Security Token Tweak setting missing? [case 71137, case 71669, case 71933, case 73073]

Discussion in 'Security' started by GIANT_CRAB, Mar 9, 2013.

  1. GIANT_CRAB

    GIANT_CRAB Well-Known Member

    Hey everyone,

    I'm having an issue at the moment.

    I want to enable the security token setting in cPanel, but I couldn't find it under Tweak Settings > Security.

    cPanel - WHM 11.36.0 (build 11).

    I have some other cPanel servers as well and I can't find the security token setting as well.

    I did some search before and could only find irrelevant questions/answers.
    Any reasons why?

    Thanks :)
     
    #1 GIANT_CRAB, Mar 9, 2013
    Last edited: Mar 9, 2013
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  3. GIANT_CRAB

    GIANT_CRAB Well-Known Member

    Thanks for the reply! :)

    I assume the "cpsess2342367245371" is the security token.
    If it's enabled by default, why isn't there any "cpsess2342367245371" in the URL?

    All of my cPanel servers that had security tokens enabled initially have that code.
    This particular cPanel server I had; I disabled security tokens by mistake when the update showcase thingy popped up, so now there's no way of enabling it?
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Check this file:
    /var/cpanel/cpanel.config

    For this:
    xsrftokens=0

    If you find that, change it to this:
    xsrftokens=1

    See if that helps. :)
     
  5. GIANT_CRAB

    GIANT_CRAB Well-Known Member

    That worked, thanks a lot! :)
     
  6. bbf

    bbf Member

    They're on by default, but how do we disable them? The on/off toggle is not in Tweak Settings > Security anymore.
     
  7. quietFinn

    quietFinn Well-Known Member

    Didn't you see the post #4 in this thread?
     
  8. GIANT_CRAB

    GIANT_CRAB Well-Known Member

    Hello,

    I think you missed out this post:

     
  9. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Please be advised that in cPanel & WHM 11.38 it will not be possible to enable or disable security tokens. They will always be enabled.
     
  10. DWHS.net

    DWHS.net Well-Known Member
    PartnerNOC

    Thanks for a straight answer, can we request to have this back?
     
  11. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    If you could satisfy my curiosity I would much appreciate it: what is the value in being able to configure whether this basic security functionality is enabled or not?

    To request a change, please file a feature request at https://features.cpanel.net
     
  12. DWHS.net

    DWHS.net Well-Known Member
    PartnerNOC

    Thanks for the link as well.

    Because it's more streamlined and better for security not needing to access the SSH for something that could easily be changed via WHM.
     
  13. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    You're welcome.

    I think my question was poorly worded. Why do you need to disable security tokens?
     
  14. DWHS.net

    DWHS.net Well-Known Member
    PartnerNOC

    Oh lol.

    It just causes too many issues with customers, our techs, and me to be able to log in when it's important to be able to do so. I also don't think it helps the overall security. I do think security should be the #1 priority with cPanel; I just think this one causes too many errors at this point. There have been times out of town when I had an emergency and I was locked out from this. I also get about 5-10 customer issues a week from it.
     
  15. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Locked out by security tokens?
     
  16. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Security Tokens are the addition of a unique ID to the URL when using cPanel & WHM. It usually is in the form of cpsessXXXXXXXXXXX where the Xs are numbers. Once logged in, you are only asked to reauthenticate if that ID disappears from the URL. Usual causes for the ID disappearing are custom themes and applications that are not updated to use security tokens. Security Tokens prevent XSS and XSRF attacks.

    We also have a feature called Source IP Check. That feature tracks the IP addresses you use to connect with. Every time you connect from a different IP address, you are challenged to answer several questions.

    The behavior you describe sounds more like source IP check, to me, rather than security tokens.
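
Added example (not part of the thread and not cPanel's code): a minimal Python model of the URL token check described in the post above, showing why a request that arrives with the session cookie but without the right `cpsess` ID in the path is sent back to reauthenticate. The session store, the 10-digit token length, and the `/frontend/example/...` paths are assumptions made for illustration.

```python
import hmac
import re
import secrets

SESSIONS = {}  # hypothetical store: session cookie -> token issued at login
TOKEN_PATH = re.compile(r"^/(cpsess\d+)(/.*)$")


def login():
    """Start a session and return (cookie, token)."""
    cookie = secrets.token_hex(16)
    # Token shape follows the post: "cpsess" plus digits (length is assumed).
    token = "cpsess" + "".join(secrets.choice("0123456789") for _ in range(10))
    SESSIONS[cookie] = token
    return cookie, token


def handle(cookie, path):
    """Return (status, detail) for a request with this cookie and URL path."""
    expected = SESSIONS.get(cookie)
    if expected is None:
        return 401, "no session"
    match = TOKEN_PATH.match(path)
    if match is None:
        # The ID "disappeared from the URL": typical of a link built by a
        # theme or plugin that does not carry the token forward.
        return 401, "token missing, reauthenticate"
    supplied, rest = match.groups()
    if not hmac.compare_digest(supplied, expected):
        # A page on another site can make the browser send the cookie,
        # but it cannot know the per-session token to put in the path.
        return 401, "token mismatch, reauthenticate"
    return 200, rest


def demo():
    """Run the three cases on constructed paths and return their status codes."""
    cookie, token = login()
    ok = handle(cookie, f"/{token}/frontend/example/index.html")
    stale_link = handle(cookie, "/frontend/example/index.html")
    forged = handle(cookie, "/cpsess0/frontend/example/delete")
    return ok[0], stale_link[0], forged[0]


if __name__ == "__main__":
    print(demo())
```
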
     
  17. DWHS.net

    DWHS.net Well-Known Member
    PartnerNOC

    Yes, it will not let people log in sometimes.
     
  18. sina6002

    sina6002 Member

    ----------
     
    #18 sina6002, May 8, 2013
    Last edited: May 8, 2013
  19. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    When this happens, could you open a support ticket with us please? This should not be happening.
     
  20. Solokron

    Solokron Well-Known Member

    The issue I am encountering with 11.38 over 11.36 is with it forced I receive

    Internal Server Error
    500
    No response from subprocess

    from a plugin script. This only occurs on servers we have 11.38 on. Every server that has 11.36 works fine.

    I don't foresee this plugin being updated any time soon. Is there a way around this for the plugin script?
     