Cookie IP validation Per Reseller / CPanel ?

frenz

• November 20, 2014 15:36

Dear Sir, Is the Cookie IP validation a global setting ? Can it be set at Reseller Level or even Per CPanel ? Some Resellers do NOT want it enabled or maybe configurable per Reseller / CPanel account. Possible ? Thanks

• 

  24x7ss

  • November 21, 2014 12:03

  Hello :) Yes, it is a global setting and you can disable it from Security settings but disabling it is not recommended as this limits the ability of attackers who capture cPanel session cookies to use them in an exploit of the cPanel or WebHost Manager interfaces.

  0
• 

  frenz

  • November 21, 2014 14:11

  ]Hello :) Yes, it is a global setting and you can disable it from Security settings but disabling it is not recommended as this limits the ability of attackers who capture cPanel session cookies to use them in an exploit of the cPanel or WebHost Manager interfaces.

  
  Dear Sir, Not disabled but changed to Loose per Reseller / CPanel level as per request. Some users connect via mobile Internet and their IPs keep changing from time to time even during constant connection. Often, they were just kicked out suddenly 5 times within 10 minutes while working in the File Manager.

  0
• 

  cPanelMichael

  • November 21, 2014 14:47

  Hello :) This is a global setting that is not configurable on a per-domain or per-reseller basis. Thank you.

  0
• 

  frenz

  • November 21, 2014 16:02

  ]Hello :) This is a global setting that is not configurable on a per-domain or per-reseller basis. Thank you.

  
  Dear Sir, Will this become available in future release ?

  0
• 

  cPanelMichael

  • November 21, 2014 18:36

  Per the description of this option: Validate the IP addresses used in all cookie-based logins. This will limit the ability of attackers who capture cPanel session cookies to use them in an exploit of the cPanel or WebHost Manager interfaces. For this setting to have maximum effectiveness, proxydomains should also be disabled. Strict validation requires the current IP address and the cookie IP address to exactly match. Loose validation only requires they are in the same /24. Due to the nature of this option, it's not something that's username based. Thus, it can't be applied to individual accounts. Thank you.

  0

Please sign in to leave a comment.