Horde with cPanel session security tokens
It took us several months to conclude in this and it happens under very certain circumstances.
# grep token /var/cpanel/cpanel.config
xsrftokens=1
and in file
/usr/local/cpanel/base/horde/imp/config/mime_drivers.local.php
$mime_drivers['html']['inline'] = true;
to display by default HTML messages. We noticed that behavior when some of our contacts have inline HTML images and when trying to view, reply or forward those emails using Horde. What happens is that the token being used in the image request does not match the token used in the webmail session that the email is viewed in, so it kills the session. This can be shown in the login and session logs.
/usr/local/cpanel/logs/session_log
.....tokendenied [Too many token failures (3/3)].....
/usr/local/cpanel/logs/login_log
multiple errors of ...DEFERRED LOGIN webmaild: security token incorrect...
If you wish I can provide a more detailed log. Please give me an email address to send this. This token denied error happens each time the session dies in Horde. When I view source on the email that this occurs on, I see the incorrect token requested in one of the images. As long as security tokens are enabled on the server, the Horde session will continue to be disconnected when a request to a resource is made that uses an invalid token for the active session. This is why it happens when viewing some emails but not others.
System Information
[~]# /usr/local/cpanel/cpanel -V
60.0 (build 26)
[~]# grep '' /etc/redhat-release /usr/local/cpanel/version /var/cpanel/envtype ; grep CPANEL= /etc/cpupdate.conf ; httpd -v ; php -v ; mysql -V
/etc/redhat-release:CentOS release 6.8 (Final)
/usr/local/cpanel/version:11.60.0.26
/var/cpanel/envtype:kvm
CPANEL=release
Server version: Apache/2.4.23 (cPanel)
Server built: Nov 8 2016 16:57:01
ea-php-cli Copyright 2016 cPanel, Inc.
PHP 7.0.13 (cli) (built: Nov 14 2016 15:24:28) ( NTS )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies
with Zend OPcache v7.0.13, Copyright (c) 1999-2016, by Zend Technologies
mysql Ver 15.1 Distrib 10.1.19-MariaDB, for Linux (x86_64) using readline 5.1
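The mismatch described in the post above can be checked offline. This added example is not from the thread or from cPanel; it scans an HTML message body for resource URLs that carry a security token other than the active session's. It assumes the token appears in the URL path as /cpsess<digits>/; the function names, host, paths and token values are made up for illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: the session security token sits in the URL path as /cpsess<digits>/.
TOKEN_RE = re.compile(r"/(cpsess\d+)/")
# Attributes that make the browser request a URL (on render or on click).
URL_ATTRS = {"src", "href", "background", "poster", "action"}


class _ResourceCollector(HTMLParser):
    """Collect (tag, attribute, url) for every URL-bearing attribute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.resources = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.resources.append((tag, name, value))


def stale_token_requests(html_body, active_token):
    """Return resources whose embedded token differs from the active session's."""
    collector = _ResourceCollector()
    collector.feed(html_body)
    collector.close()
    findings = []
    for tag, attr, url in collector.resources:
        match = TOKEN_RE.search(url)
        if match and match.group(1) != active_token:
            findings.append({"tag": tag, "attr": attr,
                             "token": match.group(1), "url": url})
    return findings


# Constructed sample: a forwarded message whose first inline image still
# points at another webmail session. Host, path and tokens are invented.
SAMPLE_HTML = """
<html><body>
<img src="https://mail.example.com:2096/cpsess1111111111/horde/imp/view.php?id=2">
<img src="https://mail.example.com:2096/cpsess2222222222/horde/imp/view.php?id=3">
<img src="cid:logo@example.com">
<a href="https://example.com/report">report</a>
</body></html>
"""

if __name__ == "__main__":
    for hit in stale_token_requests(SAMPLE_HTML, "cpsess2222222222"):
        print(f"<{hit['tag']} {hit['attr']}> carries {hit['token']}: {hit['url']}")
```

Each finding is a request that would count toward the "Too many token failures (3/3)" limit shown in the session log.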
If you wish I can provide a more detailed log. Please give me an email address to send this.
You should instead open a ticket directly with cPanel Technical Support about this if you suspect a defect.
Thanks, I will. Just wanted to mention it here in case someone else experiences this and has a solution other than disabling HTML messages in Horde or disabling security tokens in cPanel. Just did: Support request ID: 8053809