Refreshing browser on webvault locks vault #738

Closed
opened 2026-02-04 22:23:29 +03:00 by OVERLORD · 2 comments

Originally created by @renannprado on GitHub (Jul 4, 2020).

Subject of the issue

bitwarden_rs is requesting that the vault be unlocked after a refresh even though it's set to lock after 15 min.

Your environment

  • Bitwarden_rs version: 1.15.1
  • Install method: Deployed to Kubernetes
  • Clients used: Firefox
  • Reverse proxy and version: Kubernetes Nginx Ingress
  • Version of mysql/postgresql: N/A

Steps to reproduce

Log in to the web vault, check that your Vault Timeout is set to 15 min, then refresh the browser. After the refresh, you'll be asked to unlock the vault again even though 15 min haven't passed.

Expected behaviour

As long as the Vault Timeout hasn't been reached, the web vault should be kept unlocked, regardless of page refresh.

Actual behaviour

After refreshing the browser, the webvault locks, ignoring the Vault Timeout you have set.

Relevant logs

N/A


@dani-garcia commented on GitHub (Jul 5, 2020):

This is how it works in the official vault, I assume to avoid having to store the master password in cookies or in the browser's local storage. We try to keep the web vault's code as close as possible to the upstream version, with only minimal patches, so if you want this feature to be different, you might try checking the official community for an open thread, or you can create one yourself: https://community.bitwarden.com/.

That said, checking at the available options which are something like:

  • 1 minute
  • 2 minutes
  • ...
  • When refreshing the page

It does seem to imply that all but the last option only lock when the time limit is reached; I guess the last option should probably be named "Only when refreshing the page" instead.


@wirwolf commented on GitHub (Dec 13, 2023):

@dani-garcia you can store the access token together with the refresh token and expiry time. And when the user refreshes the page, the frontend requests the server to validate the session (IP, user agent, fingerprint, other params).

You can also add an option in the user profile for not saving token locally.

This case very much decreases usability.

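The two comments above describe two different things that both end in a locked vault: the Vault Timeout policy (minutes, or the "when refreshing the page" option) and the fact that the decrypted vault key lives only in page memory, so a reload drops it whatever the policy says. The following added example models that distinction; it is not Bitwarden or vaultwarden code, and the option spelling, the `keyPersisted` flag (standing in for the token-persistence idea in the last comment) and the `decideLock` function are all assumptions made for illustration.

```javascript
// Added illustration of the Vault Timeout semantics discussed in this thread.
// Not Bitwarden or vaultwarden code; option names and function names are assumed.

const MINUTE_MS = 60 * 1000;

// Timeout options as listed in the comment: "N minutes" or the special
// refresh option (assumed to be spelled "onRefresh" here).
function parseTimeoutOption(option) {
  if (option === 'onRefresh') return { kind: 'onRefresh' };
  const m = /^(\d+)\s+minutes?$/.exec(option);
  if (!m) throw new Error(`unknown Vault Timeout option: ${option}`);
  return { kind: 'minutes', minutes: Number(m[1]) };
}

// Decide whether the vault must be locked.
//   option       - configured Vault Timeout option
//   unlockedAt   - ms timestamp of the last unlock
//   now          - current ms timestamp
//   pageReloaded - true if the page was just refreshed
//   keyPersisted - false models today's design: the decrypted vault key is
//                  only in memory, so a reload always loses it and the vault
//                  locks regardless of the policy. true models a design that
//                  keeps the unlocked state across reloads (the proposal in
//                  the last comment), where only the policy decides.
function decideLock({ option, unlockedAt, now, pageReloaded, keyPersisted }) {
  const policy = parseTimeoutOption(option);
  if (pageReloaded && !keyPersisted) {
    return { lock: true, reason: 'vault key lost on reload' };
  }
  if (policy.kind === 'onRefresh') {
    return pageReloaded
      ? { lock: true, reason: 'policy locks on refresh' }
      : { lock: false, reason: 'no refresh, no timeout configured' };
  }
  const elapsed = now - unlockedAt;
  if (elapsed >= policy.minutes * MINUTE_MS) {
    return { lock: true, reason: 'timeout reached' };
  }
  return { lock: false, reason: 'within timeout' };
}

// Constructed scenario from the bug report: 15-minute timeout, refresh after 5 minutes.
const report = decideLock({
  option: '15 minutes', unlockedAt: 0, now: 5 * MINUTE_MS,
  pageReloaded: true, keyPersisted: false,
});
console.log(report); // locks, because the in-memory key did not survive the reload
```

Running the scenario with `keyPersisted: true` returns `lock: false`, which is the behaviour the reporter expected; the trade-off the first comment points at is that keeping the unlocked state across reloads means the key (or something that can recreate it) has to live outside page memory.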
Reference: starred/vaultwarden#738