Expired OIDC login button #4257

Closed
opened 2026-02-05 08:22:15 +03:00 by OVERLORD · 2 comments

Originally created by @thespad on GitHub (Oct 4, 2023).

Describe the Bug

If you leave a browser tab logged into Bookstack via OIDC and then close the browser and return later after the session has expired - say the next day - when the page loads it will display the login page, but following the login link will result in a 419 - Page Expired error.

Manually refreshing the login page before clicking the login button works as expected.

Steps to Reproduce

1. Log in to Bookstack via OIDC in a browser tab
2. Close browser
3. Reopen browser after login session has expired
4. Navigate to Bookstack tab
5. Click on OIDC Login button
6. See 419 error

Expected Behaviour

Login button should work even if the page itself is stale, or at least fail in a more recoverable way than a full-page 419 error.

Screenshots or Additional Context

No response

Browser Details

Firefox 118.0.1 x64 on Windows 10

Exact BookStack Version

v23.08.3

OVERLORD added the 🐛 Bug label 2026-02-05 08:22:15 +03:00

@ssddanbrown commented on GitHub (Oct 4, 2023):

Thanks for reporting @thespad.

We [prevent caching when authenticated](https://github.com/BookStackApp/BookStack/blob/b90033a73032da8657f1bd3ec3687aa4426d8cc1/app/Http/Middleware/PreventAuthenticatedResponseCaching.php) since it was a security concern in that context, but maybe we need to do the same for all users.

Just need to double check potential implications but think it should be fine outside of minor performance hits in some (fairly uncommon) scenarios.

@ssddanbrown commented on GitHub (Oct 23, 2023):

This has now been addressed via 7c4dc981cd, and will be part of the next feature release.

Thanks again @thespad for reporting.

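The 419 in this thread follows from the browser redisplaying a stored copy of the login page after the session it was rendered for has expired. As an added example (not BookStack's code and not the referenced commit), the Python sketch below classifies response headers by whether a browser may keep such a page; it assumes the page embeds a session-bound form token, and the function names and sample headers are constructed for illustration.

```python
"""Added example: classify cache headers on a guest-facing login page."""

def parse_cache_control(value):
    """Return {directive: argument-or-None} from a Cache-Control value."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives

def stale_form_risk(headers):
    """Classify how a browser may treat a page that embeds a session-bound token.

    'blocked'  - no-store: the page is not kept, so reopening the tab refetches it
    'stored'   - kept but marked for revalidation; history and session-restore
                 features may still redisplay the copy without asking the server
    'reusable' - may be served from cache outright
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return "blocked"
    must_check = (
        "no-cache" in cc
        or cc.get("max-age") == "0"
        # Pragma only matters when no Cache-Control header is present.
        or (not cc and h.get("pragma", "").lower() == "no-cache")
    )
    return "stored" if must_check else "reusable"

# Constructed sample responses (not captured from a BookStack instance).
SAMPLES = {
    "guest login page, revalidate only": {"Cache-Control": "no-cache, private"},
    "guest login page, no-store": {
        "Cache-Control": "max-age=0, no-store, private",
        "Pragma": "no-cache",
    },
    "no cache headers at all": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label}: {stale_form_risk(hdrs)}")
```

Only the `blocked` result rules out the stale-tab case, because freshness directives such as `no-cache` do not bind history mechanisms.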
Reference: starred/BookStack#4257