Turned off cPanel sessions now sometimes can't switch to cPanel from WHM?

Discussion in 'Security' started by Ishware, Feb 8, 2018.

  1. Ishware

    Ishware Well-Known Member

    I assume there's some cache of sessions or something somewhere.

    For some sites, when I click to switch to cPanel from WHM, I get prompted that my cpsession isn't valid - but I just turned that off. For some sites it works, others it doesn't.

    I can confirm I successfully turned it off because it no longer appears in the URL and I'm able to load my favorite WHM URLs now from bookmarks - which is why I turned it off in the first place.

    So it must be storing these sessions somewhere that I need to remove.
     
  2. cPWilliamL

    cPWilliamL cP Technical Analyst II
    Staff Member

    Hi,

    Could you be more specific? Exactly which feature/setting did you disable?

    Thanks,
     
  3. Ishware

    Ishware Well-Known Member

    Apologies, assumed you'd magically read my mind and know every little thing offhand. lol. Serious on the apology.

    I set disable-security-tokens=1 in /car/cpanel/cpanel.conf (and then ran the script per the suggestion at the top of that file).

    And actually, I haven't run into the error for a while, but one of my reseller clients consistently can't transfer. She's prompted that her token is invalid and she needs to login, which doesn't work. She can log in to cPanel by using the subdomain, i.e. cpanel.example.com.
     
  4. Ishware

    Ishware Well-Known Member

    Screenshot: 2018-02-10 00_39_17-cPanel Login.png
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Why are you disabling security tokens?
     
  6. Ishware

    Ishware Well-Known Member

    Before they existed, I don't believe anyone ever got into my cPanel or WHM that shouldn't've¹. I believe I'm otherwise sufficiently protected.

    And the downside is that I can't use bookmarks to get to frequently used pages, because the bookmark would never have a valid session in the URL. And in cases where I forget I have WHM or cPanel open in another tab and try to open a new one, the old tab is now logged out.

    I realize security is important, but in my humble opinion, it's so so much easier to turn it off and I don't think the benefit is sufficient.

    Maybe if I could somehow programmatically figure out the current session and create a little web app to open my common links instead of using bookmarks, that would be awesome. I believe I can sufficiently secure such a page. I'm not any god's gift to programming, but when I've written my little web apps, I've read a lot of tutorials on security and I think I'm doing a good job of securing that.....

    So I mean, I'm open to better ideas, but at the moment my humble opinion is that the increased security of the sessions is totally not worth the many times it's interfered with what I'm doing.

    I guess if I had an easy way of replicating the cPanel transfer button (listing all accounts in WHM), only 1) allowing for direct links to cPanel pages, and 2) some page that would allow me to set up "transfer" links into WHM... I could live with that, but I'm not sure where to start.

    Either way, I hope my rambling isn't annoying, and I appreciate any ideas or attempts to convince me to turn it back on.

    ______________
    ¹ I don't remember the precise year I started hosting with cPanel, but I've been hosting websites since 1996. Doesn't mean I'm an expert, just that I don't believe I've had any cPanel or WHM unauthorized accesses in all that time. Other problems, yes - out-of-date WordPress and PHP scripts, so I've learned to keep those up to date. heh
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I'm probably overshooting the runway, but it seems to me you might be using cPanel differently than I do, and that's where my confusion is coming in here.

    If you're the only one using cPanel, that's fine, I guess. If you're hosting other users though, security becomes essential.

    I assume that by common links you mean different accounts? You do know you can log in to your cPanel account and from there, log in to other cPanel accounts owned by you via a simple built-in menu, correct? There's no need to log in to WHM and then go to the accounts listing and get to your accounts from there.
     
  8. Ishware

    Ishware Well-Known Member

    After some further thought, I've re-enabled the tokens. But it still annoys me that I can't make bookmarks to certain pages without triggering the invalid token page, and in my experience, entering in the password on that page quite often doesn't work. Meh.

    But security is probably better than my annoyance.

    And let me clarify that I'm just venting a little. I love my cPanel, and depend on it. :)
     