Security Tokens

Discussion in 'Security' started by Eagle2012, Jan 4, 2013.

  1. Eagle2012

    Eagle2012 Registered

    I've never really turned these off before - how important are they for security?

    Rather than the blanket On/Off WHM option - Is there a way in which they can be turned off just for webmail?
     
  2. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Security Tokens are global. There is no means for turning them off for just webmail.

    Are you encountering problems with Security Tokens? Would you be willing to share descriptions of these problems? I'd like to understand the scenario you are facing so I can better guide you.
     
  3. Eagle2012

    Eagle2012 Registered

    Thanks for the reply Kenneth!

    A client's site is basically a webmail service provider - we're making use of the cPanel API to control this and interface it with our front/back end - and Horde as the end-user client. We're using a custom logout which deletes ALL cookies set by the domain as a means of displaying our own 'logout' page. Issue being however that if they do not log out and revisit the site - after successfully logging in at our end... they are then taken to the cPanel webmail login... and then again the Horde login :( Don't mind the Horde login as much as it is thematically similar to our site and theme with our logo - but the cPanel Webmail login is really getting in the way and it's being caused by the security token checks.

    I guess what I'm asking really is how much extra security do they provide? With them off login works fine even when a user fails to log out... with them on the above occurs.
     
  4. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Security Tokens prevent XSRF and XSS attacks from succeeding. You can read more information here: Basic Security Concepts

    There may not be a good way around this issue, except for disabling security tokens, which we do not recommend.
     
  5. Solokron

    Solokron Well-Known Member

    Where can one disable these tokens?
     
  6. Solokron

    Solokron Well-Known Member

    They are no longer @ WHM: Main >> Server Configuration >> Tweak Settings >> Security
    "Require security tokens for all interfaces. This will greatly improve the security of cPanel and WHM against XSRF attacks, but may break integration with other systems, login applications, billing software and third party themes."

    as they were previously. Version 11.38.0
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    That setting has been removed. This post might be useful here:
    Re: Security Token Tweak setting missing? - cPanel Forums

     