Eagle2012

Registered
Aug 26, 2012
4
0
1
cPanel Access Level
Root Administrator
I've never really turned these off before - how important are they for security?

Rather than the blanket On/Off WHM option - Is there a way in which they can be turned off just for webmail?
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,608
79
458
cPanel Access Level
Root Administrator
I've never really turned these off before - how important are they for security?

Rather than the blanket On/Off WHM option - Is there a way in which they can be turned off just for webmail?
Security Tokens are global. There is no means for turning them off for just webmail.

Are you encountering problems with Security Tokens? Would you be willing to share descriptions of these problems? I'd like to understand the scenario you are facing so I can better guide you.
 

Eagle2012

Thanks for the reply Kenneth!

A client's site is basically a webmail service provider - we're making use of the cPanel API to control this and interface it with our front/back end - and Horde as the end-user client. We're using a custom logout which deletes ALL cookies set by the domain as a means of displaying our own 'logout' page. Issue being however that if they do not log out and revisit the site - after successfully logging in at our end... they are then taken to the cPanel webmail login... and then again the Horde login :( Don't mind the Horde login as much as it is thematically similar to our site and theme with our logo - but the cPanel Webmail login is really getting in the way and it's being caused by the security token checks.

I guess what I'm asking really is how much extra security do they provide? With them off login works fine even when a user fails to log out... with them on the above occurs.
 

cPanelKenneth

Security Tokens prevent XSRF and XSS attacks from succeeding. You can read more information here: Basic Security Concepts

There may not be a good way around this issue, except for disabling security tokens, which we do not recommend.
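
Added example, not part of the thread and not cPanel's code: a simplified model of a per-session token carried in the URL path, showing why a request that arrives with a valid session cookie but without the matching token is sent back to the login page. The token format (`sess` plus ten digits), the in-memory session store and the function names are assumptions made for illustration.

```python
import hmac
import re
import secrets

# Constructed in-memory session store: session cookie value -> URL token.
SESSIONS = {}

# Hypothetical token format: "/sess" + 10 digits as the first path segment.
TOKEN_RE = re.compile(r"^/(sess[0-9]{10})(/.*)$")


def login():
    """Create a session after authentication; return (cookie, token)."""
    cookie = secrets.token_urlsafe(16)
    token = "sess" + "".join(secrets.choice("0123456789") for _ in range(10))
    SESSIONS[cookie] = token
    return cookie, token


def handle(path, cookie):
    """Return (status, detail) for a request to `path` carrying `cookie`."""
    expected = SESSIONS.get(cookie)
    if expected is None:
        return 401, "no session: show login page"
    m = TOKEN_RE.match(path)
    # A page on another site can make the browser attach the cookie, but it
    # cannot read the user's token, so its request has none or a wrong one.
    if m is None or not hmac.compare_digest(m.group(1), expected):
        return 401, "token missing or wrong: show login page"
    return 200, "dispatch " + m.group(2)


if __name__ == "__main__":
    cookie, token = login()
    print(handle("/" + token + "/mail/delete", cookie))  # own link, has token
    print(handle("/mail/delete", cookie))  # cookie only: forged or stale link
```

With the token check removed, the second request would be dispatched on the strength of the cookie alone, which is the cross-site request forgery case the tokens exist to stop.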
 

Solokron

Well-Known Member
Aug 8, 2003
851
1
168
Seattle
cPanel Access Level
DataCenter Provider
Where can one disable these tokens?
 

Solokron

They are no longer @ WHM: Main >> Server Configuration >> Tweak Settings >> Security
"Require security tokens for all interfaces. This will greatly improve the security of cPanel and WHM against XSRF attacks, but may break integration with other systems, login applications, billing software and third party themes."

as they were previously. Version 11.38.0