Backend Constantly Logged Out (v1.7.4.2) with CF

[TinyStore]

I installed PS 1.7.4.2 and kept getting logged out of the backend with CF enabled.  Weird.

[ksaan]

What is CF ?

[TinyStore]

Sorry, Cloudflare.

[Knowband Plugins]

Hi,

Yes, you will face this issue with cloudflare. You need to disable cookie check on the IP.

To achieve the same go to Admin -> Advanced Parameters -> Administration & set Check the cookie's IP address to No.

Hope it will help.

[TinyStore]

That does, thank you.

I like this security feature.

[Guest]

You might be interested in this article: https://support.cloudflare.com/hc/en-us/articles/200170706-How-do-I-restore-original-visitor-IP-with-Nginx-

[TinyStore]

Thanks.  I had been being to get CF working but wasn't sure how to do it.

 

I ended up following these steps since I have Centos 6 and cPanel:

http://www.yogsays.com/install-easyapache-4-cloudflare-module-cpanel/

[Guest]

Honestly I would avoid any easy Apache modules unless absolutely necessary and just use HTTP headers instead. All these plugins decrease the overall stability if your system.

[Neale]

Ran in to this error only way to solve for me was in myphpadmin

Runing Appache on Ubuntu at Digital Ocean with Cloudflare 

Find Table: ps_configuration  > search under Name > PS_COOKIE_CHECKIP Change from 1 to 0 

Could not do in admin, period

[DouglasB16]

Hello Neale, I am having this same problem, but there isnt a Prefix_COOKIE_CHECKIP option in my prefix_configuration filemanager. Can you please help

[Nickz]

14 hours ago, DouglasB16 said:

but there isnt a Prefix_COOKIE_CHECKIP option in my prefix_configuration filemanager.

He said in phpmyadmin. That is the interface that lets you work in your database, caution act with care. Export the database first.

[DouglasB16]

Yes Neale, that is what baffles me because when I do get a quick second logged into back office I am able to see all the options to disable but I get kicked out when I try to turn them off. 
 

I am unsure if files can be hidden within PhpMyAdmin database?.. prestashop was installed via 1-click installation through my godaddy cpanel. 
 

is there a option I could send you something to see what I am dealing with to give you a better view maybe you can see something that I may be missing.

[Nickz]

4 hours ago, DouglasB16 said:

I am unsure if files can be hidden within PhpMyAdmin database?.. prestashop was installed via 1-click installation through my godaddy cpanel.

All data is stored in the database, that is how most CMS and shops work.

[DouglasB16]

44 minutes ago, Nickz said:

All data is stored in the database, that is how most CMS and shops work.

These are all the rows of my ps_configuration table. Can someone please allow me 30 mins of your time and I can provide snapshots of different files that can help you to have a better understanding of what I may be or have done wrong. The only thing I have done was add cloudflare ssl to my godaddy webhost. I have done nothing database wise within presatshop file. Another thing is, I installed prestashop through webhost cpanel and that is where I am left.

[Xenobier]

On 5/23/2021 at 10:57 PM, DouglasB16 said:

These are all the rows of my ps_configuration table. Can someone please allow me 30 mins of your time and I can provide snapshots of different files that can help you to have a better understanding of what I may be or have done wrong. The only thing I have done was add cloudflare ssl to my godaddy webhost. I have done nothing database wise within presatshop file. Another thing is, I installed prestashop through webhost cpanel and that is where I am left.

I faced a similar problem, and perhaps this could assist someone in the future:
1. Go to phpMyAdmin
2. Click on your PrestaShop database in the left column
3. You'll see a list of tables, click on ps_configuration
4. Scroll down to the bottom of the page
5. Find the option labeled "Number of rows" and set it to "500"
6. Go back to the top
7. Look for the "Filter row" section
8. In the "Filter row," type "PS_COOKIE_CHECKIP"
9. Click on "Edit"
10. In the "value" tab, change the number from "1" to "0"

[tomidjx]

On 8/18/2018 at 10:15 AM, Knowband Plugins said:

Hi,

Yes, you will face this issue with cloudflare. You need to disable cookie check on the IP.

To achieve the same go to Admin -> Advanced Parameters -> Administration & set Check the cookie's IP address to No.

Hope it will help.

Excellent..that did it for me.

[Driss Raiss]

On 8/18/2018 at 9:15 AM, Knowband Plugins said:

Hi,

Yes, you will face this issue with cloudflare. You need to disable cookie check on the IP.

To achieve the same go to Admin -> Advanced Parameters -> Administration & set Check the cookie's IP address to No.

Hope it will help.

Thanks bro it's work 🌷

[Jesus Suarez]

Many users have asked how to solve the constant Back Office logout problem in PrestaShop when Cloudflare is enabled.
The only commonly suggested solution is to disable “Check the cookie’s IP address” in the PrestaShop administration panel, which is quite absurd to be the “best” option, since it weakens an existing security mechanism.

Because of this, I decided to investigate an alternative and more correct solution that allows keeping IP validation enabled.

The root of the problem: 

PrestaShop relies on the REMOTE_ADDR variable to validate the user IP stored in the session cookie.

When Cloudflare is enabled, REMOTE_ADDR does not contain the real client IP. Instead, it contains a dynamic Cloudflare proxy IP, which can change every few minutes.

Each time this IP changes, PrestaShop detects a mismatch between the stored cookie IP and the current request IP, and automatically logs the user out.

Cloudflare does send the real visitor IP via the following header: CF-Connecting-IP

However, PrestaShop does not use this header by default.

The solution: 

The solution is to override REMOTE_ADDR before PrestaShop initializes, forcing it to use the real client IP provided by Cloudflare instead of the proxy IP.

Where to place the code

Edit the following file:

config/config.inc.php

Place the code as early as possible, preferably right after the _PS_DEBUG_PROFILING_ check (line 84), before PrestaShop loads sessions and cookies.

// Force real client IP when behind Cloudflare or reverse proxies

if (!empty($_SERVER['HTTP_CF_CONNECTING_IP'])) {
    // Cloudflare
    $_SERVER['HTTP_X_FORWARDED_FOR'] = $_SERVER['HTTP_CF_CONNECTING_IP'];
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_CF_CONNECTING_IP'];

} elseif (!empty($_SERVER['HTTP_X_REAL_IP'])) {
    // Other reverse proxies
    $_SERVER['HTTP_X_FORWARDED_FOR'] = $_SERVER['HTTP_X_REAL_IP'];
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_REAL_IP'];

} elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    // Load balancers or proxies with multiple IPs
    $ips = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
    $_SERVER['REMOTE_ADDR'] = trim($ips[0]);
}

 

What this code does: 

• Detects if the request is coming through Cloudflare
• Extracts the real client IP from CF-Connecting-IP
• Overrides REMOTE_ADDR with the real IP
• Ensures PrestaShop validates sessions using the correct client IP
• Prevents random Back Office logouts
• Allows keeping cookie IP verification enabled
• In short, it forces PrestaShop to use the real visitor IP instead of Cloudflare’s rotating proxy IPs.

Final result: 

• Back Office sessions remain stable
• IP verification can stay enabled
• Fully compatible with Cloudflare and other proxies
• No need to disable PrestaShop security features