Security Token Tweak setting missing? [case 71137,case 71669, case 71933, case 73073]

[GIANT_CRAB]

Hey everyone,

I'm having an issue at the moment.

I want to enable security token setting in cPanel but I couldn't find it under Tweak Settings > Security.

cPanel - WHM 11.36.0 (build 11).

I have some other cPanel servers as well and I can't find the security token setting as well.

I did some search before and could only find irrelevant questions/answers.
Any reasons why?

Thanks

 

[Infopro]

Tokens are enabled by default now.

11.35.0.4
2013-01-15
Fixed cases 62842,56191: Xsrftokens is enabled by default in etc/cpanel.config.

CPanelVersion1136 < AllDocumentation/ChangeLog < TWiki

 

[GIANT_CRAB]

Tokens are enabled by default now.

CPanelVersion1136 < AllDocumentation/ChangeLog < TWiki

Thanks for the reply!

I assume the "cpsess2342367245371" is the security token.
If its enabled by default, why isn't there any "cpsess2342367245371" in the url?

All of my cPanel servers that had security tokens enabled initially have that code.
This particular cPanel server I had; I disabled security tokens by mistake when the update showcase thingy popped up, so now there's no way of enabling it?

 

[Infopro]

Check this file:
/var/cpanel/cpanel.config

For this:
xsrftokens=0

If you find that, change it to this:
xsrftokens=1

See if that helps.

 

[GIANT_CRAB]

Check this file:
/var/cpanel/cpanel.config

For this:
xsrftokens=0

If you find that, change it to this:
xsrftokens=1

See if that helps.

That worked, thanks a lot!

 

[bbf]

They're on by default, but how do we disable them? The on/off toggle is not in Tweak Settings > Security anymore.

 

[quietFinn]

They're on by default, but how do we disable them? The on/off toggle is not in Tweak Settings > Security anymore.

Didn't you see the post #4 in this thread?

 

[GIANT_CRAB]

They're on by default, but how do we disable them? The on/off toggle is not in Tweak Settings > Security anymore.

Hello,

I think you missed out this post:

Check this file:
/var/cpanel/cpanel.config

For this:
xsrftokens=0

If you find that, change it to this:
xsrftokens=1

See if that helps.

 

[cPanelKenneth]

Please be advised that in cPanel & WHM 11.38 it will not be possible to enable or disable security tokens. They will always be enabled.

 

[WebHostPro]

Please be advised that in cPanel & WHM 11.38 it will not be possible to enable or disable security tokens. They will always be enabled.

Thanks for a straight answer, can we request to have this back?

 

[cPanelKenneth]

Thanks for a straight answer, can we request to have this back?

If you could satisfy my curiosity I would much appreciate it: what is the value in being able to configure whether this basic security functionality is enabled or not?

To request a change, please file a feature request at https://features.cpanel.net

 

[WebHostPro]

If you could satisfy my curiosity I would much appreciate it: what is the value in being able to configure whether this basic security functionality is enabled or not?

To request a change, please file a feature request at https://features.cpanel.net

Thanks for the link as well.

Because it's more streamlined and better for security not needing to access the SSH for something that could easily be changed via WHM.

 

[cPanelKenneth]

Thanks for the link as well.

Because it's more streamlined and better for security not needing to access the SSH for something that could easily be changed via WHM.

You're welcome.

I think my question was poorly worded. Why do you need to disable security tokens?

 

[WebHostPro]

Oh lol.

It just causes too many issues with customers, our techs, and me to be able to log in when it's important to be able to do so. I also don't think it helps the overall security. I do think security should be the #1 priority with cpanel I just think this one causes too many errors at this point. There has been times out of town when I had an emergency and I was locked out from this. I also get about 5-10 customer issues a week from it.

 

[Infopro]

Locked out by security tokens?

 

[cPanelKenneth]

Oh lol.

It just causes too many issues with customers, our techs, and me to be able to log in when it's important to be able to do so. I also don't think it helps the overall security. I do think security should be the #1 priority with cpanel I just think this one causes too many errors at this point. There has been times out of town when I had an emergency and I was locked out from this. I also get about 5-10 customer issues a week from it.

Security Tokens are the addition of a unique ID to the URL when using cPanel & WHM. It usually is in the form of cpsessXXXXXXXXXXX where the Xs are numbers. Once logged in, you are only asked to reauthenticate if that ID disappears from the URL. Usual causes for the ID disappearing are custom themes and applications that are not updated to use security tokens. Security Tokens prevent XSS and XSRF attacks.

We also have a feature called Source IP Check. That feature tracks the IP addresses you use to connect with. Every time you connect from a different IP address, you are challenged to answer several questions.

The behavior you describe sounds more like source IP check, to me, rather than security tokens.

 

[WebHostPro]

Locked out by security tokens?

Yes, it will not let people log in sometimes.

 

[sina6002]

----------

 

[cPanelKenneth]

Yes, it will not let people log in sometimes.

When this happens, could you open a support ticket with us please? This should not be happening.

 

[Solokron]

The issue I am encountering with 11.38 over 11.36 is with it forced I receive

Internal Server Error
500
No response from subprocess

from a plugin script. This only occurs on servers we have 11.38 on. Ever server that has 11.36 it works fine.

I don't forsee this plugin being updated any time soon. Is there a way around this for the plugin script?