If your Gyroscope project is running behind a CloudFlare proxy, there is an important setting in lb.php to switch on:
$stablecf=0; //set to 1 when behind CloudFlare
Change the above line to:
$stablecf=1; //set to 1 when behind CloudFlare
Not setting the switch correctly could result in unexpected sign-out of users or failure to log in in the first place.
The most common symptom is that a full refresh (Ctrl+F5 on Windows, Command+R on a Mac) logs out the currently signed-in user.
Also, on browsers without keep-alive (e-readers, some smart TVs, vessel-mount terminals, etc.), the login screen appears to "expire".
The root cause of this issue is that the CloudFlare proxy uses a random IP address to connect to the actual server. Gyroscope recognizes the original IP address, or the "end client" IP, but it also uses CloudFlare's address, or the "interface IP", to verify the user's identity.
By default, "stablecf" is set to be off. This allows Gyroscope to detect any IP spoofing attempts. A malicious user could claim any end client IP through a forwarding header. But the interface IP cannot be modified, so the impersonation would be prevented.
CloudFlare maintains IP stability for keep-alive browsers. However, when a browser issues a full refresh, the previous connection is dropped, and CloudFlare uses a different interface IP for the new one.
Some browsers do not have keep-alive or connection pooling at all. For example, each request sent from the Kindle Paperwhite (KPW) browser is "fresh". This means that, without stabilizing the interface IP, a user would have trouble logging in.
It is safe to switch on "stablecf" when the server is behind CloudFlare or any other trusted reverse proxy. Some firewall or load balancing services do not randomize IP addresses; in such cases "stablecf" should be left off.
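A minimal model of the check described above, as an added example (not Gyroscope's code): the function names, the proxy ranges and the `trusted-proxy` label are hypothetical, the addresses are constructed from documentation ranges, and only IPv4 is handled. It shows why a rotating interface IP signs the user out with the switch off, and why the interface IP should only be stabilized for addresses that belong to the trusted proxy.

```php
<?php
// Added illustration, not Gyroscope's implementation. All names are hypothetical.

// Constructed sample: address ranges of the reverse proxy the origin trusts.
const TRUSTED_PROXY_CIDRS = ['198.51.100.0/24', '203.0.113.0/24'];

// IPv4-only CIDR membership test; malformed input never matches.
function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr);
    $a = ip2long($ip);
    $n = ip2long($net);
    if ($a === false || $n === false) return false;
    $mask = -1 << (32 - (int)$bits);
    return ($a & $mask) === ($n & $mask);
}

function is_trusted_proxy(string $ip): bool {
    foreach (TRUSTED_PROXY_CIDRS as $cidr) {
        if (ip_in_cidr($ip, $cidr)) return true;
    }
    return false;
}

// Binding value stored at login and recomputed on every later request.
function session_binding(string $interfaceIp, string $endClientIp, bool $stable, string $secret): string {
    // Switch on: the proxy's rotating address collapses to one constant label,
    // but only when the connection really comes from the trusted proxy.
    if ($stable && is_trusted_proxy($interfaceIp)) {
        $interfaceIp = 'trusted-proxy';
    }
    return hash_hmac('sha256', $interfaceIp . '|' . $endClientIp, $secret);
}

$secret = 'constructed-demo-secret';
$client = '192.0.2.10'; // end client IP as claimed in the forwarding header

foreach ([false, true] as $stable) {
    $login   = session_binding('198.51.100.7', $client, $stable, $secret);
    $refresh = session_binding('198.51.100.42', $client, $stable, $secret); // proxy used another address
    $direct  = session_binding('192.0.2.66', $client, $stable, $secret);    // same header, not via the proxy
    printf("stable=%d  full refresh: %s  direct connection: %s\n", (int)$stable,
        hash_equals($login, $refresh) ? 'session kept' : 'signed out',
        hash_equals($login, $direct) ? 'accepted' : 'rejected');
}
```

In this model the switch is only as safe as the trusted range list: the origin should accept forwarding headers solely from connections whose interface IP falls inside it.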