Making your script work with security tokens in cPanel & WHM

What is a security token? “Security token” URLs were added in cPanel & WHM 11.25 as a security measure, and they were enabled by default in version 11.28. They help combat a common type of attack called a Cross-Site Request Forgery (XSRF). So, what does a “security token” look like? Take, for example, this URL: https://example.com:2087/i/love/cpanel With security tokens enabled, this would become: https://example.com:2087/cpsessYYYYYYY/i/love/cpanel In that example, cpsessYYYYYYY is the token unique to that logged-in …

Spread the love

What is a security token?
“Security token” URLs were added in cPanel & WHM 11.25 as a security measure, and they were enabled by default in version 11.28. They help combat a common type of attack called a Cross-Site Request Forgery (XSRF).

So, what does a “security token” look like? Take, for example, this URL:
https://example.com:2087/i/love/cpanel

With security tokens enabled, this would become:
https://example.com:2087/cpsessYYYYYYY/i/love/cpanel

In that example, cpsessYYYYYYY is the token unique to that logged-in user on that browser. (You can learn more about security tokens in cPanel & WHM by reading our Security Tokens white paper.) In order for your custom script to work with cPanel & WHM, every URL involved needs to be compatible with the security token.

Creating security token-compatible URLs

Fortunately, it is very easy to do!

The token is available in the environment variable ‘cp_security_token’.

If security tokens are not in use, ‘cp_security_token’ will be an empty string.

If security tokens are in use, ‘cp_security_token’ will be, in terms of the above example: /cpsessYYYYYYY

Note the preceding slash! Since the variable has that slash, the examples will work whether cPanel & WHM has security tokens enabled or disabled.

  • Here’s how you’d use it in Perl code that calls one of our API URLS.
    Simply change this:

    my $APIurl = "http://127.0.0.1:2087/xml-api/$url";

    to this:

    my $APIurl = "http://127.0.0.1:2087$ENV{'cp_security_token'}/xml-api/$url";

  • Here’s how you might use it in JavaScript for, say, an AJAX call.
    First, make it available to your JavaScript. For example:

    print <<"END_SECURITY_TOKEN_JAVASCRIPT";

    if ( !("CPANEL" in window) ) CPANEL = {};
    CPANEL.security_token = "$ENV{'cp_security_token'}";

    END_SECURITY_TOKEN_JAVASCRIPT

    Next, make your URLs compatible by changing this:

    var ajaxURL = '/3rdparty/ZZZ/zzz.cgi';

    to this:

    var ajaxURL = CPANEL.security_token + '/3rdparty/ZZZ/zzz.cgi';

Facebook Comments

More Stuff

What is CloudLinux? Guest post provided by CloudLinuxReaching a high level of stability can be difficult, sometimes unachievable, for many shared hosting companies. Sud...
A General Overview of Database Mapping Inside of 11.25.1 we are introducing a new feature called “database mapping” .  Despite the vague name, this feature has huge implications for integra...
How to Build a cPanel Hosting Environment on Amazo... Let’s say you need to find hosting for multiple web applications with cPanel backend access so clients cannot access each other’s backends. What can y...
LivePHP Currently, if you want to write a Plugin for cPanel, you can write it in either LivePHP or cPPHP. Last year, we put some major effort into refactoring...
Spread the love

Posted by News Monkey