Webmail :: Disable the red security token notification?

brt

Well-Known Member
Jul 9, 2015
US
cPanel Access Level
Root Administrator
Is there any way to completely get rid of the ugly "The security token is missing from your request." notification that's so often on the webmail login page?

It clutters up a nice, clean login page.
 


brt

Well-Known Member
Jul 9, 2015
US
cPanel Access Level
Root Administrator
I'm not asking for myself. I constantly see it on clients' computers, and it really seems like a pretty pointless notification.
What is it actually telling the average user? "Hey, sign back in, please." Except... they can see that without the notification.
 

joako

Well-Known Member
Aug 7, 2003
cPanel Access Level
DataCenter Provider
Sometimes I type the webmail URL and it shows the token error; I log in, then it takes me back to the login screen saying "you have logged out".

Haven't bothered to report this bug since it's hard to give instructions to "sometimes you type the URL and this message shows up", and anyway cPanel doesn't bother to fix any bugs that are reported.
 

Infopro

Well-Known Member
May 20, 2003
Pennsylvania
cPanel Access Level
Root Administrator
I'm not asking for myself. I constantly see it on clients' computers, and it really seems like a pretty pointless notification.
What is it actually telling the average user? "Hey, sign back in, please." Except... they can see that without the notification.
When do you see it exactly? Having a proper security token every time you log in should be important.

Opening multiple windows on the same account for one example might cause this sort of issue.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Keep the browser open, but close the webmail tab
Hello :)

Do you experience the same behavior if you clear your browser cache before attempting to visit the webmail URL again? The steps you provided indicate security tokens are working as designed. Per our documentation (for users visiting this thread who are unfamiliar with them):

cPanel & WHM includes security tokens to help combat XSRF attacks. The system inserts unique security tokens into the URL for a single login session. Any requests that a user makes without the appropriate token produce an error and result in a request for re-authentication. This action effectively stops XSRF attacks because the malicious URL will not contain the appropriate token.

Thank you.
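As an added illustration of the token check described in the quoted documentation (example code written for this thread, not cPanel's own implementation; the session store, cookie name and login/logout helpers are constructed, and only the cpsess URL prefix follows the form cPanel uses):

```python
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum

@dataclass
class Session:
    user: str
    token: str  # the per-login URL token, e.g. "cpsess0123456789"

# Constructed stand-in for the server-side session store (cookie id -> session).
SESSIONS: dict[str, Session] = {}
COOKIE = "session"  # hypothetical cookie name for this example

class Outcome(Enum):
    VALID = "serve the page"
    NO_SESSION = "anonymous visitor: plain login page"
    TOKEN_MISSING = "live session but no token in URL: refuse, re-authenticate"
    TOKEN_MISMATCH = "live session but wrong token: refuse, re-authenticate"

def login(user: str) -> tuple[str, str]:
    """Create a session; returns (cookie value, URL token to build links with)."""
    sid = secrets.token_urlsafe(16)
    token = "cpsess" + str(secrets.randbelow(10**10)).zfill(10)
    SESSIONS[sid] = Session(user, token)
    return sid, token

def logout(sid: str) -> None:
    SESSIONS.pop(sid, None)

def check_request(path: str, cookies: dict[str, str]) -> Outcome:
    """Classify a request by its session cookie and the token in its path.

    The browser sends the cookie automatically, including on a link it was
    lured into following from another site; the token lives only in URLs the
    user reached by logging in, so a forged request lacks it. The same check
    fires when a user with a still-live session types the bare /webmail URL
    by hand, which is the situation debated in this thread.
    """
    session = SESSIONS.get(cookies.get(COOKIE, ""))
    if session is None:
        return Outcome.NO_SESSION
    segments = [s for s in path.split("/") if s]
    if not segments or not segments[0].startswith("cpsess"):
        return Outcome.TOKEN_MISSING
    # Constant-time comparison: a wrong token costs the same as the right one.
    if not hmac.compare_digest(segments[0], session.token):
        return Outcome.TOKEN_MISMATCH
    return Outcome.VALID
```

With the session cookie gone (cleared or logged out), a bare /webmail request falls into NO_SESSION rather than TOKEN_MISSING, so only the plain login page applies; the warning is reserved for the case where a live session exists but the request does not prove it came from that session's own pages.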
 

brt

Well-Known Member
Jul 9, 2015
US
cPanel Access Level
Root Administrator
Ok, and that's great, but let's remove the red notice because it's pointless. If someone hits a login screen, this is 2015; they know their session has expired, or for whatever reason it's asking to re-login again.

The problem isn't that they're somehow losing the token mid-session, but if you come back the next day [when you would expect to log in again] you don't just get a login form, you get an error as well.

Throwing an error on the screen rather than just a login form is the problem here, as it implies there's a problem.
 

brt

Well-Known Member
Jul 9, 2015
US
cPanel Access Level
Root Administrator
Sounds to me like you've bookmarked the page once you got to it (and it has the session ID in the URL).

Try editing your bookmark to be, just: http://domain.com/webmail

If you came back the next day and just typed in domain.com/webmail you should be getting a new session ID as well, and not seeing the error.
No -- see post #6 above to reproduce. I don't want to play the "I know what I'm doing" card, because I hate it when people act like that, but I'm not just some random end user; we host hundreds of websites for our clients and get asked about this quite a lot. I don't understand why, when you come to the proper URL, even if you didn't actually sign out and have a previous active session open, you get a session -error- message rather than just a login page.
 

brt

Well-Known Member
Jul 9, 2015
US
cPanel Access Level
Root Administrator
Yes, it is........ and I still insist that this doesn't warrant a big red error message, or any notification, for that matter. Just the regular login prompt.

Is this really that hard to understand? A red warning message implies that something is amiss, and it confuses the technically challenged. They simply need to log in again. Nothing that warrants a big red error message.
 

Infopro

Well-Known Member
May 20, 2003
Pennsylvania
cPanel Access Level
Root Administrator
Is this really that hard to understand?
No, I'm following along just fine, I think, thanks. ;)

A red warning message implies that something is amiss, and it confuses the technically challenged.
I think that's the idea. Not the latter, the former. Something is amiss.

Proper browser sessions are important, more now than ever before.

...get rid of the ugly...
It may be ugly, but you/your clients get the point by its ugliness, I think. Your session is important and should be secured. More info:

Session (computer science) - Wikipedia
 

brt

Well-Known Member
Jul 9, 2015
US
cPanel Access Level
Root Administrator
This is still not getting through, for some reason...

I understand the session. I think that should stay as it is. If someone logs in, reads their email, closes the tab, and then even one minute later types domain.tld/webmail, yes, it should ask them to log in again. I don't have any issue with that so far.

I don't think there should be a red error message, however, as there is no problem. They simply need to log in again. So just display the login page as if there is no "missing session".
 

joako

Well-Known Member
Aug 7, 2003
cPanel Access Level
DataCenter Provider
Hello :)

Do you experience the same behavior if you clear your browser cache before attempting to visit the webmail URL again? The steps you provided indicate security tokens are working as designed. Per our documentation (for users visiting this thread who are unfamiliar with them):

cPanel & WHM includes security tokens to help combat XSRF attacks. The system inserts unique security tokens into the URL for a single login session. Any requests that a user makes without the appropriate token produce an error and result in a request for re-authentication. This action effectively stops XSRF attacks because the malicious URL will not contain the appropriate token.

Thank you.
I have not tried to clear the cache and cookies but I would assume that if you did there would be no red error message.

Perhaps the message should be more user-friendly, such as "Your session has expired. Please log in again."
 

brt

Well-Known Member
Jul 9, 2015
US
cPanel Access Level
Root Administrator
The question is: Why is any message required here at all? If I go to Facebook, or Google, or most any other site and I'm not logged in, I don't get a message about my session expiring; I get a login page, plain and simple.

Keep the session expiration, keep all of the security aspects of this as they are. Simply ditch the error message and give a standard login page as normal.