = getenv('REMOTE_HOST'); // IP of cPanel/WHM server
$root_pass = getenv('REMOTE_PASSWORD'); // you can use root pass or another example below with cPanel user pass

// Placeholder values; replace with the real account and mailbox details
$cpanel_user = 'user';
$domain = 'example.com';
$email = 'thatguy';
$pass = 'fakepassword';
$quota = 0;

$account = $cpanel_user; // cPanel username

$xmlapi = new xmlapi($ip);
$xmlapi->password_auth("root", $root_pass);
$xmlapi->set_output("json");

$xmlapi->set_debug(1);
print $xmlapi->api2_query($account, "Email", "addpop", array('domain' => $domain, 'email' => $email, 'password' => $pass, 'quota' => $quota));

?>
or if you want to authenticate with the cPanel user's password:

Code:
<?php

include '../xmlapi.php';

$ip = getenv('REMOTE_HOST'); // IP of cPanel/WHM server
$user_pass = getenv('REMOTE_PASSWORD'); // cPanel user pass

// Placeholder values; replace with the real account and mailbox details
$cpanel_user = 'user';
$domain = 'example.com';
$email = 'thatguy';
$pass = 'fakepassword';
$quota = 0;

$account = $cpanel_user; // cPanel username

$xmlapi = new xmlapi($ip);
$xmlapi->set_debug(1);
$xmlapi->set_port('2083'); // Changes to cPanel (must do for authing with user account)

$xmlapi->password_auth($account, $user_pass);
$xmlapi->set_output("json");

print $xmlapi->api2_query($account, "Email", "addpop", array('domain' => $domain, 'email' => $email, 'password' => $pass, 'quota' => $quota));

?>
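
The same API2 Email::addpop call made directly over cURL, as an added example that is not part of the thread or of cPanel's library: credentials go in an HTTP Basic Authorization header and the mailbox password in the POST body rather than in the URL, and TLS verification stays on. The `/json-api/cpanel` endpoint, the `cpanel_jsonapi_*` parameter names and the response shape are assumptions to check against your server's API documentation; the function names, `cpanel.example.com` and the `CPANEL_PASS` variable are hypothetical.

```php
<?php
// Added example; mailbox values are the placeholders from the thread's sample URL.
// Endpoint and cpanel_jsonapi_* names are assumed (cPanel API2); verify on your server.

function addpop_request(string $account, array $mailbox): string
{
    // Parameters go in the POST body, so the new mailbox password never
    // appears in a URL (and therefore not in access logs or history).
    return http_build_query(array(
        'cpanel_jsonapi_user'       => $account,
        'cpanel_jsonapi_apiversion' => 2,
        'cpanel_jsonapi_module'     => 'Email',
        'cpanel_jsonapi_func'       => 'addpop',
    ) + $mailbox);
}

function call_cpanel_api(string $host, string $user, string $pass, string $body): string
{
    $curl = curl_init("https://$host:2083/json-api/cpanel");
    curl_setopt_array($curl, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // authenticate the server before
        CURLOPT_SSL_VERIFYHOST => 2,      // sending it any credentials
        CURLOPT_HTTPAUTH       => CURLAUTH_BASIC,
        CURLOPT_USERPWD        => "$user:$pass", // header, not user:pass@ in the URL
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_TIMEOUT        => 30,
    ));
    $response = curl_exec($curl);
    if ($response === false) {
        throw new RuntimeException('cURL error: ' . curl_error($curl));
    }
    return $response;
}

function addpop_succeeded(string $json): bool
{
    $r = json_decode($json, true);
    if (!is_array($r) || isset($r['cpanelresult']['error'])) {
        return false;
    }
    return (int) ($r['cpanelresult']['data'][0]['result'] ?? 0) === 1;
}

$body = addpop_request('user', array('email' => 'thatguy', 'domain' => 'example.com',
    'password' => 'fakepassword', 'quota' => 0));
// $json = call_cpanel_api('cpanel.example.com', 'user', getenv('CPANEL_PASS'), $body);
$json = '{"cpanelresult":{"data":[{"result":1,"reason":""}]}}'; // constructed sample response
var_dump(addpop_succeeded($json));
```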