Defect #42969

open

Autologin not working: token created and cookie set, but session not restored (Redmine 6.0.5)

Added by Pedro Calvo Morcillo about 4 hours ago.

Status: New
Priority: Normal
Assignee: -
Category: Accounts / authentication
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution:
Affected version:

Description

In Redmine 6.0.5, the "Keep me logged in" feature (autologin) does not work as expected.

When a user logs in with the "Keep me logged in" checkbox checked:

  • The autologin token is created and stored in the database
  • The browser receives a valid autologin cookie with expiration
  • But Redmine does not restore the session, and redirects back to the login page

This has been confirmed by multiple users in the same environment.


Steps to reproduce

  1. Go to the Redmine login page
  2. Check the box "Keep me logged in"
  3. Submit the login form with valid credentials
  4. Observe that you are returned again to the login screen (or redirected to /login)
  5. Use developer tools to verify that the browser received an autologin cookie
  6. The user is not authenticated despite the cookie being present

Expected behavior

  • Redmine should restore the session automatically using the autologin cookie
  • The user should be redirected to the home page (or last visited page)

Actual behavior

  • Redmine creates and sets the autologin cookie
  • But the user is immediately redirected to /login
  • The token is not used to restore the session
  • The cookie remains stored in the browser
  • No errors appear in the browser or server logs

Environment

  • Redmine version: 6.0.5
  • Ruby version: 3.2.3 (installed in /opt/rubies/3.2.3)
  • Rails version: 7.2.2.1
  • Passenger version: 6.0.17
  • Apache version: 2.4.58
  • MySQL version: 8.0.42
  • OS: Ubuntu 22.04.4 LTS
  • Installed from source: Yes
  • Plugins: none

Configuration

  • config/configuration.yml:
production:
  autologin_cookie_name: autologin
  autologin_cookie_path: /
  autologin_cookie_secure: true
  • Autologin setting in UI: 365 days

Evidence

Cookie set after login:

Set-Cookie: autologin=8305c80999460c0bf0ba495953f0ae114940477c; path=/; expires=Sat, 04 Jul 2026 08:53:34 GMT; httponly; samesite=lax

Token confirmed in database:

Token.where(user_id: u.id, action: 'autologin').pluck(:value, :created_on)
=> [["8305c80999460c0bf0ba495953f0ae114940477c", Fri, 04 Jul 2025 08:53:34 UTC]]

The browser keeps the cookie after login, but the session is not restored on return.


Let me know if further details or testing help is needed.
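
An added example, not part of the original report and not Redmine's own code: a Ruby check that compares a captured Set-Cookie header against the autologin_cookie_* settings, run here on the header and configuration quoted in the report. The helper names parse_set_cookie and autologin_cookie_mismatches are hypothetical.

```ruby
# Added diagnostic example; not Redmine code. Helper names are hypothetical.

# Parse one Set-Cookie header into its name, value and a lowercase attribute map.
def parse_set_cookie(header)
  line = header.sub(/\Aset-cookie:\s*/i, '')
  pair, *attrs = line.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  parsed = { 'name' => name, 'value' => value, 'attrs' => {} }
  attrs.each do |attr|
    next if attr.empty?
    key, val = attr.split('=', 2)
    # Flag attributes such as HttpOnly and Secure carry no value.
    parsed['attrs'][key.downcase] = val.nil? ? true : val
  end
  parsed
end

# Return one message per difference between the cookie and the configured settings.
def autologin_cookie_mismatches(header, config)
  cookie = parse_set_cookie(header)
  attrs = cookie['attrs']
  problems = []
  unless cookie['name'] == config['autologin_cookie_name']
    problems << "name: sent #{cookie['name'].inspect}, " \
                "configured #{config['autologin_cookie_name'].inspect}"
  end
  unless attrs['path'] == config['autologin_cookie_path']
    problems << "path: sent #{attrs['path'].inspect}, " \
                "configured #{config['autologin_cookie_path'].inspect}"
  end
  secure_sent = attrs.key?('secure')
  unless secure_sent == (config['autologin_cookie_secure'] == true)
    problems << "secure: #{secure_sent ? 'sent' : 'not sent'}, " \
                "configured #{config['autologin_cookie_secure'].inspect}"
  end
  problems
end

# Values copied from the report above.
REPORTED_HEADER = 'Set-Cookie: autologin=8305c80999460c0bf0ba495953f0ae114940477c; ' \
                  'path=/; expires=Sat, 04 Jul 2026 08:53:34 GMT; httponly; samesite=lax'
REPORTED_CONFIG = {
  'autologin_cookie_name' => 'autologin',
  'autologin_cookie_path' => '/',
  'autologin_cookie_secure' => true
}.freeze

puts autologin_cookie_mismatches(REPORTED_HEADER, REPORTED_CONFIG)
```

On the reported values the check lists one difference: the header carries no secure attribute while the configuration sets autologin_cookie_secure to true.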
