Jump to content
thirty bees forum
  • 0

Cant login most of the time (no errors though)


hedgehog

Question

For some reason i cant login in my Tb 1.1.0 most of the time. When i log in i get back to the login page without any errors. In 2-8 tries i manage to login, but once i press something in the admin 1-4 times (any tab, shipping/products/settings etc) i log out and stuck at the login page again. Same way in anonymous browser tab. Really strange, i have another tb 110 website and it works just fine. I managed to get rid of the problem by setting PS_COOKIE_CHECKIP to 0 in the database, but still is there any other ways to fix that?

Link to comment
Share on other sites

5 answers to this question

Recommended Posts

  • 0
10 hours ago, hedgehog said:

I managed to get rid of the problem by setting PS_COOKIE_CHECKIP to 0 in the database, but still is there any other ways to fix that?

You answered yourself. Disable check cookie IP feature, and you are good to go.

What is the problem: The IP address the HTTP request arrived from to your server was different than the IP address for which original cookie was issued. Thirtybees detected this situation, and reacted accordingly -- disregard the request, and logged you out.

The Cookie IP address check feature is very outdated, and in my opinion it should be removed from the code. The original reason to have this was to prevent 'highjack cookie' attack. For example, if you were on a WIFI in the coffee shop, and logged-in to your store (without SSL), then anyone in the coffee shop could intercept the HTTP request, extract the cookie, and use it to gain access to your back office. The IP address check mechanism can prevent this because the new request comes from the different address... That's the theory. In practice, the attacker would share the IP address with you, because the coffee shop WIFI is behind some router with single public IP address. And so this IP check would not work at all here... The only correct way to prevent this attack is to always use SSL (https) connection. 

Note that there are many reasons why IP address changes. You ISP provider can have multiple gateways and load-balancing request between them. Or you can have your server behind cloudflare,... and many more. 

  • Like 2
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...