Chrome Browser OIDC Login Fails Due to Session oidc_state Loss

[jacac]

Describe the Bug

When logging in to BookStack using OpenID Connect (OIDC) in the Chrome browser, the login process fails and loops between BookStack and the OIDC provider. After a few loops the login succeeds.

Steps to Reproduce

• Configure BookStack with OIDC authentication.
• Open Bookstack.
• Observe the session state in the session store (Redis in my case)
• Click on the login button.
• Observe the oidc_state in the session.
• After a few seconds observer the oidc_state. It was missing for me.

Expected Behaviour

The OIDC login flow should complete successfully in Chrome without being interrupted by unrelated or failing resource requests. The oidc_state should be preserved until the authentication process is finalized.

Screenshots or Additional Context

The issue occurs because Chrome triggers additional requests (such as manifest.json, opensearch.xml, and even 404 requests like /dist/app.js.map (if DevTools are open) during the login flow. These requests interfere with the session handling of oidc_state. session()->flash() only preservers it for the next request.

BookStack/app/Access/Controllers/OidcController.php

Line 33 in cf84797

session()->flash('oidc_state', $loginDetails['state']);

causing it to be removed before the login completes The subsequent check during the callback fails in

BookStack/app/Access/Controllers/OidcController.php

Line 48 in cf84797

$this->showErrorNotification(trans('errors.oidc_fail_authed', ['system' => config('oidc.name')]));

Browser Details

Chrome Version 142.0.7444.176

Exact BookStack Version

v25.07.3

[ssddanbrown]

Thanks for reporting @jacac.
I've been trying to assist someone with very similar issues, which have been hard to re-produce, so thanks for digging into this to find the cause as it's helped considerably.

At a glance, and based on timing, it's probably only arising now due to this change:
fcef1a7

Since before this would not have been part of the session.
I'll mark this as a priority, with an aim to confirm, cover with testing, and patch into a new release tomorrow.

[jacac]

Maybe I should also mentioned that I blocked request on my proxy to opensearch.xml with a 404 return.

Steps/Experience:

1. After logging out, refreshing the page multiple times could restore a previous login session.
2. After logging in and navigating through several pages, the session could unexpectedly end (user logged out again).

Workaround:
I blocked requests to opensearch.xml at the proxy level (returning 404). This prevented the session from resetting to a prior state and stabilized login/logout behavior.

Notes:
I could not reproduce this on Firefox.

[hwangsvb]

Experiencing the same issue here. Tested on edge, chrome, and firefox, likely a chromium issue as it does not occur on firefox.

Issue started happening after updating from 25.07.2 to 25.07.3. An old clone of the instance running 25.07 is not having issues.

[ssddanbrown]

Unfortunately I have not been able to replicate this on either chrome or chromium (on OpenSuse) so wonder if other factors are in play. I can see that there are frequent manifest requests in these browsers, and opensearch requests are performed with cookies (and therefore would use sessions).

Regardless, the scenario can still be manually replicated so I'll look to change the flow to instead not depend on the next response being the callback (via session flashing) but instead be more persistent yet time limited.
I'll also maybe add a little bit of caching via headers to the manifest responses just to prevent chromium browsers adding extra load via redundant repeated calls.

[ssddanbrown]

This has now been addressed by the changes in adfac3e, and these will be part of the next patch release which I'll put out within the next hour or so.

Thanks again for reporting and providing input @jacac @hwangsvb.
Please let me know though if you continue to experience any issues after the update and this can be re-opened.

[hwangsvb]

updated to 25.11.5 and issue is still happening

for a bit more context:
bookstack is running in docker on ubuntu 24.04.3 LTS
using nginx as reverse proxy