PrivX web UI keeps logging me out

If you're running PrivX in HA environment, with a load balancer in front of PrivX, please check the values of following settings.

In /opt/privx/etc/oauth-shared-config.toml:

[privx-ui]

use_cookies = true
use_fingerprint = true

The above values enable device fingerprinting and http-only cookies for PrivX. If client's IP keeps on changing or PrivX detects user's IP incorrectly, the cookies will expire and user will be kicked out.
You can either set these values to false or try to fix the issue by checking that user's IP is resolved correctly.

See /opt/privx/etc/shared-config.toml:

[restapi]

# Which X-Forwarded-For IP address to use, when resolving client IP.
# Counted from the end to the beginning.
# i.e. with the following example: X-Forwarded-For: faked-ip.com, webproxy.ip, 123.11.12.3, elb-ip
# using value 1 would pick the second item from the end, which would be 123.11.12.3
# If not using load balancers, use the value 0
# Used for resolving client IP for role IP restrictions and login rate limiter.
# Does not affect to SSH-MITM and RDP-MITM IP restrictions.
# If role IP restrictions are not used, this setting is ignored.
# Default value 0 = use the last IP address in the provided X-Forwarded-For header
strip_how_many_x_forwarded_for_client_ips = 1

The "strip_how_many_x_forwarded_for_client_ips" attribute is used for determining user's IP address from X-Forwarded-For header. If running a web load balancer in front of PrivX installation, which adds its own IP address to the header, this value should be changed to 1. Please check your audit events to see if user's IP address looks correct.


Did this page help you?