Project

General

Profile

Actions

Defect #10931

open

Session does not stay logged in

Added by Brenden Soares over 12 years ago. Updated about 2 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Affected version:

Description

Problem

I constantly have to login even though I choose "stay logged in." If I have multiple tabs open and the session expires they all show a basic auth login dialog which never works. I have to refresh the page to login again and if I do it doesn't work in the other tabs when I refresh them. I have to login yet again. Then once everything is logged in correctly, the session eventually is reset forcing me to login AGAIN. This usually happens after sleeping my laptop over night and getting back to work the next day. I never close the browser.

Recently, I have started using an android tablet, but the issue existed prior as well on one single browser on my laptop. It seems my autologin cookies are being cleared by redmine for whatever reason.

I have the autologin cookie set to expire after 365 days.

Database Version

MySQL 5.5.16

Ruby Version

1.8.7

Rails Versions

2.3.14

Redmine Version

1.3.1.stable

Plugins

CRM plugin http://wwww.redminecrm.com RedmineCRM 2.2.3-light
Redmine Auto Identifier plugin Wade Womersley 0.0.1
Redmine Better Gantt Chart plugin https://github.com/kulesa/redmine_better_gantt_chart Alexey Kuleshov 0.6.1
Redmine Issue Checklist plugin http://redminecrm.com Kirill Bezrukov 1.0.2
Meetings plugin Arnaud Martel 0.1.1
Redmine Closed Date plugin http://github.com/ashton/redmine_closed_date Matheus Ashton Silva 0.0.1
Smart issues sort plugin Vitaly Klimov 0.2.4
Redmine Time Tracker plugin Jérémie Delaitre 0.4
Redmine Version Burndown Charts plugin http://daipresents.com/weblog/fujihalab/archives/2010/02/redmine-version-burndown-charts-plugin-release.php Dai Fujihara 0.0.5
Stuff To Do Plugin https://projects.littlestreamsoftware.com/projects/show/redmine-stuff-to-do Eric Davis 0.4.0
Timesheet Plugin https://projects.littlestreamsoftware.com/projects/redmine-timesheet Eric Davis of Little Stream Software 0.6.0

Actions #1

Updated by Jean-Philippe Lang over 12 years ago

Could you post the exact steps that should be followed to reproduce your issue?

Actions #2

Updated by Iurii Solovei about 11 years ago

Hello.
I have the same problem.
Have any solution over the last year?

Actions #3

Updated by Iurii Solovei about 11 years ago

And now?

Actions #4

Updated by Martin von Wittich about 2 years ago

I've had the same issue, and was able to track it down to a peculiar behaviour in Firefox. We are hosting our Redmine instance on redmine.company.tld, and I noticed that when I enabled the "Stay logged in" checkbox, Firefox would immediately lose the `_redmine_session` cookie after login, and would only keep the `autologin` cookie. Losing the `_redmine_session` cookie caused Redmine's CSRF validation to break because it relies on the session data. Not checking the "Stay logged in" checkbox didn't cause this behaviour, and opening Redmine in an incognito window also circumvented the problem completely.

The reason for this strange Cookie-losing behaviour was that I had visited hundreds of different BigBlueButton subdomains of company.tld in the past few years, which each stored one session cookie per subdomain, which Firefox's session restore feature permanently stored as a part of my session. This had caused Firefox to accumulate ~180 cookies for company.tld in total, which is the per-domain limit. Firefox therefore decided to evict cookies, and for some reason it prefers to evict `Secure: false` cookies first instead of evicting the least recently used cookie. Redmine's `_redmine_session` is `Secure: false`, while the `autologin` cookie is `Secure: true`, and therefore the `_redmine_session` cookie bit the dust.

I've posted the whole story here: https://bugzilla.mozilla.org/show_bug.cgi?id=1698289#c17

TLDR: if you want to figure out if you're affected by the same issue, install the https://addons.mozilla.org/de/firefox/addon/cookie-quick-manager/ extension and search for your domain (e.g. company.tld if your Redmine is hosted on redmine.company.tld). If there are several hundred subdomains listed, or a subdomain with several hundred cookies, clean that up to resolve the issue.

Actions

Also available in: Atom PDF