What are the disadvantage of disabling log out on IP change feature. ?

Vijayakumar J R

Active Member
Jul 15, 2019
30
0
6
banglore
cPanel Access Level
Root Administrator
Hello Team

I am using Cpanel for my project. I am coming out from Cpanel session every time whenever my public Ip changes.
So what are the disadvantages of disabling "log out on IP change" feature other than man-in-the-middle attack and if we enable HSTS, is it still required?

Awaiting for your response.

Thanks
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,269
313
Houston
Hello,

You cannot enable HSTS for cPanel services at this time but it can be done for your sites, though this would have no bearing on cPanel logins. For the specific setting are you referencing Cooking IP validation? The full details of that setting are as follows:
Cookie IP validation
Validate the IP addresses used in all cookie-based logins. This will limit the ability of attackers who capture cPanel session cookies to use them in an exploit of the cPanel or WebHost Manager interfaces. For this setting to have maximum effectiveness, proxydomains should also be disabled. Strict validation requires the current IP address and the cookie IP address to exactly match. Loose validation only requires they are in the same /24.
And in the docs:

https://docs.cpanel.net/whm/server-configuration/tweak-settings/88/ said:
Cookie IP validationThis setting validates IP addresses for cookie-based logins. This denies attackers the ability to capture cPanel session cookies in order to gain access to your server’s cPanel & WHM interfaces.
  • We strongly recommend that you do not rely on cookie-based IP validation.
  • When you enable this setting, we recommend that you disable the Service subdomains and Service subdomain creation settings.
  • disabled — The system does not validate IP addresses.
  • loose — The system requires that the access IP address and the cookie IP address must be in the same class C subnet.
  • strict — The system requires that the access IP address and the cookie IP address match exactly.
strict