Turned off cPanel sessions now sometimes can't switch to cPanel from WHM?

Discussion in 'Security' started by Ishware, Feb 8, 2018.

  1. Ishware

    Ishware Well-Known Member

    Joined:
    Nov 7, 2003
    Messages:
    182
    Likes Received:
    2
    Trophy Points:
    168
    Location:
    Panama City, FL
    cPanel Access Level:
    Root Administrator
    I assume there's some cache of sessions or something somewhere.

    For some sites, when I click to switch to cPanel from WHM, I get prompted that my cpsession isn't valid - but I just turned that off. For some sites it works, others it doesn't.

    I can confirm I successfully turned it off because it no longer appears in the URL and I'm able to load my favorite WHM URLs now from bookmarks - which is why I turned it off in the first place.

    So it must be storing these sessions somewhere that I need to remove.
     
  2. cPWilliamL

    cPWilliamL cP Technical Analyst II
    Staff Member

    Joined:
    May 15, 2017
    Messages:
    257
    Likes Received:
    27
    Trophy Points:
    103
    Location:
    America
    cPanel Access Level:
    Root Administrator
    Hi,

    Could you be more specific? Exactly which feature/setting did you disable?

    Thanks,
     
  3. Ishware

    Ishware Well-Known Member

    Apologies, assumed you'd magically read my mind and know every little thing offhand. lol. Serious on the apology.

    I set disable-security-tokens=1 in /car/cpanel/cpanel.conf (and then ran the script per the suggestion at the top of that file).

    And actually, I haven't run into the error for a while, but one of my reseller clients consistently can't transfer. She's prompted that her token is invalid and she needs to login, which doesn't work. She can log in to cPanel by using the subdomain, i.e. cpanel.example.com.
     
  4. Ishware

    Ishware Well-Known Member

    Screenshot: 2018-02-10 00_39_17-cPanel Login.png
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,009
    Likes Received:
    341
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Why are you disabling security tokens?
     
  6. Ishware

    Ishware Well-Known Member

    Before they existed, I don't believe anyone ever got into my cPanel or WHM that shouldn't've¹. I believe I'm otherwise sufficiently protected.

    And the downside is that I can't use bookmarks to get to frequently used pages, because the bookmark would never have a valid session in the URL. And in cases where I forget I have WHM or cPanel open in another tab and try to open a new one, the old tab is now logged out.

    I realize security is important, but in my humble opinion, it's so so much easier to turn it off and I don't think the benefit is sufficient.

    Maybe if I could somehow programmatically figure out the current session and create a little web app to open my common links instead of using bookmarks, that would be awesome. I believe I can sufficiently secure such a page. I'm not any god's gift to programming, but when I've written my little web apps, I've read a lot of tutorials on security and I think I'm doing a good job of securing that.....

    So I mean, I'm open to better ideas, but at the moment my humble opinion is that the increased security of the sessions is totally not worth the many times it's interfered with what I'm doing.

    I guess if I had an easy way of replicating the cPanel transfer button (listing all accounts in WHM), only 1) allowing for direct links to cPanel pages, and 2) some page that would allow me to set up "transfer" links into WHM... I could live with that, but I'm not sure where to start.

    Either way, I hope my rambling isn't annoying, and I appreciate any ideas or attempts to convince me to turn it back on.

    ______________
    ¹ I don't remember the precise year I started hosting with cPanel, but I've been hosting websites since 1996. Doesn't mean I'm an expert, just that I don't believe I've had any cPanel or WHM unauthorized accesses in all that time. Other problems, yes - out of date WordPress and PHP scripts, so I've learned to keep those up to date. heh
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I'm probably overshooting the runway, but it seems to me you might be using cPanel differently than I do and that's where my confusion is coming in here.

    If you're the only one using cPanel, that's fine, I guess. If you're hosting other users though, security becomes essential.

    I assume by common links you mean different accounts? You do know you can log in to your cPanel account and from there, log in to other cPanel accounts owned by you via a simple built-in menu, correct? There's no need to log in to WHM and then go to the accounts listing and get to your accounts from there.
     
  8. Ishware

    Ishware Well-Known Member

    After some further thought, I've re-enabled the tokens. But it still annoys me that I can't make bookmarks to certain pages without triggering the invalid token page, and in my experience, entering in the password on that page quite often doesn't work. Meh.

    But security is probably better than my annoyance.

    And let me clarify that I'm just venting a little. I love my cPanel, and depend on it. :)
     