Cant login most of the time (no errors though)

[hedgehog]

For some reason i cant login in my Tb 1.1.0 most of the time. When i log in i get back to the login page without any errors. In 2-8 tries i manage to login, but once i press something in the admin 1-4 times (any tab, shipping/products/settings etc) i log out and stuck at the login page again. Same way in anonymous browser tab. Really strange, i have another tb 110 website and it works just fine. I managed to get rid of the problem by setting PS_COOKIE_CHECKIP to 0 in the database, but still is there any other ways to fix that?

[yaniv14]

My guess would be something related to your server/hosting.

I never had this kind of error.

I know some hosting use Apache webserver with mod_security that might cause problems. 

[AndyC]

I've had this before..Clear all your cache, browser in admin and host .. I think what is happening it is picking up a outdated version.. You may be different but try anyway 

[wakabayashi]

I believe that, Cookies can influence such things.

[datakick]

10 hours ago, hedgehog said:

I managed to get rid of the problem by setting PS_COOKIE_CHECKIP to 0 in the database, but still is there any other ways to fix that?

You answered yourself. Disable check cookie IP feature, and you are good to go.

What is the problem: The IP address the HTTP request arrived from to your server was different than the IP address for which original cookie was issued. Thirtybees detected this situation, and reacted accordingly -- disregard the request, and logged you out.

The Cookie IP address check feature is very outdated, and in my opinion it should be removed from the code. The original reason to have this was to prevent 'highjack cookie' attack. For example, if you were on a WIFI in the coffee shop, and logged-in to your store (without SSL), then anyone in the coffee shop could intercept the HTTP request, extract the cookie, and use it to gain access to your back office. The IP address check mechanism can prevent this because the new request comes from the different address... That's the theory. In practice, the attacker would share the IP address with you, because the coffee shop WIFI is behind some router with single public IP address. And so this IP check would not work at all here... The only correct way to prevent this attack is to always use SSL (https) connection. 

Note that there are many reasons why IP address changes. You ISP provider can have multiple gateways and load-balancing request between them. Or you can have your server behind cloudflare,... and many more. 

[hedgehog]

9 hours ago, datakick said:

You answered yourself. Disable check cookie IP feature, and you are good to go.

 

okay then, thanks. i though this one should be enabled all the time otherwise its a security flaw or something