Security Token Tweak setting missing? [case 71137,case 71669, case 71933, case 73073]

[cPanelNick]

Re: Security Tokens in 11.38.0

I understand the security value for it, but it is a real inconvenience for me. I keep phpMyAdmin open all day, and after 20 or 30 minutes of inactivity, it requires me to re-enter my password.

That sounds like something else is going on here. cpsrvd allows sessions to last 24 hours by default so you shouldn't have to re-enter your password more then once per day at the most. Having to re-login after 20-30 minutes of inactivity is definitely not desirable behavior. Would you please open a ticket using the link in my signature so we can work with you to determine why you are having to re-login so frequently?

EDIT: By chance do you have http authentication enabled in Tweak Settings?

Thank you.

 

[cPanelNick]

I'd like to thank everyone who opened a ticket and provided us feedback (with example) on some of the usability issues they experienced with security tokens.

We have opened case 71137 to improve the usability of the system by providing the same token when you login a second time or are forced to login again to the same account within the same session. This should eliminate the annoyance caused by logging in multiple times and invalidating urls in the older windows/tabs.

We are currently targeting this functionality for 11.38.2.

 

[jols]

We had an issue two days ago, a red-line emergency where spam was being sent through a hosted email account at very high rate. There were multiple servers we needed to check during this emergency, and it was way beyond annoyance to keep getting the Invalid Token error page after leaving one of the WHM pages open for only a couple of minutes, e.g. while the spam was being cleared from the queues. Effectively this enabled the spammer to pass even more spam through the server (while we were clearing the queues) and before we could put an absolute halt to the broadcast.

No exaggeration. We were effectively being beaten back from resolving this incident as quickly as possible by cPanel's own token based security system.

 

[cPanelNick]

it was way beyond annoyance to keep getting the Invalid Token error page after leaving one of the WHM pages open for only a couple of minutes

Hi jols,

If you open a ticket using the link in my signature, we should be able to go though the access logs and determine why you were getting a token error. You shouldn't see this message unless you hit / or a url without a token with the same browser. If something else is going on here we definitely want to get a bug report in asap so we can resolve this.

Thanks

 

[Branik]

Security tokens are a miserable feature. It is a constant pain in the *** when using phpMyAdmin. If I open a new tab with phpMyAdmin, security token has to be updated. Can't go back to the previous tab and do anything then, or it will demand my password and lose the query I was trying to run.

Of course all this token nonsense gets me logged out of cPanel and when I go back to cPanel to do something else, I have to log in yet again.

I have always had them off because they ****. Now I am told I am not ALLOWED to turn them off even though they make my work more difficult and annoy the crap out of me. Really? Are you the one paying my server bills? Which includes $40 a month to use cPanel which I am now much less interested in paying. Absurd. I do not need nor want my server software playing my Nanny.

 

[cPanelNick]

If I open a new tab with phpMyAdmin, security token has to be updated. Can't go back to the previous tab and do anything then, or it will demand my password and lose the query I was trying to run.

Do you have http/basic authentication enabled in Tweak Settings?

 

[cPanelNick]

Case 71137 has been published in 11.38.1.6.

Implemented case 71137: Improve usability of security tokens.
CPanelVersion1138 < AllDocumentation/ChangeLog < TWiki

 

[cPanelNick]

To everyone who opened a ticket to report usability issues with security tokens: Thank you for taking the time to do so. Please submit a new ticket if 11.38.1.6 does not address the issues you reported.

Additionally, we have created case 71669 to address the saving the token after reloading the login page twice and specific compatibility issues that were reported with Safari.

 

[ThinIce]

If I can be permitted to waffle for a minute or two, I think this does illustrate why it's important to stick tickets when we see behaviour that looks wrong / the product doesn't work in the way you'd expect. Going on personal experience over the years with quite a few odd things it's tempting to just disable / ignore / put up with on a variant of the bystander effect (i.e. someone else must have experienced and reported this) but if you actually pop in a ticket and prove the bug, it gets assigned a case and get's resolved in the majority of cases.

The downside of course being this can take time

 

[chposter]

So goodbye to autologin features.
Or maybe there will be a method via the api with security tokens enabled?

 

[quietFinn]

So goodbye to autologin features.

What do you mean by "autologin features"?

 

[cPanelNick]

What do you mean by "autologin features"?

I think this is a reference to:
SecureRemoteLogins < AllDocumentation < TWiki

 

[quietFinn]

I think this is a reference to:
SecureRemoteLogins < AllDocumentation < TWiki

I see... thanks.

 

[cPanelNick]

Note: The LogMeIn.pm that comes with builds that support security tokens, supports security tokens. If you are using an older version (ie 11.22 etc) of LogMeIn.pm, you will need to update to a newer version to make it work with the tokens.

 

[mahinder]

Nick, We have designed our own monitoring system which have predefined inbuilt links to WHM scripts, which really makes it easy and fast for us to access regular WHM functions and manage cPanel servers.

example: https://hostname:2087/scripts2/listaccts link for list accounts.

Now with security tokens enabled every time we manage server from our monitoring system, we have to login again and again. We manage 50+ servers and its a huge problem for us, logging in again and again.

For example, today there was spamming incident and I have to login 5 times from monitoring system to check
1) Email Queue
2) List Accounts
3) Purge Email Queue
4) Check Apache Status
5) Login to WHM

I already have http authentication disabled but since link do not contain security token, it asked me to login every time.

Please bring back this feature or consider providing option to disable security tokens or suggest work around to access whm links directly without logging in every time. I understand, there is feature request option for it but I want to let you guys know about it here.

 

[cPanelNick]

suggest work around to access whm links directly without logging in every time.

The scenario you are describing is what security tokens are designed to protect against. We don't want a malicious user to take advantage of you being logged into WHM and provide you a link to their "broken" website that redirects you to https://server:2087/...../....../passwd?user=root&.... which resets your root password allowing them to gain root. This is not possible with security tokens since the url is not known to the malicious user.

You should be able to use SecureRemoteLogins < AllDocumentation < TWiki to generate a session and redirect into WHM with the token in place.

 

[higherlogic]

We don't want a malicious user to take advantage of you being logged into WHM and provide you a link to their "broken" website that redirects you to https://server:2087/...../....../passwd?user=root&.... which resets your root password allowing them to gain root. This is not possible with security tokens since the url is not known to the malicious user.

To be honest, that's not for you to decide. Make security tokens optional, but on by default for new users to cPanel/WHM. You give users hundreds of options in WHM, this should be added back as an option.

Or (and this sounds more likely) is this mandatory not to protect us (otherwise there's a lot of security features you should enable and not given the option to turn off), but because there's a vulnerability that you can't easily fix (e.g. requires a lot more work and restructuring of parts or the entire cPanel architecture) without keeping security tokens in place (making them a band-aid at this point)? Not that you would confirm this, of course.

 

[jols]

Nick, We have designed our own monitoring system which have predefined inbuilt links to WHM scripts, which really makes it easy and fast for us to access regular WHM functions and manage cPanel servers.

example: https://hostname:2087/scripts2/listaccts link for list accounts.

Now with security tokens enabled every time we manage server from our monitoring system, we have to login again and again. We manage 50+ servers and its a huge problem for us, logging in again and again.

For example, today there was spamming incident and I have to login 5 times from monitoring system to check
1) Email Queue
2) List Accounts
3) Purge Email Queue
4) Check Apache Status
5) Login to WHM

I already have http authentication disabled but since link do not contain security token, it asked me to login every time.

Please bring back this feature or consider providing option to disable security tokens or suggest work around to access whm links directly without logging in every time. I understand, there is feature request option for it but I want to let you guys know about it here.

We have had this EXACT same thing occur on three separate occasions so far. The additional delay caused by having to repeatedly log in again, has caused, at this point, hundreds of additional spams being broadcasted from our servers, whereas before we were able to much more effectively nip-the-issue-in-the-bud when such an issue arises.

 

[cPanelNick]

If you have opened a ticket on security tokens, and it has not resulted in a solution or case, please do post the number here.

We have generated case 73073 for additional compatibility improvements based on the latest ticket that was opened concerning security tokens. If you were the person who opened the ticket: thank you for the contribution and example.

 

[Mango45]

Re: Security Tokens in 11.38.0

cpsrvd allows sessions to last 24 hours by default

A good compromise to this issue may be having a configurable session length. If a session could last perhaps a week and could remain active even after browser restart, then we could bookmark URLs with the session ID. That should satisfy those of us who need quick access to things, and still prevent attacks (because the attacker would still not know the session ID, even if it were old).

I certainly appreciate the argument for security, but I have to agree with the others that it is kind of lame that cPanel removed this option without providing an alternative for those of us who had a specific reason for turning it off.

Ticket in question is 4302785.