Login is not persistent, reload is enough to get logged out #413

Closed
opened 2026-04-05 21:11:43 +02:00 by MrUnknownDE · 0 comments
Owner

Originally created by @lukasreinert on 8/11/2025

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.34.3
  • Web-vault version: v2025.7.0
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.50.2
  • Uses config.json: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • TZ environment: Europe/Berlin
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: false
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)


Environment settings which are overridden: ADMIN_TOKEN

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": true,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "***://***",
  "domain_origin": "***://***",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": true,
  "email_2fa_enforce_on_verified_invite": true,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "DHC",
  "invitations_allowed": false,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": false,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": true,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "***,***,***",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "***",
  "smtp_from_name": "***",
  "smtp_host": "***",
  "smtp_password": "***",
  "smtp_port": ***,
  "smtp_security": "***",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "***",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

1.34.3

Deployment method

Official Container Image

Custom deployment method

Docker compose file (run via portainer as stack):

version: '3.8'

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      - ADMIN_TOKEN=${ADMIN_TOKEN}
      - TZ=${TZ}
    ports:
      - "8080:80"
      - "3012:3012"
    volumes:
      - vaultwarden_data:/data

volumes:
  vaultwarden_data:

Reverse Proxy

nginx/1.24.0 (Ubuntu)

Host/Server Operating System

Linux

Operating System Version

Windows 10, Windows 11 on which then the browser is running

Clients

Web Vault

Client Version

Brave 1.81.131 (Official Build) (64-bit) Chromium: 139.0.7258.66, Firefox 141.0.3 (64-bit)

Steps To Reproduce

  1. Go to the website of the self-hosted instance
  2. Login as usual (Enter Username/Email, Password, 2FA)
  3. If the page is now reloaded by refreshing it (CTRL+R), the user gets logged out and needs to enter their password again
  4. If the page is now reloaded by visiting a link to a collection, for example in a new tab, the user gets logged out and needs to enter their username/email and password again
  5. Just working in the same tab, i.e. clicking between "Vaults", "Send", "Tools" etc., works perfectly fine without a logout. The same goes for switching between "Password Manager" and "Admin Console", as well as for pasting a link to a collection and hitting enter in the address bar of the browser

Once the page is refreshed / gets reloaded, the user is immediately logged out and needs to sign in again.
Please note: I also tried different values for Timeout, here are my preferences:
EDIT: Also, setting it to any number of minutes, then deleting all cookies of that site and logging back in does not resolve the issue.

Image

I experience the same issue on another VW server I host, with basically the same setup: Nginx reverse proxy, same docker image

Expected Result

I expect that reloading the page does not require a new authentication (Username/Email, Password prompt) as long as the timeout in preferences has not yet been reached. However, I experience this issue immediately after a new login.

Actual Result

Reloading the page logs the user out of their session and the user must at least provide their password again, sometimes also their username/email and password.

Logs

[2025-08-11 17:07:41.984][request][INFO] GET /api/accounts/profile
[2025-08-11 17:07:41.990][response][INFO] (profile) GET /api/accounts/profile => 200 OK
[2025-08-11 17:07:41.995][request][INFO] GET /api/accounts/profile
[2025-08-11 17:07:41.997][response][INFO] (profile) GET /api/accounts/profile => 200 OK
[2025-08-11 17:07:45.347][request][INFO] POST /identity/connect/token
[2025-08-11 17:07:45.348][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL
[2025-08-11 17:07:45.350][response][INFO] (web_files) GET /<p..> [10] => 404 Not Found
[2025-08-11 17:07:45.354][response][INFO] (login) POST /identity/connect/token => 200 OK
[2025-08-11 17:07:45.368][request][INFO] GET /api/sync?excludeDomains=true
[2025-08-11 17:07:45.382][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
[2025-08-11 17:07:45.568][request][INFO] GET /api/accounts/revision-date
[2025-08-11 17:07:45.570][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK

Screenshots or Videos

No response

Additional Context

No response

Reference: github/vaultwarden#413