Defect #10931
openSession does not stay logged in
Description
Problem
I constantly have to log in even though I choose "stay logged in." If I have multiple tabs open and the session expires, they all show a basic auth login dialog which never works. I have to refresh the page to log in again, and if I do, it doesn't work in the other tabs when I refresh them. I have to log in yet again. Then once everything is logged in correctly, the session eventually is reset, forcing me to log in AGAIN. This usually happens after sleeping my laptop overnight and getting back to work the next day. I never close the browser.
Recently, I have started using an Android tablet, but the issue existed prior as well on one single browser on my laptop. It seems my autologin cookies are being cleared by Redmine for whatever reason.
I have the autologin cookie set to expire after 365 days.
Database Version
MySQL 5.5.16
Ruby Version
1.8.7
Rails Versions
2.3.14
Redmine Version
1.3.1.stable
Plugins
CRM plugin http://wwww.redminecrm.com RedmineCRM 2.2.3-light
Redmine Auto Identifier plugin Wade Womersley 0.0.1
Redmine Better Gantt Chart plugin https://github.com/kulesa/redmine_better_gantt_chart Alexey Kuleshov 0.6.1
Redmine Issue Checklist plugin http://redminecrm.com Kirill Bezrukov 1.0.2
Meetings plugin Arnaud Martel 0.1.1
Redmine Closed Date plugin http://github.com/ashton/redmine_closed_date Matheus Ashton Silva 0.0.1
Smart issues sort plugin Vitaly Klimov 0.2.4
Redmine Time Tracker plugin Jérémie Delaitre 0.4
Redmine Version Burndown Charts plugin http://daipresents.com/weblog/fujihalab/archives/2010/02/redmine-version-burndown-charts-plugin-release.php Dai Fujihara 0.0.5
Stuff To Do Plugin https://projects.littlestreamsoftware.com/projects/show/redmine-stuff-to-do Eric Davis 0.4.0
Timesheet Plugin https://projects.littlestreamsoftware.com/projects/redmine-timesheet Eric Davis of Little Stream Software 0.6.0
Updated by Jean-Philippe Lang over 12 years ago
Could you post the exact steps that should be followed to reproduce your issue?
Updated by Iurii Solovei about 11 years ago
Hello.
I have the same problem.
Has there been any solution over the last year?
Updated by Martin von Wittich about 2 years ago
I've had the same issue, and was able to track it down to a peculiar behaviour in Firefox. We are hosting our Redmine instance on redmine.company.tld, and I noticed that when I enabled the "Stay logged in" checkbox, Firefox would immediately lose the `_redmine_session` cookie after login, and would only keep the `autologin` cookie. Losing the `_redmine_session` cookie caused Redmine's CSRF validation to break because it relies on the session data. Not checking the "Stay logged in" checkbox didn't cause this behaviour, and opening Redmine in an incognito window also circumvented the problem completely.
The reason for this strange cookie-losing behaviour was that I had visited hundreds of different BigBlueButton subdomains of company.tld in the past few years, which each stored one session cookie per subdomain, which Firefox's session restore feature permanently stored as a part of my session. This had caused Firefox to accumulate ~180 cookies for company.tld in total, which is the per-domain limit. Firefox therefore decided to evict cookies, and for some reason it prefers to evict `Secure: false` cookies first instead of evicting the least recently used cookie. Redmine's `_redmine_session` is `Secure: false`, while the `autologin` cookie is `Secure: true`, and therefore the `_redmine_session` cookie bit the dust.
I've posted the whole story here: https://bugzilla.mozilla.org/show_bug.cgi?id=1698289#c17
TLDR: if you want to figure out if you're affected by the same issue, install the https://addons.mozilla.org/de/firefox/addon/cookie-quick-manager/ extension and search for your domain (e.g. company.tld if your Redmine is hosted on redmine.company.tld). If there are several hundred subdomains listed, or a subdomain with several hundred cookies, clean that up to resolve the issue.
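The eviction order described in the last comment, as a simplified model (an added example, not part of the thread and not Firefox's or Redmine's code). The one-at-a-time eviction, the two-label `base_domain`, the `JSESSIONID` sample cookies and the order in which the two login cookies are set are assumptions made for the illustration.

```python
from collections import namedtuple

PER_DOMAIN_LIMIT = 180  # approximate per-domain limit quoted in the comment above
# last_access is a logical clock: a larger value means more recently used.
Cookie = namedtuple("Cookie", "host name secure last_access")

def base_domain(host):
    # Assumption: last two labels. Browsers use the Public Suffix List instead.
    return ".".join(host.split(".")[-2:])

class CookieJar:
    def __init__(self, limit=PER_DOMAIN_LIMIT):
        self.limit, self.clock, self.cookies = limit, 0, []

    def set(self, host, name, secure):
        """Store a cookie; return the names of cookies evicted to make room."""
        self.clock += 1
        self.cookies = [c for c in self.cookies if (c.host, c.name) != (host, name)]
        same = [c for c in self.cookies if base_domain(c.host) == base_domain(host)]
        evicted = []
        while len(same) >= self.limit:
            # Non-Secure cookies go first; age only breaks ties within a class.
            victim = min(same, key=lambda c: (c.secure, c.last_access))
            same.remove(victim)
            self.cookies.remove(victim)
            evicted.append(victim.name)
        self.cookies.append(Cookie(host, name, secure, self.clock))
        return evicted

def full_jar():
    # Constructed sample: one Secure session cookie per visited subdomain.
    jar = CookieJar()
    for i in range(PER_DOMAIN_LIMIT):
        jar.set(f"bbb{i}.company.tld", "JSESSIONID", secure=True)
    return jar

def login(jar, stay_logged_in, session_secure=False, host="redmine.company.tld"):
    """Set the login cookies (session first, an assumption); list the survivors."""
    jar.set(host, "_redmine_session", secure=session_secure)
    if stay_logged_in:
        jar.set(host, "autologin", secure=True)
    return sorted(c.name for c in jar.cookies if c.host == host)

if __name__ == "__main__":
    print("no autologin:  ", login(full_jar(), stay_logged_in=False))
    print("stay logged in:", login(full_jar(), stay_logged_in=True))
    print("Secure session:", login(full_jar(), True, session_secure=True))
```

In this model the non-Secure session cookie survives a login without "Stay logged in" and is evicted as soon as the Secure `autologin` cookie is added to a full jar. When the session cookie is also Secure, both survive and only the oldest subdomain cookies are dropped.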