Turned off cPanel sessions now sometimes can't switch to cPanel from WHM?

Ishware

Well-Known Member
Nov 7, 2003
211
6
168
Williamsburg, VA
cPanel Access Level
Root Administrator
I assume there's some cache of sessions or something somewhere.

For some sites, when I click to switch to cPanel from WHM, I get prompted that my cpsession isn't valid - but I just turned that off. For some sites it works, others it doesn't.

I can confirm I successfully turned it off because it no longer appears in the URL and I'm able to load my favorite WHM URLs now from bookmarks - which is why I turned it off in the first place.

So it must be storing these sessions somewhere that I need to remove.
 

Ishware

Apologies, assumed you'd magically read my mind and know every little thing offhand. lol. Serious on the apology.

I set disable-security-tokens=1 in /var/cpanel/cpanel.conf (and then ran the script per the suggestion at the top of that file).

And actually, I haven't run into the error for a while, but one of my reseller clients consistently can't transfer. She's prompted that her token is invalid and she needs to log in, which doesn't work. She can log in to cPanel by using the subdomain, i.e. cpanel.example.com.
 

Ishware

Before they existed, I don't believe anyone ever got into my cPanel or WHM that shouldn't've¹. I believe I'm otherwise sufficiently protected.

And the downside is that I can't use bookmarks to get to frequently used pages, because the bookmark would never have a valid session in the URL. And in cases where I forget I have WHM or cPanel open in another tab and try to open a new one, the old tab is now logged out.

I realize security is important, but in my humble opinion, it's so so much easier to turn it off and I don't think the benefit is sufficient.

Maybe if I could somehow programmatically figure out the current session and create a little web app to open my common links instead of using bookmarks, that would be awesome. I believe I can sufficiently secure such a page. I'm not any god's gift to programming, but when I've written my little web apps, I've read a lot of tutorials on security and I think I'm doing a good job of securing that.....

So I mean, I'm open to better ideas, but at the moment my humble opinion is that the increased security of the sessions is totally not worth the many times it's interfered with what I'm doing.

I guess if I had an easy way of replicating the cPanel transfer button (listing all accounts in WHM), only 1) allowing for direct links to cPanel pages, and 2) some page that would allow me to set up "transfer" links into WHM... I could live with that, but I'm not sure where to start.

Either way, I hope my rambling isn't annoying, and I appreciate any ideas or attempts to convince me to turn it back on.

______________
¹ I don't remember the precise year I started hosting with cPanel, but I've been hosting websites since 1996. Doesn't mean I'm an expert, just that I don't believe I've had any cPanel or WHM unauthorized accesses in all that time. Other problems, yes - out of date WordPress and PHP scripts, so I've learned to keep those up to date. heh
 

Infopro

Well-Known Member
May 20, 2003
17,075
524
613
Pennsylvania
cPanel Access Level
Root Administrator
I'm probably overshooting the runway, but it seems to me you might be using cPanel differently than I do, and that's where my confusion is coming in here.

> I realize security is important, but in my humble opinion, it's so so much easier to turn it off and I don't think the benefit is sufficient.

If you're the only one using cPanel, that's fine, I guess. If you're hosting other users though, security becomes essential.

> Maybe if I could somehow programmatically figure out the current session and create a little web app to open my common links instead of using bookmarks, that would be awesome.

I assume here that by common links you mean different accounts? You do know you can log in to your cPanel account and, from there, log in to other cPanel accounts owned by you via a simple built-in menu, correct? There's no need to log in to WHM and then go to the accounts listing and get to your accounts from there.
 

Ishware

After some further thought, I've re-enabled the tokens. But it still annoys me that I can't make bookmarks to certain pages without triggering the invalid token page, and in my experience, entering in the password on that page quite often doesn't work. Meh.

But security is probably better than my annoyance.

And let me clarify that I'm just venting a little. I love my cPanel, and depend on it. :)
 

Phillip White

Registered
Sep 15, 2017
2
0
76
Holbein
cPanel Access Level
DataCenter Provider
I realize this is an older post but it did trigger a need to reply.
It's true. The session cookies are annoying to me too, only because cPanel generates links to helpful pages which you can never get to. For example, cphulkd sends emails when brute force attacks are happening, and within that email are nicely formatted links to moderate that attack. You can't use those links due to session cookies :)