thirty bees forum

Get logged out from BO all the time



12 hours ago, Havouza said:

The problem came from activating the Cloudflare proxy.

Yeah, that's a common issue. Once you are behind a network proxy like Cloudflare, requests from the same browser can reach your site from different IP addresses (that belong to Cloudflare).

The safety mechanism kicks in, and your back office session is closed.

If you want to use Cloudflare, you need to disable the IP check in the cookies, or modify the core to correctly determine the real source IP address (Cloudflare sends this one in an HTTP header, but thirtybees ignores it).


5 minutes ago, Havouza said:

@datakick does this mean that using a proxy is in reality less secure than checking the cookie IP?

When you log in to your back office, thirtybees will store your current IP address inside the cookie. On every request, the store will check that the IP address stored in the cookie matches the IP address of the request. If the request comes from a different IP address, it will ignore the request and close the session.

When you are behind the Cloudflare proxy server, the end user (browser) communicates with the Cloudflare proxy server instead of your site. When Cloudflare can't handle the request from cache, it will contact your server to retrieve the content. This server->server communication is performed by one of the hundreds of Cloudflare servers they have in their pool. Which one will be selected to do the job is entirely up to Cloudflare. The end result is that every request to your site can, and usually will, come from a different IP address belonging to Cloudflare.

And that's the reason why the 'check IP address in cookie' feature does not work properly with Cloudflare.

As I wrote, there are two ways to fix this. You can either disable this check - yes, that will make your store slightly less secure, but if you are using HTTPS you should be pretty much fine. The alternative is to retrieve and use the real end-user IP address that Cloudflare sends in a header. You can do this by modifying the PHP code. I personally do this by putting another nginx server in front of my PHP server; this nginx does the translation automatically.

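The "modify the PHP code" option from both replies above, as an added example that is not thirty bees core code and not datakick's own setup. It resolves the end-user address from Cloudflare's CF-Connecting-IP header (PHP exposes it as $_SERVER['HTTP_CF_CONNECTING_IP']) and then runs the cookie-vs-request IP comparison against that address instead of the raw REMOTE_ADDR. The caveat a practitioner wants is built in: the header is only honoured when the TCP peer is inside a trusted proxy range, because a request that bypasses Cloudflare and hits the origin directly could otherwise forge the header and defeat the check entirely. The function names, the trusted-proxy list (RFC 5737/3849 documentation networks standing in for the ranges Cloudflare publishes at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6) and the sample requests at the bottom are all illustrative assumptions.

```php
<?php
// Added example, not thirty bees core code. Trusted-proxy-aware client IP
// resolution plus the back office "cookie IP must match request IP" check.
// ASSUMPTIONS: TRUSTED_PROXIES holds placeholder documentation networks;
// replace them with Cloudflare's published ranges and keep them current.
declare(strict_types=1);

/** Networks (CIDR) whose forwarded-IP header we are willing to believe. */
const TRUSTED_PROXIES = [
    '203.0.113.0/24',   // placeholder (RFC 5737), not a real Cloudflare range
    '198.51.100.0/24',  // placeholder (RFC 5737), not a real Cloudflare range
    '2001:db8::/32',    // placeholder (RFC 3849), not a real Cloudflare range
];

/** $_SERVER key PHP uses for the CF-Connecting-IP request header. */
const REAL_IP_HEADER = 'HTTP_CF_CONNECTING_IP';

/** True when $ip (IPv4 or IPv6) lies inside $cidr; false on any parse problem. */
function ipInCidr(string $ip, string $cidr): bool
{
    $parts  = explode('/', $cidr, 2);
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($parts[0]);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable address, or IPv4 tested against an IPv6 range
    }
    $maxBits = strlen($ipBin) * 8;
    $bits    = isset($parts[1]) ? min((int) $parts[1], $maxBits) : $maxBits;
    $full    = intdiv($bits, 8);
    if (substr($ipBin, 0, $full) !== substr($netBin, 0, $full)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF; // leading $rem bits of the partial byte
    return (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

function isTrustedProxy(string $ip): bool
{
    foreach (TRUSTED_PROXIES as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Real client address for a request. The proxy header is used only when the
 * TCP peer (REMOTE_ADDR) is a trusted proxy and the header holds a valid IP;
 * otherwise the peer address itself is returned, so a direct-to-origin request
 * cannot choose the address the cookie check will compare against.
 */
function clientIp(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (isTrustedProxy($peer) && !empty($server[REAL_IP_HEADER])) {
        $claimed = trim((string) $server[REAL_IP_HEADER]);
        if (filter_var($claimed, FILTER_VALIDATE_IP) !== false) {
            return $claimed;
        }
    }
    return $peer;
}

/** The safety check: address stored in the cookie at login == address now. */
function sessionIpMatches(string $ipStoredInCookie, array $server): bool
{
    return hash_equals($ipStoredInCookie, clientIp($server));
}

// Constructed demo requests. The same browser (192.0.2.10) logs in through one
// proxy node and comes back through another, as described in the thread.
$loginRequest = ['REMOTE_ADDR' => '203.0.113.5',   REAL_IP_HEADER => '192.0.2.10'];
$nextRequest  = ['REMOTE_ADDR' => '198.51.100.77', REAL_IP_HEADER => '192.0.2.10'];
$storedInCookie = clientIp($loginRequest);

echo "raw REMOTE_ADDR comparison: ",
    ($loginRequest['REMOTE_ADDR'] === $nextRequest['REMOTE_ADDR']) ? "session kept\n" : "session closed\n";
echo "proxy-aware comparison:     ",
    sessionIpMatches($storedInCookie, $nextRequest) ? "session kept\n" : "session closed\n";

// Forged header from a host that is not a trusted proxy: header is ignored,
// so the attacker's own address is compared and the session is not hijacked.
$spoof = ['REMOTE_ADDR' => '192.0.2.200', REAL_IP_HEADER => '192.0.2.10'];
echo "spoofed header, untrusted peer: ",
    sessionIpMatches($storedInCookie, $spoof) ? "session kept\n" : "session closed\n";
```

The nginx-in-front approach datakick mentions does the same thing at the web-server layer with the ngx_http_realip_module: `set_real_ip_from` entries for each Cloudflare range and `real_ip_header CF-Connecting-IP;` rewrite the peer address before PHP sees REMOTE_ADDR, so the unmodified cookie check keeps working. Whichever layer you do it in, the trusted-range restriction is the part that decides whether the proxy setup is as secure as the original check: with it, the stored IP is the real user's; without it, the header is attacker-controlled and the check is worth nothing.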
