
How do I disable HTTP authentication on WHM/cPanel?

The design of HTTP Authentication does not allow for logging out of an authenticated session. Once an HTTP Authentication
session is established, the credentials are cached by the browser until the browser application is terminated. Some
browsers offer a way to flush the credentials, but it is neither reliable nor available in all browsers. Because the
authentication credentials are cached, they are a likely target for cross-site request forgery attacks, often known as XSRF
or CSRF.

Due to the inherent weaknesses of HTTP Authentication, cPanel recommends disabling its use with the product. This is
done by checking the box of the Tweak Setting labeled "Disable Http Authentication for cPanel/WebMail/WHM Logins (forces cookie authentication.) This will help prevent certain types of XSRF attacks that rely on cached Http Auth credentials."

Log in to your WHM/cPanel server and go to:
Main >> Server Configuration >> Tweak Settings

Under the security settings you will find the entry "Disable Http Authentication for cPanel/WebMail/WHM Logins (forces cookie authentication.) This will help prevent certain types of XSRF attacks that rely on cached Http Auth credentials."

Make sure the check box is ticked and save the settings. Even though it was shown as ticked with my default WHM installation, it did not work. After saving the settings I got messages like:

Updating "Skip HTTP Authentication" from "" to "1".
"Skip HTTP Authentication" was updated.

After that, everything will show up correctly.
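
To confirm the setting took effect rather than trusting the checkbox, the check below classifies a login endpoint's response as either an HTTP authentication challenge or a cookie-based login. It is an added example, not cPanel's code or part of the original post; the sample responses are constructed, and the host and port passed to `check` are assumed to be those of your own server.

```python
"""Added example: does a login endpoint still offer HTTP authentication?"""
import http.client

AUTH_SCHEMES = ("basic", "digest")  # schemes whose credentials browsers cache

def parse_head(raw: str):
    """Split a raw HTTP response head into (status, [(name, value), ...])."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def classify(status, headers):
    """Return 'http-auth' if the response challenges for HTTP auth, 'cookie'
    if it sets a cookie or redirects to a login page, else 'unknown'."""
    challenges = [v for n, v in headers if n == "www-authenticate"]
    offered = [c.split()[0].lower() for c in challenges if c.split()]
    if status == 401 and any(s in AUTH_SCHEMES for s in offered):
        return "http-auth"
    names = {n for n, _ in headers}
    if "set-cookie" in names or (300 <= status < 400 and "location" in names):
        return "cookie"
    return "unknown"

def check(host, port):
    """Send an unauthenticated GET / over TLS to your own server and classify it."""
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return classify(resp.status, [(n.lower(), v) for n, v in resp.getheaders()])
    finally:
        conn.close()

# Constructed sample responses (not captured from a real cPanel server).
BEFORE = 'HTTP/1.1 401 Access Denied\r\nWWW-Authenticate: Basic realm="WHM"\r\n\r\n'
AFTER = "HTTP/1.1 200 OK\r\nSet-Cookie: session=constructed; HttpOnly; Secure\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, classify(*parse_head(raw)))
```

A result of `http-auth` after saving the Tweak Setting means the server is still issuing an HTTP authentication challenge and the change should be re-applied.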
