
Webmail :: Disable the red security token notification?

Comments

17 comments

  • Infopro
    Have you tried closing all browser windows and then go back to Webmail and login properly, setting a new token?
    0
  • brt
    I'm not asking for myself. I constantly see it on clients' computers, and it really seems like a pretty pointless notification. What is it actually telling the average user? "Hey, sign back in, please." Except... they can see that without the notification.
    0
  • joako
    Sometimes I type the webmail URL and it shows the token error. I log in, then it takes me back to the login screen saying "you have logged out". I haven't bothered to report this bug since it's hard to give instructions for "sometimes you type the URL and this message shows up", and anyway cPanel doesn't bother to fix any bugs that are reported.
    0
  • Infopro
    I'm not asking for myself. I constantly see it on clients' computers, and it really seems like a pretty pointless notification. What is it actually telling the average user? "Hey, sign back in, please." Except... they can see that without the notification.

    When do you see it exactly? Having a proper security token every time you login should be important. Opening multiple windows on the same account for one example might cause this sort of issue.
    0
  • joako
    I am able to reproduce it like this:
    1. In Google Chrome, log in to webmail.
    2. Keep the browser open, but close the webmail tab.
    3. Visit the webmail login link (www.domain.com/webmail or
    -1
  • cPanelMichael
    Keep the browser open, but close the webmail tab

    Hello :) Do you experience the same behavior if you clear your browser cache before attempting to visit the webmail URL again? The steps you provided indicate security tokens are working as designed.

    Per our documentation (for users visiting this thread who are unfamiliar with them): cPanel & WHM includes security tokens to help combat XSRF attacks. The system inserts unique security tokens into the URL for a single login session. Any requests that a user makes without the appropriate token produce an error and result in a request for re-authentication. This action effectively stops XSRF attacks because the malicious URL will not contain the appropriate token.

    Thank you.
    0
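The mechanism cPanelMichael describes, as an added example that is not cPanel's own code: a toy server that issues one random token per login, requires it as the first path segment of every URL, and treats a token-less request (a forged cross-site link, or a retyped /webmail) as a request to re-authenticate. The `cpsess` prefix only mimics the shape of cPanel URLs; every route, account, message and helper name below is an assumption for illustration.

```python
# Added example, not cPanel's code: per-session security tokens carried in
# the URL, the XSRF defence described above. All names are hypothetical.
import secrets
from urllib.parse import urlsplit

TOKEN_PREFIX = "cpsess"  # assumed prefix; only the URL shape is borrowed


class WebmailServer:
    """Issues one token per login and demands it on every request URL."""

    def __init__(self):
        self.sessions = {}   # token -> username (live sessions only)
        self.cookies = {}    # cookie -> username (browser sends this automatically)
        self.users = {"alice@example.com": "hunter2"}  # constructed sample account

    def login(self, user, password):
        """Hypothetical credential check; returns (cookie, token-bearing base URL)."""
        if self.users.get(user) != password:
            return None
        token = TOKEN_PREFIX + secrets.token_hex(16)
        cookie = secrets.token_hex(16)
        self.sessions[token] = user
        self.cookies[cookie] = user
        return cookie, f"/{token}/webmail/"

    def logout(self, token):
        """Invalidate the token, so any URL still carrying it stops working."""
        self.sessions.pop(token, None)

    def handle(self, url, cookie=None):
        """Return (status, reason, body) for one request.

        reason is one of:
          'ok'            token present and live
          'missing_token' no token in the URL: serve the login form (re-auth)
          'stale_token'   token present but not a live session
        The cookie is deliberately not sufficient: a cross-site request
        carries the victim's cookie but cannot carry the per-session token.
        """
        segments = urlsplit(url).path.strip("/").split("/", 1)
        first = segments[0] if segments else ""
        if not first.startswith(TOKEN_PREFIX):
            return 401, "missing_token", "Please log in again."
        user = self.sessions.get(first)
        if user is None:
            return 403, "stale_token", "Security token invalid or expired. Please log in again."
        if self.cookies.get(cookie) != user:
            return 403, "cookie_mismatch", "Session cookie does not match this token."
        rest = segments[1] if len(segments) > 1 else ""
        return 200, "ok", f"{user} -> /{rest}"


def demo():
    """Walk through the situations discussed in the thread; returns reasons."""
    srv = WebmailServer()
    cookie, base = srv.login("alice@example.com", "hunter2")
    results = {}
    # 1. Normal use: the token rides along in every URL of the session.
    results["normal"] = srv.handle(base + "inbox", cookie)[1]
    # 2. XSRF attempt: an attacker's page makes the browser fetch a
    #    token-less URL. The cookie is attached automatically; the token is not.
    results["forged"] = srv.handle(
        "/webmail/settings/forward?to=attacker@example.net", cookie)[1]
    # 3. Close the tab and retype domain.tld/webmail: same code path as 2,
    #    hence the same "log in again" response the thread is about.
    results["retyped"] = srv.handle("/webmail/", cookie)[1]
    # 4. A bookmark that captured the token works only until logout.
    srv.logout(base.split("/")[1])
    results["after_logout"] = srv.handle(base + "inbox", cookie)[1]
    return results


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:13s} {reason}")
```

Note that the security decision is taken entirely on the `missing_token` / `stale_token` branches; what the login form says on those branches (a red error or a plain sign-in page) is presentation, which is the distinction the rest of the thread argues about.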
  • brt
    Ok, and that's great, but let's remove the red notice because it's pointless. If someone hits a login screen, this is 2015; they know their session has expired, or for whatever reason it's asking to re-login again. The problem isn't that they're somehow losing the token mid-session, but if you come back the next day [when you would expect to log in again] you don't just get a login form, you get an error as well. Throwing an error on the screen rather than just a login form is the problem here, as it implies there's a problem.
    0
  • Infopro
    Sounds to me like you've bookmarked the page once you got to it (and it has the session ID in the URL). Try editing your bookmark to be, just:
    0
  • brt
    Sounds to me like you've bookmarked the page once you got to it (and it has the session ID in the URL). Try editing your bookmark to be, just:
    0
  • Infopro
    I've got no clue what I'm doing but...
    I don't understand why when you come to the proper URL, even if you didn't actually sign out and have a previous active session open, why you get a session -error- message rather than just a login page.

    That's a new session.
    0
  • brt
    Yes, it is... and I still insist that this doesn't warrant a big red error message, or any notification, for that matter. Just the regular login prompt. Is this really that hard to understand? A red warning message implies that something is amiss, and it confuses the technically challenged. They simply need to log in again. Nothing that warrants a big red error message.
    0
  • Infopro
    Is this really that hard to understand?

    No, I'm following along just fine, I think, thanks. ;)
    A red warning message implies that something is amiss, and it confuses the technically challenged.

    I think that's the idea. Not the latter, the former. Something is amiss. Proper browser sessions are important, more now than ever before.
    ...get rid of the ugly...

    It may be ugly, but you/your clients get the point by its ugliness, I think. Your session is important and should be secured. More Info: Session (computer science) - Wikipedia
    0
  • brt
    This is still not getting through, for some reason... I understand the session. I think that should stay as it is. If someone logs in, reads their email, closes the tab, and then even one minute later types domain.tld/webmail, yes, it should ask them to log in again. I don't have any issue with that so far. I don't think there should be a red error message, however, as there is no problem. They simply need to log in again. So just display the login page as if there is no "missing session".
    0
  • Infopro
    This is still not getting through, for some reason...

    It is.
    0
  • joako
    Hello :) Do you experience the same behavior if you clear your browser cache before attempting to visit the webmail URL again? The steps you provided indicate security tokens are working as designed. Per our documentation (for users visiting this thread who are unfamiliar with them): cPanel & WHM includes security tokens to help combat XSRF attacks. The system inserts unique security tokens into the URL for a single login session. Any requests that a user makes without the appropriate token produce an error and result in a request for re-authentication. This action effectively stops XSRF attacks because the malicious URL will not contain the appropriate token. Thank you.

    I have not tried to clear the cache and cookies, but I would assume that if you did there would be no red error message. Perhaps the message should be more user-friendly, such as "Your session has expired. Please log in again."
    0
  • brt
    The question is: Why is any message required here at all? If I go to Facebook, or Google, or most any other site and I'm not logged in, I don't get a message about my session expiring; I get a login page, plain and simple. Keep the session expiration, keep all of the security aspects of this as they are. Simply ditch the error message and give a standard login page as normal.
    0
  • cPanelMichael
    I suggest opening a feature request if you want to see a change in this behavior: Submit A Feature Request Thank you.
    0
