Kcfinder image loader is blocked but nothing in logs

Hi,
when we pause Cloudflare (CF) application works fine.
When it is on it produces error but it is not logged anywhere on CF.
I have disabled DDOS rules, page rules, managed rules, WAF IP rules, CF in developer mode but no change.
What else I can check but most importantly how could those access attempts get logged?

Thank you

Faced the same issue and spent two days to figure what actually happening. My first idea was that I faced a problem mentioned here:

So as the first attempt to solved I tried to add a “Lazy loading images” to KCFinder (and succeed). Unfortunately it does not helped. So I continued my investigations and finally found a reason. In a core/class/uploader.php file you can find a following fragment:

// SECURING THE SESSION
$stamp = array(
    'ip' => $_SERVER['REMOTE_ADDR'],
    'agent' => md5($_SERVER['HTTP_USER_AGENT'])
);

However when a user accessing your site through CF, different requests can have different remote addresses, which is breaking KCFinder session. So to fix it you can change the 'ip' => $_SERVER['REMOTE_ADDR'], string making 'ip' some unique sting through the user session (for myself I used an auth cookie value).

Good catch.

If the server is set up properly to account for this, it shouldn’t be a problem:

Thanks! This is definitely the best approach to this problem! Thank you!

1 Like