Defect #10931


Session does not stay logged in

Added by Brenden Soares about 12 years ago. Updated over 1 year ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Affected version:



I constantly have to login even though I choose "stay logged in." If I have multiple tabs open and the session expires they all show a basic auth login dialog which never works. I have to refresh the page to login again and if I do it doesn't work in the other tabs when I refresh them. I have to login yet again. Then once everything is logged in correctly, the session eventually is reset forcing me to login AGAIN. This usually happens after sleeping my laptop over night and getting back to work the next day. I never close the browser.

Recently, I have started using an android tablet, but the issue existed prior as well on one single browser on my laptop. It seems my autologin cookies are being cleared by redmine for whatever reason.

I have the autologin cookie set to expire after 365 days.

Database Version

MySQL 5.5.16

Ruby Version


Rails Versions


Redmine Version



CRM plugin RedmineCRM 2.2.3-light
Redmine Auto Identifier plugin Wade Womersley 0.0.1
Redmine Better Gantt Chart plugin Alexey Kuleshov 0.6.1
Redmine Issue Checklist plugin Kirill Bezrukov 1.0.2
Meetings plugin Arnaud Martel 0.1.1
Redmine Closed Date plugin Matheus Ashton Silva 0.0.1
Smart issues sort plugin Vitaly Klimov 0.2.4
Redmine Time Tracker plugin Jérémie Delaitre 0.4
Redmine Version Burndown Charts plugin Dai Fujihara 0.0.5
Stuff To Do Plugin Eric Davis 0.4.0
Timesheet Plugin Eric Davis of Little Stream Software 0.6.0

Actions #1

Updated by Jean-Philippe Lang about 12 years ago

Could you post the exact steps that should be followed to reproduce your issue?

Actions #2

Updated by Iurii Solovei over 10 years ago

I have the same problem.
Have any solution over the last year?

Actions #3

Updated by Iurii Solovei over 10 years ago

And now?

Actions #4

Updated by Martin von Wittich over 1 year ago

I've had the same issue, and was able to track it down to a peculiar behaviour in Firefox. We are hosting our Redmine instance on, and I noticed that when I enabled the "Stay logged in" checkbox, Firefox would immediately lose the `_redmine_session` cookie after login, and would only keep the `autologin` cookie. Losing the `_redmine_session` cookie caused Redmine's CSRF validation to break because it relies on the session data. Not checking the "Stay logged in" checkbox didn't cause this behaviour, and opening Redmine in an incognito window also circumvented the problem completely.

The reason for this strange Cookie-losing behaviour was that I had visited hundreds of different BigBlueButton subdomains of company.tld in the past few years, which each stored one session cookie per subdomain, which Firefox's session restore feature permanently stored as a part of my session. This had caused Firefox to accumulate ~180 cookies for company.tld in total, which is the per-domain limit. Firefox therefore decided to evict cookies, and for some reason it prefers to evict `Secure: false` cookies first instead of evicting the least recently used cookie. Redmine's `_redmine_session` is `Secure: false`, while the `autologin` cookie is `Secure: true`, and therefore the `_redmine_session` cookie bit the dust.

I've posted the whole story here:

TLDR: if you want to figure out if you're affected by the same issue, install the extension and search for your domain (e.g. company.tld if your Redmine is hosted on If there are several hundred subdomains listed, or a subdomain with several hundred cookies, clean that up to resolve the issue.


Also available in: Atom PDF