github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-07 03:18:23 -05:00
Code Issues 1.3k Packages Projects Releases 126 Wiki Activity

[GH-ISSUE #7329] Possible to keep users logged in on update? #14704

New Issue
Closed
opened 2026-04-19 21:00:10 -05:00 by GiteaMirror · 1 comment
GiteaMirror commented 2026-04-19 21:00:10 -05:00
Owner
Copy Link

Originally created by @tkafka on GitHub (Nov 25, 2024).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/7329

Feature Request

Is your feature request related to a problem? Please describe.
Right now, whenever I update the open-webui docker, all logins are invalidated, so everyone has to log in again, which is uncomfortable, plus (without knowing the user has been signed out on a server) it usually takes a failed (lost) conversation message before the client realizes it's not signed in.

Thanks for looking into this!

Update commands:

docker compose -f docker-compose.yml -f docker-compose.searxng.yml up -d --pull always
docker compose restart traefik

Describe the solution you'd like
I would like the docker update to preserve the logged-in users.

Describe alternatives you've considered
Is there some folder which stores user sessions, that could be mapped into a persistent volume to survive the update?

Additional context
My docker-compose.yml:

services:
  traefik:
    image: traefik:v3.1
    environment:
      - TZ=Europe/Prague
    command:
      - "--providers.docker=true"
      # enable the dynamic file
      - "--providers.file=true"
      - "--providers.file.directory=/etc/traefik/dynamic_conf"
      - "--providers.file.watch=true"
      # we need to expose the :80 port for the challenge
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # skip verification of the backend server's certificate - necessary for self-signed certs
      - "--serversTransport.insecureSkipVerify=true"
      # acme
      - "--certificatesresolvers.acmeresolver.acme.email=myemail@xample.com"
      - "--certificatesresolvers.acmeresolver.acme.storage=/letsencrypt/acme.json"
      # used during the challenge
      - "--certificatesresolvers.acmeresolver.acme.httpchallenge.entrypoint=web"
    ports:
      - "80:80"
      - "443:443"
      # The Web UI (enabled by --api.insecure=true)
      # - "8080:8080"
    restart: unless-stopped
    networks:
      - open-webui-network
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
      # Sync timezones
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      # letsencrypt
      - "~/letsencrypt:/letsencrypt"
      # dynamic config
      - "~/dockers/traefik_dynamic:/etc/traefik/dynamic_conf"

  open-webui:
    image: ghcr.io/open-webui/open-webui:main
    environment:
      - OPENAI_API_KEY=<KEY>
      - PORT=4001
      - WEBUI_URL=https://open-webui.example.com
    depends_on:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.open-webui.rule=Host(`open-webui.example.com`)"
      - "traefik.http.routers.open-webui.entrypoints=websecure"
      - "traefik.http.routers.open-webui.tls=true"
      - "traefik.http.routers.open-webui.tls.certresolver=acmeresolver"
      - "traefik.http.services.open-webui.loadbalancer.server.port=4001"
    ports:
      - "4001:4001"
    volumes:
      - ~/open-webui:/app/backend/data
    networks:
      - open-webui-network
    restart: unless-stopped

  litellm:
    image: ghcr.io/berriai/litellm:main-latest
    environment:
      - LITELLM_MASTER_KEY=<LITELLMKEY>
    volumes:
      - ~/litellm:/config
    command: --config /config/config.yaml --port 4000
    ports:
      - "4000:4000"
    networks:
      - open-webui-network
    restart: unless-stopped

# volumes:
#  open-webui:

networks:
  open-webui-network:
    driver: bridge
Originally created by @tkafka on GitHub (Nov 25, 2024). Original GitHub issue: https://github.com/open-webui/open-webui/issues/7329 # Feature Request **Is your feature request related to a problem? Please describe.** Right now, whenever I update the open-webui docker, all logins are invalidated, so everyone has to log in again, which is uncomfortable, plus (without knowing the user has been signed out on a server) it usually takes a failed (lost) conversation message before the client realizes it's not signed in. Thanks for looking into this! Update commands: > docker compose -f docker-compose.yml -f docker-compose.searxng.yml up -d --pull always > docker compose restart traefik **Describe the solution you'd like** I would like the docker update to preserve the logged-in users. **Describe alternatives you've considered** Is there some folder which stores user sessions, that could be mapped into a persistent volume to survive the update? **Additional context** My `docker-compose.yml`: ```docker services: traefik: image: traefik:v3.1 environment: - TZ=Europe/Prague command: - "--providers.docker=true" # enable the dynamic file - "--providers.file=true" - "--providers.file.directory=/etc/traefik/dynamic_conf" - "--providers.file.watch=true" # we need to expose the :80 port for the challenge - "--entrypoints.web.address=:80" - "--entrypoints.websecure.address=:443" # skip verification of the backend server's certificate - necessary for self-signed certs - "--serversTransport.insecureSkipVerify=true" # acme - "--certificatesresolvers.acmeresolver.acme.email=myemail@xample.com" - "--certificatesresolvers.acmeresolver.acme.storage=/letsencrypt/acme.json" # used during the challenge - "--certificatesresolvers.acmeresolver.acme.httpchallenge.entrypoint=web" ports: - "80:80" - "443:443" # The Web UI (enabled by --api.insecure=true) # - "8080:8080" restart: unless-stopped networks: - open-webui-network volumes: # So that Traefik can listen to the Docker events - /var/run/docker.sock:/var/run/docker.sock # Sync timezones - /etc/timezone:/etc/timezone:ro - /etc/localtime:/etc/localtime:ro # letsencrypt - "~/letsencrypt:/letsencrypt" # dynamic config - "~/dockers/traefik_dynamic:/etc/traefik/dynamic_conf" open-webui: image: ghcr.io/open-webui/open-webui:main environment: - OPENAI_API_KEY=<KEY> - PORT=4001 - WEBUI_URL=https://open-webui.example.com depends_on: - traefik labels: - "traefik.enable=true" - "traefik.http.routers.open-webui.rule=Host(`open-webui.example.com`)" - "traefik.http.routers.open-webui.entrypoints=websecure" - "traefik.http.routers.open-webui.tls=true" - "traefik.http.routers.open-webui.tls.certresolver=acmeresolver" - "traefik.http.services.open-webui.loadbalancer.server.port=4001" ports: - "4001:4001" volumes: - ~/open-webui:/app/backend/data networks: - open-webui-network restart: unless-stopped litellm: image: ghcr.io/berriai/litellm:main-latest environment: - LITELLM_MASTER_KEY=<LITELLMKEY> volumes: - ~/litellm:/config command: --config /config/config.yaml --port 4000 ports: - "4000:4000" networks: - open-webui-network restart: unless-stopped # volumes: # open-webui: networks: open-webui-network: driver: bridge ```
GiteaMirror commented 2026-04-19 21:00:12 -05:00
Author
Owner
Copy Link

@tkafka commented on GitHub (Nov 25, 2024):

My investigation so far:

Open-webui seems to be using Starlette as: d870386d7d/backend/open_webui/main.py (L2571)

from starlette.middleware.sessions import SessionMiddleware

# ...

# SessionMiddleware is used by authlib for oauth
if len(OAUTH_PROVIDERS) > 0:
    app.add_middleware(
        SessionMiddleware,
        secret_key=WEBUI_SECRET_KEY,
        session_cookie="oui-session",
        same_site=WEBUI_SESSION_COOKIE_SAME_SITE,
        https_only=WEBUI_SESSION_COOKIE_SECURE,
    )

ChatGPT says: SessionMiddleware by default uses an in-memory store for sessions if no storage backend is configured. This is volatile and explains why sessions are lost when the container is restarted or updated.

Can we add a simple filesystem-based session store?

It should be done like this:

app.add_middleware(
    SessionMiddleware,
    secret_key=WEBUI_SECRET_KEY,
    path_to_store="/persistent/session/data"
)

Then map the directory in your docker-compose.yml:

volumes:
  - ./data/sessions:/persistent/session/data

The drawbacks are that some users might prefer a fast in-memory store, so I think it would be better to introduce some env var like eg. WEBUI_SESSION_STORAGE_FOLDER and use it only if the user provides it.

What do you think?

<!-- gh-comment-id:2497696648 --> @tkafka commented on GitHub (Nov 25, 2024): My investigation so far: Open-webui seems to be using Starlette as: https://github.com/open-webui/open-webui/blob/d870386d7da7c1335ebab32158028e21006b8806/backend/open_webui/main.py#L2571 ```python from starlette.middleware.sessions import SessionMiddleware # ... # SessionMiddleware is used by authlib for oauth if len(OAUTH_PROVIDERS) > 0: app.add_middleware( SessionMiddleware, secret_key=WEBUI_SECRET_KEY, session_cookie="oui-session", same_site=WEBUI_SESSION_COOKIE_SAME_SITE, https_only=WEBUI_SESSION_COOKIE_SECURE, ) ``` ChatGPT says: SessionMiddleware by default uses an in-memory store for sessions if no storage backend is configured. This is volatile and explains why sessions are lost when the container is restarted or updated. Can we add a simple filesystem-based session store? It should be done like this: ``` app.add_middleware( SessionMiddleware, secret_key=WEBUI_SECRET_KEY, path_to_store="/persistent/session/data" ) ``` Then map the directory in your docker-compose.yml: ``` volumes: - ./data/sessions:/persistent/session/data ``` The drawbacks are that some users might prefer a fast in-memory store, so I think it would be better to introduce some env var like eg. `WEBUI_SESSION_STORAGE_FOLDER` and use it only if the user provides it. What do you think?
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#14704
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?