Defect #42969
closed
Autologin not working: token created and cookie set, but session not restored (Redmine 6.0.5)
0%
Description
Description¶
In Redmine 6.0.5, the "Keep me logged in" feature (autologin) does not work as expected.
When a user logs in with the "Keep me logged in" checkbox checked:
- The autologin token is created and stored in the database
- The browser receives a valid
autologincookie with expiration - But Redmine does not restore the session, and redirects back to the login page
This has been confirmed by multiple users in the same environment.
Steps to reproduce¶
- Go to the Redmine login page
- Check the box "Keep me logged in"
- Submit the login form with valid credentials
- Observe that you are returned again to the login screen (or redirected to
/login) - Use developer tools to verify that the browser received an
autologincookie - The user is not authenticated despite the cookie being present
Expected behavior¶
- Redmine should restore the session automatically using the
autologincookie - The user should be redirected to the home page (or last visited page)
Actual behavior¶
- Redmine creates and sets the
autologincookie - But the user is immediately redirected to
/login - The token is not used to restore session
- The cookie remains stored in the browser
- No errors appear in the browser or server logs
Environment¶
- Redmine version: 6.0.5
- Ruby version: 3.2.3 (installed in /opt/rubies/3.2.3)
- Rails version: 7.2.2.1
- Passenger version: 6.0.17
- Apache version: 2.4.58
- MySQL version: 8.0.42
- OS: Ubuntu 22.04.4 LTS
- Installed from source: Yes
- Plugins: none
Configuration¶
config/configuration.yml:
production: autologin_cookie_name: autologin autologin_cookie_path: / autologin_cookie_secure: true
- Autologin setting in UI: 365 days
Evidence¶
Cookie set after login:
Set-Cookie: autologin=8305c80999460c0bf0ba495953f0ae114940477c; path=/; expires=Sat, 04 Jul 2026 08:53:34 GMT; httponly; samesite=lax
Token confirmed in database:
Token.where(user_id: u.id, action: 'autologin').pluck(:value, :created_on) => [["8305c80999460c0bf0ba495953f0ae114940477c", Fri, 04 Jul 2025 08:53:34 UTC]]
Browser keeps the cookie after login, but session is not restored on return.
Let me know if further details or testing help is needed.
Files
Updated by Holger Just about 2 months ago
- Status changed from New to Needs feedback
Some browsers do not accept and/or send all previous cookies with all requests as a measure to reduce possibilities for tracking. Sometimes, this appears to be related to "user activity" on the page which sets the cookie or may be influenced by ad-blocker plugins.
Could you check in your browser tools if your browser does send the autologin cookie for the requests you would expect to cause an automatic login?
Also, could you please clarify how exactly you are triggering the auto login behavior? Generally, Redmine sessions are stored in a session cookie which is deleted by your browser when closing it. If the persisted autologin cookie is present, Redmine can create a new session for you when you visit Redmine with a fresh browser. This automatic login may however not work if you have a current session cookie but the connected session which is expired (due to either inactivity or due to the maximum session lifetime as configured by an admin).
Updated by Pedro Calvo Morcillo about 2 months ago
Hi Holger,
Thanks for your prompt reply.
After deeper analysis, I believe the problem is not in Redmine itself but likely in the browser/client behavior. Here’s a summary of the debugging steps performed:
Server-side behavior¶
- The
autologincookie is correctly generated and stored in the database (Tokenmodel), with appropriate expiration andsecure/httponlyflags. curlrequests using the validautologintoken returnHTTP 200 OKand the correct homepage content:
curl -I -L -k https://udlinux01.uria.com/ --cookie "autologin=<valid_token>"
→ Session is restored successfully from the server's point of view.
⚠ Browser-side behavior¶
- Despite the
autologincookie being present and valid in Chrome and Edge (tested on multiple profiles and in Incognito mode), Redmine redirects back to/loginwith no error shown. - No
SecureorSameSiterestrictions appear to block the cookie. - The server certificate is fully trusted and marked as valid.
- We’ve tested on different machines and cleaned all cookies, but the issue persists.
Environment context¶
- This instance was migrated from a previous Redmine setup that used HTTP, while the new one uses HTTPS with HSTS.
- We suspect Chrome may be enforcing additional rules due to this protocol change and legacy cookies from the old HTTP setup.
Conclusion¶
Everything suggests that Redmine’s autologin mechanism is working as expected.
The issue seems to be caused by browser behavior (possibly stale session state or interaction with HSTS/SameSite policies), not by a bug in Redmine itself.
Let me know if there are any additional debug flags or logs you’d like me to check.
Thanks again,
Pedro
Updated by Anton Em about 1 month ago
I seem to be experiencing the exact same issue on two separate Debian 12 VMs - one sandbox and one production environment (both running Redmine in production mode). The problem started after upgrading Redmine from version 4.x to 6.0.6 and is consistently reproducible across Chrome, Edge, and Firefox on different machines and networks.
Environment: Redmine version 6.0.6.stable Ruby version 3.1.2-p20 (2022-04-12) [x86_64-linux-gnu] Rails version 7.2.2.1 Environment production Database adapter Mysql2 Mailer queue ActiveJob::QueueAdapters::AsyncAdapter Mailer delivery smtp Redmine settings: Redmine theme Default SCM: Git 2.39.5 Filesystem Redmine plugins: easy_baseline 3.0 easy_gantt 3.0 easy_gantt_pro 3.0 redmine_ckeditor 1.2.7 remove_menu_items 0.0.1
@Petro: Have you found a solution?
Updated by Anton Em about 1 month ago
For testing purpose I set up a fresh Debian 12 VM from scratch with a vanilla redmine 6.0.6 and got the same issue there. It seems to me there is a defect?
Environment: Redmine version 6.0.6.stable Ruby version 3.1.2-p20 (2022-04-12) [x86_64-linux-gnu] Rails version 7.2.2.1 Environment production Database adapter Mysql2 Mailer queue ActiveJob::QueueAdapters::AsyncAdapter Mailer delivery smtp Redmine settings: Redmine theme Default SCM: Git 2.39.5 Filesystem Redmine plugins: no plugin installed
Updated by Marius BĂLTEANU about 1 month ago
Do you have any proxy server in front of the Redmine webserver which I suppose to be Puma?
Updated by Anton Em about 1 month ago
Firewall yes (open for http+s, ssh), no proxy.
Updated by Anton Em about 1 month ago
- File 2025-07-24 20_21_50-Shell Handwriting Canvas.png 2025-07-24 20_21_50-Shell Handwriting Canvas.png added
Hm I'm absolutly no expert so maybe this is rubbish, but upon checking the cookies to compare them to Pedros I stumbled accross strange cooking name - cmp. screenshot.
If I reload the browser, nothing happens.
If I manually change the cooking name to "autologin" by removing the [" and reload afterwords, I'm logged in!
Updated by Marius BĂLTEANU about 1 month ago
Can you look in config/configuration.yml after section:
# Configuration of the autologin cookie. # autologin_cookie_name: the name of the cookie (default: autologin) # autologin_cookie_path: the cookie path (default: /) # autologin_cookie_secure: true sets the cookie secure flag (default: false) autologin_cookie_name: autologin_cookie_path: autologin_cookie_secure:
and tell us how it looks in your case? Please double check in the configuration file to not have multiple autologin_cookie_name keys. Also, ensure that you don't post confidential data here from your configuration file.
Updated by Anton Em about 1 month ago
standard configuration.yml - removed comments:
default: email_delivery: attachments_storage_path: autologin_cookie_name: autologin autologin_cookie_path: / autologin_cookie_secure: true scm_subversion_command: scm_mercurial_command: scm_git_command: scm_cvs_command: scm_bazaar_command: scm_subversion_path_regexp: scm_mercurial_path_regexp: scm_git_path_regexp: scm_cvs_path_regexp: scm_bazaar_path_regexp: scm_filesystem_path_regexp: scm_stderr_log_file: database_cipher_key: minimagick_font_path: production: development:
Updated by Pedro Calvo Morcillo about 1 month ago
Hi all,
We have just confirmed the root cause: Redmine is sending the autologin cookie inside a JSON array, which makes it unusable by browsers.
Evidence¶
In the response headers, the Set-Cookie field is malformed:
Set-Cookie: ["autologin=824042b9bab3e9c4409787f1d8ab77c06e02b99e; path=/; expires=Tue, 28 Jul 2026 08:28:43 GMT; secure; httponly; samesite=lax"]
Expected behavior (correct format):
Set-Cookie: autologin=824042b9bab3e9c4409787f1d8ab77c06e02b99e; path=/; expires=Tue, 28 Jul 2026 08:28:43 GMT; secure; httponly; samesite=lax
This small difference causes the browser to ignore the autologin cookie entirely. However, the session token is successfully created in the database (confirmed via Rails console):
Token.where(user_id: u.id, action: 'autologin').pluck(:value, :created_on)
Manually editing the cookie name to remove the surrounding brackets (as Anton described) confirms the problem and proves that the mechanism would work if the cookie were delivered properly.
Summary¶
This is not a client issue. It is a bug in the Redmine code that generates the Set-Cookie header for autologin.
Let us know if further testing is needed.
Updated by Marius BĂLTEANU about 1 month ago
Thanks for the new findings, I will take a look. My assumption is that Rails changed the default value of cookies_serializer in Rails 7.
Can you do a test with the following line in config/additional_environment.rb:
Rails.application.config.action_dispatch.cookies_serializer = :marshal
Updated by Anton Em about 1 month ago
Marius BĂLTEANU wrote in #note-11:
Can you do a test with the following line in
config/additional_environment.rb:
[...]
Just tried... it didn't make any difference in my setup.
Updated by Kenta Kumojima about 1 month ago
I encountered the same problem.
Environment
Redmine version: 6.0.5
Ruby version: 3.2.3 (installed in /opt/rubies/3.2.3)
Rails version: 7.2.2.1
Passenger version: 6.0.17
It turned out to be a problem caused by the combination of Rails7 (rack 3) and an old version of Passenger.
I solved it by upgrading Passenger.
https://github.com/phusion/passenger/issues/2503
https://github.com/phusion/passenger/blob/stable-6.1/CHANGELOG#L190
Updated by Anton Em about 1 month ago
Yes, that worked! I updated Passenger to version 6.0.27 and the problem disappeared!
Thanks, Kenta!
Updated by Marius BĂLTEANU about 1 month ago
Pedro Calvo Morcillo, can you confirm the fix on your side as well, please?
Updated by 
Updated by Holger Just 25 days ago
- Status changed from Needs feedback to Closed
- Resolution set to Fixed
Thank you for your feedback. Updating Passenger seems to resolve this issue.