Security Token Tweak setting missing? [case 71137,case 71669, case 71933, case 73073]

GIANT_CRAB

Well-Known Member
Mar 23, 2012
89
0
56
cPanel Access Level
Root Administrator
Hey everyone,

I'm having an issue at the moment.

I want to enable security token setting in cPanel but I couldn't find it under Tweak Settings > Security.

cPanel - WHM 11.36.0 (build 11).

I have some other cPanel servers as well and I can't find the security token setting as well.

I did some search before and could only find irrelevant questions/answers.
Any reasons why?

Thanks :)
 
Last edited:

GIANT_CRAB

Well-Known Member
Mar 23, 2012
89
0
56
cPanel Access Level
Root Administrator
Thanks for the reply! :)

I assume the "cpsess2342367245371" is the security token.
If its enabled by default, why isn't there any "cpsess2342367245371" in the url?

All of my cPanel servers that had security tokens enabled initially have that code.
This particular cPanel server I had; I disabled security tokens by mistake when the update showcase thingy popped up, so now there's no way of enabling it?
 

bbf

Member
Feb 21, 2008
9
0
51
They're on by default, but how do we disable them? The on/off toggle is not in Tweak Settings > Security anymore.
 

quietFinn

Well-Known Member
Feb 4, 2006
2,041
551
493
Finland
cPanel Access Level
Root Administrator
They're on by default, but how do we disable them? The on/off toggle is not in Tweak Settings > Security anymore.
Didn't you see the post #4 in this thread?
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,607
80
458
cPanel Access Level
Root Administrator
Please be advised that in cPanel & WHM 11.38 it will not be possible to enable or disable security tokens. They will always be enabled.
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,607
80
458
cPanel Access Level
Root Administrator
Thanks for a straight answer, can we request to have this back?
If you could satisfy my curiosity I would much appreciate it: what is the value in being able to configure whether this basic security functionality is enabled or not?

To request a change, please file a feature request at https://features.cpanel.net
 

WebHostPro

Well-Known Member
PartnerNOC
Jul 28, 2002
1,727
28
328
LA, Costa RIca
cPanel Access Level
Root Administrator
Twitter
If you could satisfy my curiosity I would much appreciate it: what is the value in being able to configure whether this basic security functionality is enabled or not?

To request a change, please file a feature request at https://features.cpanel.net
Thanks for the link as well.

Because it's more streamlined and better for security not needing to access the SSH for something that could easily be changed via WHM.
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,607
80
458
cPanel Access Level
Root Administrator
Thanks for the link as well.

Because it's more streamlined and better for security not needing to access the SSH for something that could easily be changed via WHM.
You're welcome.

I think my question was poorly worded. Why do you need to disable security tokens?
 

WebHostPro

Well-Known Member
PartnerNOC
Jul 28, 2002
1,727
28
328
LA, Costa RIca
cPanel Access Level
Root Administrator
Twitter
Oh lol.

It just causes too many issues with customers, our techs, and me to be able to log in when it's important to be able to do so. I also don't think it helps the overall security. I do think security should be the #1 priority with cpanel I just think this one causes too many errors at this point. There has been times out of town when I had an emergency and I was locked out from this. I also get about 5-10 customer issues a week from it.
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,607
80
458
cPanel Access Level
Root Administrator
Oh lol.

It just causes too many issues with customers, our techs, and me to be able to log in when it's important to be able to do so. I also don't think it helps the overall security. I do think security should be the #1 priority with cpanel I just think this one causes too many errors at this point. There has been times out of town when I had an emergency and I was locked out from this. I also get about 5-10 customer issues a week from it.
Security Tokens are the addition of a unique ID to the URL when using cPanel & WHM. It usually is in the form of cpsessXXXXXXXXXXX where the Xs are numbers. Once logged in, you are only asked to reauthenticate if that ID disappears from the URL. Usual causes for the ID disappearing are custom themes and applications that are not updated to use security tokens. Security Tokens prevent XSS and XSRF attacks.

We also have a feature called Source IP Check. That feature tracks the IP addresses you use to connect with. Every time you connect from a different IP address, you are challenged to answer several questions.

The behavior you describe sounds more like source IP check, to me, rather than security tokens.
 

Solokron

Well-Known Member
Aug 8, 2003
852
2
168
Seattle
cPanel Access Level
DataCenter Provider
The issue I am encountering with 11.38 over 11.36 is with it forced I receive

Internal Server Error
500
No response from subprocess

from a plugin script. This only occurs on servers we have 11.38 on. Ever server that has 11.36 it works fine.

I don't forsee this plugin being updated any time soon. Is there a way around this for the plugin script?