Security Token Tweak setting missing? [case 71137, case 71669, case 71933, case 73073]


konrath

Often disconnected from WHM. Security Token

Hello

Often disconnected from WHM. Security Token

I'm going crazy. :eek::eek::eek::eek:

It is very difficult to work.:cool:

When I:

1) I make a server-to-server migration
2) Setting up accounts.

and etc...

Is there a solution?

This makes it virtually impossible to work.

Any suggestions? :confused::confused::confused::confused::confused:

Thank you!
Marcelo Konrath
 

cPanelMichael

Administrator
Staff member
Re: Often disconnected from WHM. Security Token

Hello :)

Are you using browser bookmarks to access Web Host Manager, or do you encounter this problem when logging in by entering the URL in your browser's address bar? Do you have "HTTP Basic Authentication" enabled in "Tweak Settings"?

Thank you.
 

konrath

Re: Often disconnected from WHM. Security Token

Hello cPanelMichael

Entering using Google Chrome via IP in my browser's

HTTP Authentication is disabled. Should I enable it?

I have frequent:

------------------------------

HTTP erro 401

Invalid security token

The requested URL does not contain your session’s correct security token.

You may have reached this error by copying and pasting a URL from a different cPanel, WHM, or Webmail session into your browser’s address bar. To resolve this situation, please take one of the following steps:

Go back one page and reload the URL, making sure that the /cpsess.../ section of the URL remains the same.
Re-enter your account’s password below. This will assign your session a new security token. This new token will prevent you from using other pages of this application that may be open in other tabs.
------------------------------



What should I do? It is very difficult to work.

Thank you
Marcelo Konrath
 

cPanelMichael

Administrator
Staff member
Re: Often disconnected from WHM. Security Token

It's normal for "HTTP Authentication" to be disabled, as that is the default configuration. Please open a support ticket for this so we can check to see if it's a user-based issue, or a problem with our software.

Submit A Ticket

You can post the ticket number here so we can monitor the support request.

Thank you.
 

konrath

Re: Often disconnected from WHM. Security Token

Hello cPanelMichael

I will first enable HTTP Authentication and work to test.... If the problem continues, I will open a ticket.

I have this problem with all servers.

Thank you again for your response.

Marcelo Konrath
 

Hedloff

Security tokens in 11.38

After the upgrade to 11.38, customers are calling about security tokens on their links to Horde webmail, for example.
Is there any way we can disable security tokens for accounts/server somewhere?

I remember reading that security tokens are not possible to disable?
 

Hedloff

Re: Security tokens in 11.38

Yes, that was turned on somehow.
Would that cause this problem? If we disable this, will customers not get the security token problem?

Update:
-Looks like that worked. Thanks :)
 

jols

Re: Security tokens in 11.38

In my case http authentication is not enabled, and we get the security token page every time we touch any sort of management in WHM, it is a real problem for us.

Is there any way to switch this off?
 

jols

Security Tokens are the addition of a unique ID to the URL when using cPanel & WHM. It usually is in the form of cpsessXXXXXXXXXXX where the Xs are numbers. Once logged in, you are only asked to reauthenticate if that ID disappears from the URL. Usual causes for the ID disappearing are custom themes and applications that are not updated to use security tokens. Security Tokens prevent XSS and XSRF attacks.

We also have a feature called Source IP Check. That feature tracks the IP addresses you use to connect with. Every time you connect from a different IP address, you are challenged to answer several questions.

The behavior you describe sounds more like source IP check, to me, rather than security tokens.

I concur with others here; furthermore, we use a dual-WAN load balancer here between two different ISPs, so our IP address will change in mid-flight, thus the Source IP Check will lock us out constantly.

And even without this (i.e. when we switch off the load balancer and just use a single modem), the invalid token page comes up several times even in the course of completing one simple task. It's as if the token times out in rapid fashion, e.g. within 30 seconds on occasion. This is very quickly turning what should be an easy maintenance task into a time-consuming chore. And it's a little nerve-racking to see that gray HTTP 401 error page come up bazillions of times during the course of a single day.

With regard to promotions, if cPanel.net is looking for a way to generate a positive feeling amongst their users and managers for their software, then by removing this option to deselect security tokens, I think it is safe to say, they've gone in the opposite direction.

You (cPanel.net) should very definitely return the option for your customers to deselect this feature.

P.S. Regarding:
------------------------
Check this file:
/var/cpanel/cpanel.config

For this:
xsrftokens=0
------------------------

Switching this value from 0 to 1, then restarting cPanel with service cpanel restart, makes no difference, at least not for us.

Does anyone know of any other method to switch this feature off?
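Added illustration (not part of any post in this thread, and not cPanel's code): a minimal sketch of the URL-token check described in the explanation quoted in the post above, assuming the `cpsess` + digits format given there. The token length, the `/example/...` paths and all function names are constructed for the example.

```python
import hmac
import re
import secrets

# Format taken from the description above: "cpsess" followed by digits,
# carried as the first path segment of every URL in the session.
TOKEN_SEGMENT = re.compile(r"^/(cpsess\d+)(?:/|$)")


def new_session_token(digits: int = 10) -> str:
    """Issue an unpredictable per-session token at login (length is an assumption)."""
    return "cpsess" + "".join(secrets.choice("0123456789") for _ in range(digits))


def check_request(path: str, session_token: str) -> tuple[int, str]:
    """Decide whether an authenticated request carries this session's token."""
    match = TOKEN_SEGMENT.match(path)
    if match is None:
        # Bookmarks, themes that drop the token, and cross-site forged
        # requests all arrive without the token segment.
        return 401, "missing token"
    if not hmac.compare_digest(match.group(1), session_token):
        # URL pasted from another session, or a token that was guessed.
        return 401, "token from another session"
    return 200, "ok"


def classify(paths: list[str], session_token: str) -> dict[str, tuple[int, str]]:
    """Run check_request over several request paths."""
    return {p: check_request(p, session_token) for p in paths}


if __name__ == "__main__":
    token = new_session_token()
    # Constructed request paths; "/example/..." is hypothetical, not a real WHM URL.
    samples = [
        f"/{token}/example/list_accounts",
        "/example/list_accounts",
        "/cpsess0000000000/example/list_accounts",
    ]
    for path, verdict in classify(samples, token).items():
        print(verdict, path)
```

A valid session cookie alone is not enough in this model: a request forged from another site cannot know the token, so it is rejected even though the browser attaches the cookie.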
 

cPanelMichael

Administrator
Staff member
Security tokens are always on and are no longer allowed to be disabled, as of version 11.38. If you continue to experience problems with this feature, please open a support ticket so we can take a closer look:

Submit A Ticket

Thank you.
 

cPanelMichael

Administrator
Staff member
Re: Security tokens in 11.38

In my case http authentication is not enabled, and we get the security token page every time we touch any sort of management in WHM, it is a real problem for us.

Is there any way to switch this off?
Security tokens are always on and are no longer allowed to be disabled, as of version 11.38. If you continue to experience problems with this feature, please open a support ticket so we can take a closer look:

Submit A Ticket

Please post the ticket number here so we can update this thread with the outcome.

Thank you.
 

soundguy

Seriously, put the disable option back! Tokens are a major pain. I didn't ask for them and I don't want to deal with them in situations where the exploits you keep saying they prevent are simply not relevant. YOU don't get to decide how I run my security. *I* do.
 

cPanelMichael

Administrator
Staff member
Re: Security tokens in 11.38

Hi,

I have problems, too. How to disable token security when login?

Regards,
Please see my previous response on this thread for an answer to this question.

Thank you.
 

GoWilkes

Security Tokens in 11.38.0

I wanted to express my dislike for the Security Tokens tweak no longer being optional in 11.38.0 (Build 17).

I understand the security value for it, but it is a real inconvenience for me. I keep phpMyAdmin open all day, and after 20 or 30 minutes of inactivity, it requires me to re-enter my password.

My password isn't anything I can remember (it's a strong password with symbols, upper- and lower-case letters, and numbers), so I have to go find it and then type it in manually. I find myself doing this on a constant basis.

Worse, if I have to keep the password written on a note on my desk, it's more of a security risk than having Security Tokens turned off!

For future releases, I would request that you reinstate the option for Security Tokens in the Tweaks. Changing the default to "On" would be fine, but it would be nice to have the option to turn it off.

If I'm wrong, and there is such an option, please forgive my ignorance!
 

cPanelMichael

Administrator
Staff member
Re: Security Tokens in 11.38.0

Hello :)

I have moved this thread over to the "Security" forum for discussion. While I understand your intention here is to express your dislike for the Security Tokens requirement, I did want to note that you may find a third-party application such as 1Password useful:

Agilebits.com - 1Password

Thank you.
 

mfragoso

Seriously, put the disable option back! Tokens are a major pain. I didn't ask for them and I don't want to deal with them in situations where the exploits you keep saying they prevent are simply not relevant. YOU don't get to decide how I run my security. *I* do.
I totally agree with you. It is cPanel's obligation to give this option for security purposes, but it is also our option to use it or not, as with hundreds of other options cPanel has.