With Security Tokens forced on - Nothing can be bookmarked!

Discussion in 'Security' started by wdwms, May 2, 2013.

  1. wdwms

    wdwms Member

    Joined:
    Jan 31, 2005
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Greetings,
    For years we've had all sorts of URLs bookmarked in cPanel for easy access: email, AWStats, MySQL, etc. However, with the release of 11.38, Security Tokens is turned on and cannot be turned off. As a result, nothing can be bookmarked, as the URL now has the cpsession number in it. This results in us having to log in again every time, navigate through the cPanel menus, etc.

    Is there any solution to allow quick and easy access to the items we have bookmarked? It's one thing to have to type a password to access, but another to have to click through 3-4 screens!

    Thanks!

    -t
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,482
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Sure, the search box, top left corner. Once you've typed in email and clicked it in the results, the next time you log in it's listed in the Frequently Accessed Areas box, just below the search.
    Step one, log in. Step two, click the FAA link. Best part is, you're secured.


    Probably not what you're hoping for I bet, but that's the preferred way I would think, for security reasons.
     
  3. wdwms

    wdwms Member

    Not what we want at all... that still is too many clicks... we used to be able to hit a bookmark and easily bring up pages. Additionally, some of our admins don't need to see all the other options; they just want to see stats or such. Now we have to route them through something that could cause them to click on crap they don't need to touch.

    For example, in the past, a marketing person just had a link to the AWStats. He had the ID/password, would click the bookmark we gave him, review the stats and he was done.

    Now it's a disaster... there has got to be a better solution for this!
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    But he still has access to the entire account, nevertheless. And the connection is properly secured.

    Please feel free to open a Feature Request for fewer clicks here if you like:
    http://forums.cpanel.net/cpfeatures.php

    Thanks!
     
  5. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    You should still be able to bookmark the page with security tokens. You will just need to reauthenticate if the security token does not match so a new one can be generated.

    Which browser are you using?

    Thanks
     
  6. wdwms

    wdwms Member

    Because CPSession is now in the URL, the bookmarks are invalid. And the redirection from cPanel does not redirect you to the correct URL. It does work for phpMyAdmin (from WHM), but AWStats does not work.

    I understand security, I work in it full time for a major software company, but this is a terrible implementation.
     
  7. cPanelNick

    cPanelNick Administrator
    Staff Member

    I was not able to replicate this problem in any of our testing environments. Would you kindly open a ticket using the link in my signature so we can help diagnose this?

    If you have a method of implementing XSRF protection without the need to make sweeping changes that will also work for third-party integrators, we would be very interested in learning about it.
    Thanks
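
The flow discussed in this thread (a per-session token in the URL as XSRF protection, and reauthentication when a bookmarked token no longer matches so that a new one can be generated), as an added Python example that is not cPanel's code and not part of any post. The `cpsess` plus ten digits path prefix follows cPanel's URL layout; the function names, the sample `awstats.pl` path and the token values are constructed for illustration.

```python
import hmac
import re
import secrets

# Token is the first path segment: "cpsess" followed by ten ASCII digits.
TOKEN_RE = re.compile(r"^/(cpsess[0-9]{10})(/.*)?$")

def split_token(path):
    """Split a request path into (url_token, token_free_target)."""
    m = TOKEN_RE.match(path)
    if not m:
        return None, path
    return m.group(1), m.group(2) or "/"

def check_request(path, session_token):
    """Return ("serve", target) only when the URL token matches the session.

    Anything else (stale bookmark, missing token, no session) returns
    ("reauth", target). A valid session cookie alone is never enough,
    because a cross-site request carries the cookie but cannot know the token.
    """
    url_token, target = split_token(path)
    if (session_token is not None and url_token is not None
            and hmac.compare_digest(url_token, session_token)):
        return "serve", target
    return "reauth", target

def after_login(target):
    """After credentials are verified: mint a new token and rebuild the URL.

    Only the token-free target of the bookmark is kept; the stale token
    is discarded, so the bookmark lands on the page it pointed at.
    """
    token = "cpsess" + "".join(secrets.choice("0123456789") for _ in range(10))
    return token, "/" + token + target

if __name__ == "__main__":
    # Constructed sample: a bookmark saved during an earlier session.
    bookmark = "/cpsess0000000000/awstats.pl?config=example.com"
    action, target = check_request(bookmark, "cpsess1111111111")
    print(action, target)
    token, location = after_login(target)
    print(check_request(location, token))
```
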
     
  8. wdwms

    wdwms Member

    Nick, I've gone ahead and opened the support request for you: 4080751

    As for giving you ideas: our software does one thing - Single Sign-On for enterprise-wide infrastructures and web apps. I can't divulge any information, but there are better ways to do this. Hope you can respect my position.

    Thanks
     
  9. c4n

    c4n Registered

    Joined:
    Sep 9, 2006
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Same here, the bookmarked URLs don't work anymore because of the "token doesn't match" error.

    I understand tokens are required to fight CSRF, but it's annoying and there really should be a way of turning tokens off for users who know why they want that.
     
  10. c4n

    c4n Registered

    Great, and it also won't let me downgrade to 11.36.1.5 :mad:
     
  11. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    Joined:
    Feb 25, 2010
    Messages:
    1,842
    Likes Received:
    18
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Can you try turning off Enable HTTP Authentication in Home » Server Configuration » Tweak Settings? The link should work with that disabled.
     
  12. Jeet

    Jeet Member

    Joined:
    May 20, 2012
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Same issue here.. :mad:

    What was wrong with making this feature optional as before? Those who think they need additional security could have opted for it anyway. Please bring this option back in "tweak settings".
     