Support "Remember Me" functionality across multiple devices for a single user #2439

Open
opened 2026-02-05 04:08:18 +03:00 by OVERLORD · 19 comments

Originally created by @ljlapierre on GitHub (Oct 17, 2021).

Describe the bug
When 2FA was first enabled I turned it on, but it seems to have broken the Remember Me functionality. I use Bookstack to take notes on a fairly regular basis from my phone and desktop, and decided I'd sooner have automatic login over 2FA. I disabled 2FA on my account, but Remember Me does not work.

Steps To Reproduce
Steps to reproduce the behavior:

  1. Enable 2FA for your user
  2. Log in using Remember Me
  3. Disable 2FA for your user
  4. Log in using Remember Me

Expected behavior
My next bookstack session should have me automatically logged in

Your Configuration (please complete the following information):

  • Exact BookStack Version (Found in settings): 21.08.5
  • PHP Version: 7.4
  • Hosting Method (Nginx/Apache/Docker): Apache
OVERLORD added the 🔨 Feature Request label 2026-02-05 04:08:18 +03:00

@Bolthier commented on GitHub (Oct 18, 2021):

I have the same issue after updating without ever enabling 2FA.

I wasn't sure if it was a Firefox bug or an issue with an addon, so I didn't raise an issue. But after testing for several days with different browser profiles and versions it still logs me out after some time.

Feels like between a few hours or a day, not right after closing the site and reopening it. As if I didn't check the "remember me" box.

@ssddanbrown commented on GitHub (Oct 20, 2021):

Thanks both for reporting this one, but I'm having trouble replicating it at all. Have reduced my SESSION_LIFETIME to 1 minute then tested via normal use and via following the steps in the original request here.

If either of you could provide details of your cookies that would be ideal. Specifically, there should be a cookie with a name starting with remember_standard_. If you could provide all details possible as shown below. Don't provide the cookie value nor the domain if you don't want that public.

Screenshot from 2021-10-20 11-44-20

@Bolthier commented on GitHub (Oct 20, 2021):

Hi Dan, here's the cookie:

image

@ssddanbrown commented on GitHub (Oct 20, 2021):

Thanks @Bolthier. I'm assuming you're on a non-https site with a non-https APP_URL value set?

@Bolthier commented on GitHub (Oct 20, 2021):

It seems I never set the APP_URL attribute. I'm on an https host with redirection of http to https through apache. I'm using a subdomain for the bookstack environment.

I have now set the APP_URL to my bookstack URL. Will give feedback if this solved my issue.

@Bolthier commented on GitHub (Oct 21, 2021):

@ssddanbrown Seems like the issue still persists. After several hours I get logged out despite the cookie existing.

Any ideas what to look for on my side?

@ssddanbrown commented on GitHub (Oct 21, 2021):

@Bolthier You could try setting SESSION_LIFETIME=1 (So sessions only live for 1 minute by default) in your .env then let me know if you remain logged in, when using the "remember me" option, after 2 minutes of inactivity on the homepage.

@Bolthier commented on GitHub (Oct 21, 2021):

I tried that and it seems I have located the issue.

  1. I set the session lifetime to 1 minute.
  2. Logged into a session with "Remember me" checked
  3. Waited for more than 3 minutes
  4. Refreshed the page in session 1 and was still logged in
  5. Logged into a separate session with or without "Remember me" checked
  6. Waited for more than 3 minutes
  7. Refreshed page in session 1 and was logged out, session 2 is still logged in if "Remember me" was checked

I tested this with session 1 in Firefox and session 2 in private mode, mobile and nightly with the same result.

It seems to me that only one session can be remembered on the server side. I'm using Bookstack on both mobile and desktop.

@ljlapierre commented on GitHub (Oct 21, 2021):

I have yet to verify the cookie, but this behavior is consistent with what I'm seeing. I log in from my home machine, work machine, and from my phone quite frequently.

@ssddanbrown commented on GitHub (Oct 21, 2021):

> It seems to me that only one session can be remembered on the server side. I'm using Bookstack on both mobile and desktop.

Yeah, That's what I'd expect, Since the token is joined up with the user via a single DB column. This should have always been the case though, from the first version of BookStack so nothing new.

@ljlapierre commented on GitHub (Oct 21, 2021):

That's strange.. it always worked for me.

Getting out of bugfix territory and into feature request - could a table be created to link token keys to users instead of a single column?

I can create multiple "me" users as a workaround, one per device, but it's not the most elegant solution

@Bolthier commented on GitHub (Oct 21, 2021):

I'm pretty sure it was possible to stay logged in on both mobile and desktop before, but I could be wrong. Any chance to get this function implemented?

@ssddanbrown commented on GitHub (Oct 21, 2021):

> Getting out of bugfix territory and into feature request - could a table be created to link token keys to users instead of a single column?

Yeah, can definitely likely be done. Plan to update the framework soon, which remember-me functionality ties into, so maybe after then it could be added.

> Any chance to get this function implemented?

I'll update the title and mark this as a feature request.
Note: If it's just you (Or trusted set of users) using the system you could instead just increase the SESSION_LIFETIME .env option massively. Is defined in minutes, defaults to 120 (2 hours).

@ssddanbrown commented on GitHub (Oct 21, 2021):

Thinking a bit further, It does raise a question of invalidating other sessions if desired. It would massively increase the scope to actually track sessions and provide a listing with "revoke session" option (Since that would be desired outside of just "remember me" usage). Maybe it'd be a case of a manual logout (Via header option click) revoking all existing "remember me" sessions?

@Bolthier commented on GitHub (Oct 21, 2021):

> Maybe it'd be a case of a manual logout (Via header option click) revoking all existing "remember me" sessions?

Yeah, that would be the ideal solution. Maybe even give the user some info like browser and ip of all active sessions.

@ssddanbrown commented on GitHub (Oct 21, 2021):

Yeah, Ties into the request of #2828.

@ljlapierre commented on GitHub (Oct 21, 2021):

The features could be staged, start with a "toast all sessions" button for basic functionality that could be expanded upon easily enough

@Cave-Johnson commented on GitHub (Oct 26, 2021):

Adding my thought here from a security perspective, if you do go the route of allowing multiple devices to be logged in with the same account at the same time, it would be great to additionally provide an option to only allow a single active session as well.
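
Added example (not part of the thread, and not BookStack's or Laravel's code): a sketch of the per-device token table proposed above, with the "manual logout revokes all remembered sessions" behaviour and the optional single-active-session policy. The table name, column names and function names are assumptions made for illustration; SQLite stands in for the application database.

```python
import hashlib
import hmac
import secrets
import sqlite3

def open_store():
    """In-memory store: one row per remembered device, not one column per user."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE remember_tokens ("
        " selector TEXT PRIMARY KEY,"   # public lookup key sent in the cookie
        " user_id INTEGER NOT NULL,"
        " token_hash TEXT NOT NULL,"    # only a hash of the secret is stored
        " device TEXT NOT NULL)"
    )
    return db

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def revoke_all(db, user_id):
    """Manual logout: drop every remembered device; returns rows removed."""
    return db.execute(
        "DELETE FROM remember_tokens WHERE user_id = ?", (user_id,)
    ).rowcount

def issue(db, user_id, device, single_session=False):
    """Create a token for one device and return the cookie value."""
    if single_session:  # optional policy: a new login replaces all others
        revoke_all(db, user_id)
    selector, token = secrets.token_hex(8), secrets.token_urlsafe(32)
    db.execute(
        "INSERT INTO remember_tokens VALUES (?, ?, ?, ?)",
        (selector, user_id, _digest(token), device),
    )
    return f"{selector}:{token}"

def verify(db, cookie):
    """Return the user id for a valid cookie, else None."""
    selector, _, token = cookie.partition(":")
    row = db.execute(
        "SELECT user_id, token_hash FROM remember_tokens WHERE selector = ?",
        (selector,),
    ).fetchone()
    if row and hmac.compare_digest(row[1], _digest(token)):
        return row[0]
    return None
```

With `single_session=True` the store behaves like the single-column design described in the thread: the second device's login invalidates the first device's cookie.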

@wouterVE commented on GitHub (Nov 30, 2021):

I'm having the same behavior as @Bolthier describes. Logging in another device does invalidate my other Bookstack sessions after the bookstack_session cookie has expired. In the past (I think until the version of May?) I did not have this issue.

For now I've 'solved' it by increasing the value of SESSION_LIFETIME in the .env file.

Reference: starred/BookStack#2439