Havouza Posted June 20, 2021
Suddenly I get logged out from BO all the time. Nothing has been changed in ages. What can be the problem?

Wartin Posted June 20, 2021
Hello. Maybe different cookie management of the browser? Did you update your browser? You can try another one.

Havouza (Author) Posted June 20, 2021
Found the setting "don't check cookie IP". Now it seems OK again. There was an old post about it in the forum.

Havouza (Author) Posted June 20, 2021
The problem came from activating the Cloudflare proxy.

datakick Posted June 21, 2021
12 hours ago, Havouza said: "The problem came from activating the Cloudflare proxy."
Yeah, that's a common issue. Once you are behind a network proxy like Cloudflare, requests from the same browser can reach your site from different IP addresses (that belong to Cloudflare). The safety mechanism kicks in, and your back office session is closed. If you want to use Cloudflare, you need to disable the IP check in the cookies, or modify core to correctly determine the real source IP address (Cloudflare sends this one in an HTTP header, but thirtybees ignores it).

Havouza (Author) Posted June 21, 2021
@datakick does this mean that using a proxy in reality is less secure than checking cookie IP?

datakick Posted June 21, 2021
5 minutes ago, Havouza said: "@datakick does this mean that using a proxy in reality is less secure than checking cookie IP?"

When you log in to your back office, thirtybees will store your current IP address inside the cookie. On every request, the store will check that the IP address stored in the cookie matches the IP address of the request. If the request comes from a different IP address, it will ignore the request and close the session.

When you are behind a Cloudflare proxy server, the end user (browser) communicates with the Cloudflare proxy server instead of your site. When Cloudflare can't handle the request from cache, it will contact your server to retrieve content. This server->server communication is performed by one of the hundreds of Cloudflare servers they have in their pool. Which one will be selected to do the job is entirely up to Cloudflare.

The end result is that every request to your site can, and usually will, come from a different IP address belonging to Cloudflare. And that's the reason why the 'check ip address in cookie' feature does not work properly with Cloudflare.

As I wrote, there are two ways to fix this. You can either disable this check - yes, that will make your store slightly less secure, but if you are using https you should be pretty much fine. The alternative is to retrieve and use the real end-user IP address that Cloudflare sends in a header. You can do this by modifying PHP code. I personally do this by putting another nginx server in front of my PHP server; this nginx does this translation automatically.
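
One way to make the PHP-side change described in the last post, as an added example that is not thirtybees core code and not from any poster in this thread: take the client address from Cloudflare's `CF-Connecting-IP` header only when the TCP peer is a trusted proxy, so a request that reaches the origin directly cannot supply its own value. The function names and the proxy ranges (documentation addresses) are assumptions; use the ranges Cloudflare publishes.

```php
<?php
// Added example, not thirtybees core code. TRUSTED_PROXIES holds constructed
// documentation ranges; replace them with the ranges Cloudflare publishes.
const TRUSTED_PROXIES = ['203.0.113.0/24', '2001:db8::/32'];

// True when $ip lies inside $cidr (IPv4 or IPv6).
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr) + [1 => null];
    $ipBin = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable address, or IPv4 compared with IPv6
    }
    $bits = $bits ?? (string) (strlen($ipBin) * 8); // bare address = full-length prefix
    if (!ctype_digit($bits) || (int) $bits > strlen($ipBin) * 8) {
        return false; // malformed or oversized prefix length
    }
    $bytes = intdiv((int) $bits, 8);
    if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) {
        return false; // whole-byte part of the prefix differs
    }
    $rem = (int) $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF; // leftover high bits of the next byte
    return (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

// Address to store in, and compare against, the back office cookie.
function clientIp(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $claimed = trim($server['HTTP_CF_CONNECTING_IP'] ?? '');
    foreach (TRUSTED_PROXIES as $cidr) {
        if (ipInCidr($peer, $cidr) && filter_var($claimed, FILTER_VALIDATE_IP) !== false) {
            return $claimed; // header honoured only when a trusted proxy sent it
        }
    }
    return $peer; // direct connection, or header missing/invalid
}

// Constructed requests: two proxy hops for one browser, then a direct request
// carrying the same header, which must not be believed.
foreach ([['203.0.113.10', '198.51.100.7'], ['203.0.113.77', '198.51.100.7'],
          ['192.0.2.50', '198.51.100.7']] as [$peer, $hdr]) {
    echo $peer, ' -> ', clientIp(['REMOTE_ADDR' => $peer, 'HTTP_CF_CONNECTING_IP' => $hdr]), PHP_EOL;
}
```

With the cookie check fed by `clientIp()`, the two proxy hops resolve to the same browser address, so the back office session survives while the IP check stays enabled.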