With Security Tokens forced on - Nothing can be bookmarked!

wdwms

Member
Jan 31, 2005
16
0
151
Greetings,
For years we've had all sorts of URLs bookmarked in cpanel for easy access: email, awstats, mysql, etc. However with the release of 11.38, Security Tokens is turned on and can not be turned off. As a result, nothing can be bookmarked as the URL now has the cpsession number in it. This results in us having to re login every time, navigate through the cpanel menus, etc.

Is there any solution to allow quick and easy access to the items we have book marked? Its one thing to have to type a password to access, but another to have to click through 3-4 screens!

Thanks!

-t
 

Infopro

Well-Known Member
May 20, 2003
17,113
507
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
Sure, the search box, top left corner. Once you typed in email, clicked it in result, next time you login it's listed on the Frequently Accessed Areas box, just below the search.
Step one, login. Step 2 click FAA link. Best part is, you're secured.


Probably not what you're hoping for I bet, but that's the preferred way I would think, for security reasons.
 

wdwms

Member
Jan 31, 2005
16
0
151
Not what we want at all.. that still is too many clicks.. we used to be able to hit a book mark and easily bring up pages. Additionally, some of our admins don't need to see all the other options, the just want to see stats or such. Now we have to rout them through something that could cause them to click on crap they don't need to touch.

For example, in the past, a marketing person just had a link to the AWstats. He had the id/password, would click the bookmark we gave him, review the stats and he was done.

now its a disaster.. there has got to be a better solution for this!
 

Infopro

Well-Known Member
May 20, 2003
17,113
507
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
He had the id/password, would click the bookmark we gave him, review the stats and he was done.
But he still has access to the entire account, never the less. And the connection is properly secured.

Please feel free to open a Feature Request for less clicks here if you like:
http://forums.cpanel.net/cpfeatures.php

Thanks!
 

cPanelNick

Administrator
Staff member
Mar 9, 2015
3,488
35
158
cPanel Access Level
DataCenter Provider
You should still be able to bookmark the page with security tokens. You will just need to reauthenticate if the security token does not match so a new one can be generated.

Which browser are you using?

Thanks
 

wdwms

Member
Jan 31, 2005
16
0
151
You should still be able to bookmark the page with security tokens. You will just need to reauthenticate if the security token does not match so a new one can be generated.

Which browser are you using?

Thanks
Because CPSession is now in the URL, the bookmarks are invalid. And the redirection from Cpanel does not redirect you to the correct URL. It does work for PHPmyadmin (from WHM) but awstats does not work

I understand security, i work in it full time for a major software company, but this is a terrible implementation.
 

cPanelNick

Administrator
Staff member
Mar 9, 2015
3,488
35
158
cPanel Access Level
DataCenter Provider
Because CPSession is now in the URL, the bookmarks are invalid. And the redirection from Cpanel does not redirect you to the correct URL. It does work for PHPmyadmin (from WHM) but awstats does not work
I was not able to replicate this problem in any of our testing enviorments. Would you kindly open a ticket using the link in my signature so we can help disanose this?

I understand security, i work in it full time for a major software company, but this is a terrible implementation.
If you have a method of implementing xsrf protection without the need to make sweeping changes that will also work for third party integrators, we would be very intrested in learning about it.
Thanks
 

wdwms

Member
Jan 31, 2005
16
0
151
I was not able to replicate this problem in any of our testing enviorments. Would you kindly open a ticket using the link in my signature so we can help disanose this?

If you have a method of implementing xsrf protection without the need to make sweeping changes that will also work for third party integrators, we would be very intrested in learning about it.
Thanks
Nick, i've gone ahead and opened the support request for you: 4080751

As for giving you ideas; our software does 1 thing - Single Sign on for enterprise wide infrastructures and web apps. I can't divulge any information but there are better ways to do this. Hope you can respect my position.

Thanks
 

c4n

Member
Sep 9, 2006
12
2
153
Same here, the bookmarked URLs don't work anymore because of the "token doesn't match" error.

I understand tokens are required to fight CSRF, but it's annoying and there really should be a way of turning tokens off for users who know why they want that.
 

Jeet

Member
May 20, 2012
6
0
51
cPanel Access Level
Root Administrator
Same issue here.. :mad:

What was wrong with making this feature optional as before? Those who think they need additional security could have opted for it anyway. Please bring this option back in "tweak settings".