Gitea web session cookie only live for one browser session
Description
I notice I need to sign in to Gitea (via an external identity provider) every time I open my browser and then the Gitea web UI, which can be quite annoying. I looked at the session section of our instance config:
[session]
#PROVIDER_CONFIG = /data/gitea/sessions
PROVIDER = db
COOKIE_SECURE = true
GC_INTERVAL_TIME = 3600
SESSION_LIFE_TIME = 86400
Nothing wrong there. Checked backend logs: only router output, no errors. Restarted Gitea, still the same.
In the console I see the session cookie has no Max-Age. That means it is deleted once I close the browser, while the CSRF cookie is kept. Is this by design? Or am I simply going wrong somewhere? According to https://docs.gitea.com/next/administration/config-cheat-sheet?#session-session, to my understanding, SESSION_LIFE_TIME should set the Max-Age of i_like_gitea.
Gitea Version
e663c4a7f0
Can you reproduce the bug on the Gitea demo site?
Yes
Log Gist
No response
Screenshots
Git Version
No response
Operating System
No response
How are you running Gitea?
Docker compose
Database
PostgreSQL
I confirm that an external OAuth2 provider never gave any satisfactory session keeping for our users either...
This issue happens with password sign in too. (without ticking "remember me")
I may have found the root cause. It's originated from go-chi/session, using unset variable CookieLifeTime (https://gitea.com/go-chi/session/search?q=CookieLifeTime) to set Max-Age for i_like_gitea. https://gitea.com/go-chi/session/src/commit/16768d98ec9667722b876d4bed11017ce16d4572/session.go#L92
cc @lunny. Let CookieLifeTime = Maxlifetime?
Does anybody have an update about this? I configured a new Gitea instance in a Kubernetes cluster and observed exactly this. I tried to set multiple values like "SESSION_LIFE_TIME", but the Gitea cookie always dies with the browser session. I don't remember this behavior on our long-living Docker instance, so I thought it was a Kubernetes issue. But after reading this issue, I think it could be a Gitea problem!?
I'm also facing the same problem on gitea v1.23.7 with authentik v2025.4.0.
The session cookie has a lifetime of browser session.
FWIW, make sure that your browser is not set to delete cookies and site data when closing. LibreWolf has this turned on by default.
I've spent some time debugging a user issue related to this area and now my (possibly incomplete!) understanding is that the following code assumes that a session cookie should be more persistent, i.e. we don't expect a user that comes back with a COOKIE_REMEMBER_NAME (aka gitea_incredible) to be lacking the session cookie (aka i_like_gitea):
https://github.com/go-gitea/gitea/blob/1e777f92c79d4a5c96aa0183b0bdd62bf6150b80/services/auth/auth_token.go#L58-L60
If this is indeed the assumption, I would say that the Sessioner middleware should be explicitly configured with a non-zero CookieLifeTime.
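The mechanism described in the two comments above (Max-Age taken from an unset CookieLifeTime, and the proposed fallback to Maxlifetime), as an added Go example that is not go-chi/session's or Gitea's own code; the Options struct and function names are hypothetical, and the session id is constructed:

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Options mirrors the two settings discussed in the thread.
// Hypothetical names: a sketch of the go-chi/session logic, not its code.
type Options struct {
	CookieName     string
	CookieLifeTime int   // seconds written into the cookie's Max-Age
	Maxlifetime    int64 // server-side session TTL (Gitea's SESSION_LIFE_TIME)
	Secure         bool
}

// sessionCookie builds the cookie the way the issue describes: Max-Age comes
// from CookieLifeTime, so an unset (zero) value yields a browser-session cookie.
func sessionCookie(opt Options, sid string) *http.Cookie {
	return &http.Cookie{
		Name:     opt.CookieName,
		Value:    sid,
		Path:     "/",
		HttpOnly: true,
		Secure:   opt.Secure,
		MaxAge:   opt.CookieLifeTime, // 0 => net/http emits no Max-Age attribute
	}
}

// withDefaultLifetime applies the fix proposed in the thread: when
// CookieLifeTime is unset, fall back to Maxlifetime so the cookie lives
// as long as the server-side session does.
func withDefaultLifetime(opt Options) Options {
	if opt.CookieLifeTime == 0 && opt.Maxlifetime > 0 {
		opt.CookieLifeTime = int(opt.Maxlifetime)
	}
	return opt
}

// hasMaxAge reports whether the serialized Set-Cookie value carries Max-Age.
func hasMaxAge(c *http.Cookie) bool {
	return strings.Contains(c.String(), "Max-Age=")
}

func main() {
	opt := Options{CookieName: "i_like_gitea", Maxlifetime: 86400, Secure: true}
	before := sessionCookie(opt, "constructed-session-id")
	after := sessionCookie(withDefaultLifetime(opt), "constructed-session-id")
	fmt.Println("unset CookieLifeTime:", before.String(), "persistent:", hasMaxAge(before))
	fmt.Println("defaulted:           ", after.String(), "persistent:", hasMaxAge(after))
}
```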