In order to keep the global configuration option lockIP enabled, it is mandatory to restore the original IP address of the client. Otherwise, (backend) users will lose their sessions once the proxy IP address of Cloudflare changes.
Currently, this does not work as expected for backend sessions using option enableOriginatingIPs=true, as the BackendUserAuthentication uses a cached value of the environment variable $_SERVER['REMOTE_ADDR']. This results in using Cloudflare's proxy IP for the IP lock mechanism.
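The failure described above, as an added example in plain PHP; it is not code from TYPO3 or from the extension. The function names, the trusted proxy range and all addresses are constructed for illustration, and the lock is simplified to an exact IP match.

```php
<?php
declare(strict_types=1);

// Constructed trusted-proxy range (documentation network), standing in for the CDN's published ranges.
const TRUSTED_PROXIES = ['198.51.100.0/24'];

/** True if IPv4 address $ip lies inside $cidr. */
function inCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $mask = -1 << (32 - (int)$bits);
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

/** IP to lock on: the forwarded header counts only when the peer is a trusted proxy. */
function originatingIp(array $server): string
{
    $peer = $server['REMOTE_ADDR'];
    $fwd = $server['HTTP_CF_CONNECTING_IP'] ?? '';
    foreach (TRUSTED_PROXIES as $cidr) {
        if (inCidr($peer, $cidr) && filter_var($fwd, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
            return $fwd;
        }
    }
    return $peer;
}

/** Hypothetical IP lock: the session stays valid only while the IP equals the one stored at login. */
function sessionValid(string $lockedIp, string $currentIp): bool
{
    return $lockedIp === $currentIp;
}

// Constructed requests: same client, but the proxy edge address differs between them.
$login = ['REMOTE_ADDR' => '198.51.100.10', 'HTTP_CF_CONNECTING_IP' => '203.0.113.7'];
$later = ['REMOTE_ADDR' => '198.51.100.99', 'HTTP_CF_CONNECTING_IP' => '203.0.113.7'];
// Constructed request whose peer is outside the trusted range; its header must not be honoured.
$untrusted = ['REMOTE_ADDR' => '192.0.2.50', 'HTTP_CF_CONNECTING_IP' => '203.0.113.7'];

// Lock taken from the raw (cached) REMOTE_ADDR: the proxy change invalidates the session.
var_dump(sessionValid($login['REMOTE_ADDR'], $later['REMOTE_ADDR']));
// Lock taken from the restored client IP: the session survives the proxy change.
var_dump(sessionValid(originatingIp($login), originatingIp($later)));
// Peer outside the trusted range: the lock falls back to REMOTE_ADDR and rejects the request.
var_dump(sessionValid(originatingIp($login), originatingIp($untrusted)));
```

The restored address only helps if the session code reads it at check time; a value captured before restoration behaves like the first case.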