Havouza Posted June 20, 2021 Share Posted June 20, 2021 Suddenly I get logged out from BO all the time. Nothing has been changed in ages. What can be the problem? Link to comment Share on other sites More sharing options...
Wartin Posted June 20, 2021 Share Posted June 20, 2021 Hello Maybe different cookie management of the browser? did you updated your browser? You can try another one. Link to comment Share on other sites More sharing options...
Havouza Posted June 20, 2021 Author Share Posted June 20, 2021 Found the setting dont check cokie ip. Now it seems ok again. Was old post about it in the forum. 1 Link to comment Share on other sites More sharing options...
Havouza Posted June 20, 2021 Author Share Posted June 20, 2021 The problem came fron activating the cloudflare proxy. Link to comment Share on other sites More sharing options...
datakick Posted June 21, 2021 Share Posted June 21, 2021 12 hours ago, Havouza said: The problem came fron activating the cloudflare proxy. Yeah, that's common issue. Once you are behind network proxy like cloudflare, requests from the same browser can reach your site from different ip addresses (that belongs to cloudflare). The safety mechanism kicks in, and your back office session is closed. If you want to use cloudflare, you need to disable IP check in the cookies, or modify core to correctly determine real source IP address (cloudflare sends this one in http header, but thirtybees ignores it) Link to comment Share on other sites More sharing options...
Havouza Posted June 21, 2021 Author Share Posted June 21, 2021 @datakick does this mean that using proxy in reality is less secure than checking cookie ip? Link to comment Share on other sites More sharing options...
datakick Posted June 21, 2021 Share Posted June 21, 2021 5 minutes ago, Havouza said: @datakick does this mean that using proxy in reality is less secure than checking cookie ip? When you log in to your back office, thirtybees will store your current IP address inside the cookie. On every request, the store will check that the IP address stored from the cookie matches the IP address of the request. If the request comes from different IP address, it will ignore the request, and close the session. When you are behind cloudflare proxy server, end user (browser) communicate with cloudflare proxy server instead of your site. When cloudflare can't handle the request from cache, it will contact your server to get retrieve content. This server->server communication is performed by one of the hundreds of cloudflare servers they have in their pool. Which one will be selected to do the job is entirely up to cloudflare. The end result is that every request to your site can, and usually will, come from different IP address belonging to cloudflare. And thats the reason why 'check ip address in cookie' feature does not work properly with cloudflare. As I wrote, there are two ways to fix this. You can either disable this check - yes, that will make your store slightly less secure, but if you are using https you should be pretty much fine. Alternative is to retrieve and use real end-user IP address that cloudflare sends in header. You can do this by modifying php code. I personally do this by putting another nginx server in front of my php server, this nginx do this translation automatically. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now