In Progress CPANEL-43326 - The security token is missing from your request.

[AndyX]

Please eliminate this erroneous message:



In Firefox I have my preference set to delete all cookies when I exit Firefox. So the "The security token is missing from your request" will always show no matter what I do. I don't think the message serves any useful purpose and should be eliminated.

Thank you.

 

[cPJustinD]

Hello AndyX! Are you accessing the cPanel or WHM login from a bookmark that contains a session token or ID?

 

[AndyX]

Hi Justin,

I access from a bookmark, here's an example of the URL:

https://domain.com:2083/

 

[cPJustinD]

I was able to replicate this; however, this appears to be expected behavior. If you would like, you can submit a feature request using the "Submit a Feature Request" link in my signature.

Our feature request site is actively reviewed and curated by our development team to identify potential future build plans and accept ideas and suggestions from our community. Adding a feature request here will allow the rest of cPanel's users to vote for it if it's something they would like to see implemented as well.

While we cannot guarantee that all requests will be accepted, this is the best way to make suggestions visible to the teams that build cPanel.

Additionally, you can also open a support ticket using the "Submit a ticket" link in my description to see if our analyst may be able to determine a workaround for the issue. If you decide to open a ticket, please provide the ticket number here to follow the ticket and update this thread with the resolution if possible.

 

[AndyX]

I submitted the feature request.

https://features.cpanel.net/topic/22136-the-security-token-is-missing-from-your-request

 

[cPJustinD]

You can also prevent this warning by logging out of the cPanel account properly before closing the browser. I tested this myself, and I no longer experiencing the warning upon the next login. The only additional step involved here is clicking the Logout option in cPanel before closing the browser.

I hope that this helps!

 

[AndyX]

You can also prevent this warning by logging out of the cPanel account properly before closing the browser. I tested this myself, and I no longer experiencing the warning upon the next login. The only additional step involved here is clicking the Logout option in cPanel before closing the browser.

I hope that this helps!

Hi Justin,

Sorry but this does not solve the issue. Logging out only sets a cookie. However as I explained in my first post, I use Firefox and the preference setting is to delete all cookies when I exit Firefox. so logging out "properly" is not a solution. The solution is to eliminate this erogenous message which is only found on cPanel and nowhere else on any other websites that I know of.

 

[cPJustinD]

I'm sorry to hear that. With that being said, I do see that the feature request has been submitted. Other users in the community experiencing this issue can now vote on the feature request, further allowing our developers to review and consider this request.

Thanks!

 

[AndyX]

Update on this bug. If cookies are cleared and I open a new tab and go to the following URL:

https://domain.com:2083

the login page does not show the "The security token is missing from your request." error message. However if I'm already logged into cPanel on one tab and I open a new tab, go to cPanel URL I get the "The security token is missing from your request." error message and a login page. This seams to be a bug, I'm already logged into cPanel on another tab, why does the second tab initiate a login, it should just go directly into cPanel home page.

 

[cPanelAnthony]

Hello! I can't seem to replicate this as of yet. I am guessing you're able to fully replicate it without issue? Would you be able to open a ticket using the link in my signature, or ask your web hosting provider to do so if you can't? I believe this would warrant a look. Please update me with the ticket ID if you do so.

 

[AndyX]

I am guessing you're able to fully replicate it without issue?

Yes I can replicate on many of the web hosting accounts I have at KnownHost. I asked KnownHost's tech support about this issue and they tell me:

This is actually the expected behavior of cPanel. It behaves like this so that a valid security token can not be pulled from your current active session and then used on another session somewhere else. This is what is known as cross site request forgery.

This article has some details on those:

https://owasp.org/www-community/attacks/csrf

 

[AndyX]

It sure would be nice if cPanel just eliminated this warning message.



The message is redundant and only serves to warn about nothing. It's pretty obvious a log in is required.

 

[cPRex]

@AndyX - I agree. I've made improvement case CPANEL-43326 to let our developers know, and maybe we can change or remove that in a future release, since it really just confuses the end user.

 

[AndyX]

Thank you, Rex.

 

[cPRex]

It looks like this thread was originally started during some days I had off, or else I would have done this for you years ago :D