iOS logs out when bitwarden server becomes unreachable #235

Closed
opened 2025-11-07 08:32:07 -06:00 by GiteaMirror · 4 comments

Originally created by @blacs30 on GitHub (Jun 10, 2018).

On the latest iOS version (1.16.2 - 31) the account is logged out in these situations when the self-hosted Bitwarden server is unreachable:

  • iOS has internet (WiFi)
  • iOS has internet (mobile) and Bitwarden is allowed to use it

I don't know if that is a security mechanism or a bug - however it is not nice when this happens as I don't have access to the passwords until the bitwarden server is reachable again.

(The reasons for the server not being available are not a point for discussion here)


@kspearrin commented on GitHub (Jun 11, 2018):

You should only be logged out if the server returns a 401 or 403 status code from an API request.


@Livven commented on GitHub (Jun 11, 2018):

Tangentially related but any chance this could be changed so that you are never automatically logged out, at least requiring a prompt or something similar?

Problem with the current approach is that you cannot rely on a local app installation as a "backup". If something goes wrong on the server, causing data loss and 401 errors, then opening the app would essentially wipe even the locally cached data, and the user would lose all stored passwords.


@kspearrin commented on GitHub (Jun 11, 2018):

Oftentimes this is exactly the desired functionality. For example, an organization removes access for a user to their installation. Next time the application phones home to the server, they will get a 401 and their device will be wiped of any stored secrets.

Also, deauthorizing sessions, changing master password, etc. All of these cause this desired functionality.

If your server is not available, why is it returning 401/403 status codes? It should be a 404 or 500 I would imagine.


@blacs30 commented on GitHub (Jun 11, 2018):

Thanks for your answer. For me that information was already helpful. As I don't want that behaviour for my one-man show I've changed the nginx configuration in a way that I rewrite error codes, e.g.:

```
error_page 403 =404 /404.html;
location = /404.html {
    root /usr/share/nginx/html;
    internal;
}
```

Would be nice though to have a trigger in the app settings in iOS to enable or disable that behaviour in a way that organisations could control the setting via a profile so that they keep control and not the user of a business phone.
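
The scope of the rewrite discussed in this thread, as an added example that is not part of the original issue or of the Bitwarden project: `error_page` only replaces responses nginx generates itself unless `proxy_intercept_errors` is switched on, so a 401/403 issued by the backend still reaches the app. The host name, certificate paths, upstream name and backend address are placeholders.

```nginx
# Added example; every name, path and address marked "placeholder" is an assumption.
upstream bitwarden_backend {
    server 127.0.0.1:8080;                          # placeholder backend address
}

server {
    listen 443 ssl;
    server_name vault.example.invalid;              # placeholder host name
    ssl_certificate     /etc/nginx/tls/vault.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/vault.key;   # placeholder path

    # Rewrites only the 403 responses nginx produces on its own
    # (for example from access rules), as in the snippet above.
    error_page 403 =404 /404.html;

    location = /404.html {
        root /usr/share/nginx/html;
        internal;
    }

    location / {
        proxy_pass http://bitwarden_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # "off" is the default and is spelled out here on purpose.
        # With "on", the error_page line above would also replace a 403
        # returned by the backend, the app would see 404 instead, and the
        # logout described in the thread for 401/403 would not happen
        # for that response.
        proxy_intercept_errors off;

        # If the backend is down or times out, nginx answers 502 or 504
        # by itself; neither is in the 401/403 pair that logs the app out.
    }
}
```

After reloading nginx, stop the backend and request any API path through the proxy: the answer should be a 5xx code, not 401 or 403.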


Reference: github-starred/android#235