When I attempt to log in to AMP from a device that was just logged in but using a different IP address, I get a Token Rejected error even though I have Require Session IP Stickiness disabled in ADS. The audit log has the following entry: “Authentication failure from xx.xx.xx.xx - Token was locked to a different IP than the one you are connecting from.” I may use multiple devices with different IP addresses to manage AMP daily, and consistently getting logged out is quite annoying. Is this intended behaviour? Can this be fixed somehow? Thanks!
Reproduction Steps
Disable ‘Require Session IP Stickiness’ in ADS
Attempt to log in with a device that was just logged in to AMP from a different IP address.
Yeah, I do. This started happening after I finally set up proper proxy configuration by forwarding the real user IP to AMP and not just have the proxy IP. This seems to work fine, so I’m not really sure why disabling IP stickiness is not working; maybe it’s just broken for me? Or maybe I configured something wrong.
Did everything by that guide but nothing… If it helps at all, looking at the active sessions list in ADS, the old sessions are not closed, so I just have a long list of sessions all with the same IPs.
Session IDs are cleared when the ADS restarts, but Remember Me Tokens are not, so it could be some of those (and from memory, users are limited to 20 of each).
Session IDs by default expire after 5min of inactivity, so browsers that put tabs to sleep tend to cause issues.
Been poking around for a while now, still can’t figure it out. Tried both Firefox and Chrome. Tested every single setting somewhat related to proxy configuration. Even went as far as to make a whole new ADS instance that I set up as a controller in the same LXC container as nginx. I ruled out Cloudflare (set proxying off, DNS only) and my NPM instance (made a fresh nginx container and went exactly by the HTTPS setup guide).
I will come back to this, have more important stuff to focus on. In the meantime I’ll just go back to not forwarding IPs at all.