Login session on https://ahwoo.com/app/100000/kitten-space-agency does not persist across browser restarts

Maxi

Member
Oct 17, 2025

Intended Behaviour


I want to stay logged in to ahwoo.com/app/100000/kitten-space-agency across browser sessions, as one would expect with a 7-day idle timeout / 30-day max session duration as described here:


in a response to


What happened instead​


Every time I close and reopen my browser, I am logged out of the app and have to re-authenticate via my auth provider (Discord). This happens regardless of how recently I logged in. Even if I log in, close the browser, and immediately reopen it, the session is gone.

Meanwhile, I stay logged into https://forums.ahwoo.com indefinitely across browser restarts.

What I expected to happen​


I expected to remain logged in for at least 7 days (idle timeout) or until the 30-day max session expires, without needing to re-authenticate after every browser restart, such as described by @jsmkte.

So far the game has had version updates more frequently than the 7-day idle timeout and I always immediately download them, so I should have stayed logged in the entire time.

Possible Root Cause​


I investigated the cookies set by Keycloak (the authentication provider at auth.ahwoo.com) and found that two cookies are set as session cookies with no Expires or Max-Age attribute:

| Cookie | Expires | HttpOnly |
| --- | --- | --- |
| AUTH_SESSION_ID | Session | true |
| KEYCLOAK_IDENTITY | Session | true |
| KEYCLOAK_SESSION | Fri, 08 May 2026 (30 days) | false |
| KC_AUTH_SESSION_HASH | Same day (hours) | false |

Session cookies are deleted by the browser when it is closed. This means no matter how long the server-side session remains valid, the browser loses the credentials needed to resume it on the next launch.

Only KEYCLOAK_SESSION has a persistent expiry (30 days), but without AUTH_SESSION_ID and KEYCLOAK_IDENTITY, it is insufficient to restore the session.

For comparison, the forums seem to not have these cookies at all and use XenForo with a persistent xf_user cookie (expires Feb 2027) instead, which is why forum logins survive browser restarts.

I have experienced the issue in my own Keycloak deployments and therefore believe that this is the likely root cause.

Suggested fix​


Enable the "Remember Me" feature in the Keycloak realm configuration. When enabled, Keycloak sets persistent cookies with an explicit Max-Age/Expires instead of session cookies. This would allow the browser-side cookies to match the intended server-side session lifetime (7-day idle / 30-day max).

Browser and OS​


  • Firefox 137 on Windows 10 Pro (22H2) with both "Standard" and "Strict" Privacy / Enhanced Tracking Protection settings
  • Google Chrome (latest) on Windows 10 Pro (22H2)

The issue occurs in both browsers.

Steps to reproduce​


  1. Go to ahwoo.com/app/100000/kitten-space-agency
  2. Log in via Discord
  3. Close the browser completely (not just the tab)
  4. Reopen the browser and navigate to ahwoo.com/app/100000/kitten-space-agency
  5. Observe that you are logged out; browser console shows "No valid Keycloak session found"
 
Upvote 2
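Added example, not part of the original post and not ahwoo's or Keycloak's own code: a small check that classifies `Set-Cookie` headers as session or persistent, the distinction the cookie table above rests on. The header values, the `/realms/EXAMPLE/` path, the times and the use of `Max-Age` on `KC_AUTH_SESSION_HASH` are constructed; only the cookie names and lifetimes come from the post.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers modelled on the cookie table in the post.
SAMPLE_HEADERS = [
    "AUTH_SESSION_ID=constructed-1; Path=/realms/EXAMPLE/; Secure; HttpOnly",
    "KEYCLOAK_IDENTITY=constructed-2; Path=/realms/EXAMPLE/; Secure; HttpOnly",
    "KEYCLOAK_SESSION=constructed-3; Expires=Fri, 08 May 2026 12:00:00 GMT; Secure",
    "KC_AUTH_SESSION_HASH=constructed-4; Max-Age=3600; Secure",
]
NOW = datetime(2026, 4, 8, 12, 0, tzinfo=timezone.utc)  # constructed "login time"

def parse_set_cookie(header):
    """Return (name, attrs) for one Set-Cookie value; attribute names lowercased."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return first.split("=", 1)[0], attrs

def lifetime(attrs, now):
    """How long the browser keeps the cookie; None means a session cookie."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        try:
            return timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            pass  # unparsable Max-Age is ignored, fall through to Expires
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) - now
        except (TypeError, ValueError):
            pass  # unparsable Expires is ignored as well
    return None

def lost_on_restart(headers, now):
    """Names of cookies the browser discards when it is closed."""
    lost = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if lifetime(attrs, now) is None:
            lost.append(name)
    return lost

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        name, attrs = parse_set_cookie(header)
        print(f"{name:22} {lifetime(attrs, NOW) or 'session (dropped on browser close)'}")
```

Running the same check against the response headers before and after a realm configuration change shows whether the two cookies named in the post have become persistent.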
This does seem to match my experience. Forums stay logged in forever, but I can open the game download three nights in a row on the same browser/computer and have to re-log each time.