Problem with authentication and multiple users

Hi,
I have an application where I need to authenticate users at login. I tried to use both the built-in Basic authentication in Panel and --auth-module in Bokeh server, but both give the same behavior.
I am using .servable() on my panel object and then starting the server from the command line with panel.exe serve .
Everything works fine for the first user, who can log in to the main page without any issues. The problem starts when a second or additional user tries to log in. After inputting the correct username and password, the user is redirected to the main page but gets connected to the session of the first user. If the second user tries to log out, it also logs out the first user.
What confuses me the most is that this behavior does not happen all the time. Sometimes it is possible to successfully log in multiple users until this behavior of logging in to another user's session starts.
Any hint or suggestion would be greatly appreciated, as I have been struggling to find a solution for a long time.

How are you running the server? I cannot reproduce with

```python
import panel as pn
pn.extension()

pn.template.FastListTemplate(main=[pn.state.user]).servable()
```

credentials.json

```json
{
    "abc": "abc",
    "cba": "cba"
}
```

```bash
panel serve app.py --basic-auth credentials.json --cookie-secret my_super_safe_cookie_secret
```

Hi,
Thank you for your reply.
The Panel app is run on a Windows server, where the Windows server is used only as a proxy to redirect from ports 80/443 to the port where my app is running.
So I assume the problem might be somewhere in the proxy settings, but I am not able to figure out where. I am passing cookies through the proxy server, and users have different IP addresses when they log in, which I am able to retrieve from Request. But still, when an additional user tries to log in, after passing the authentication he may end up in another user's session.

Facing a similar issue on Windows. Apart from this, one more issue:
I created a simple one-line Panel app like the one above with basic auth. Login works fine the first time. But from the second time onwards it doesn't even ask for a login/password after I restart the service, even if I change the credentials in the auth file, i.e. even if a user is deleted, a password is changed, etc., still no login screen appears and the user has direct access based on the cookies saved in the browser.

Hi @abba94

Try posting it as a bug on GitHub with a minimal, reproducible example and some screenshots or a video showing the issue.

Thanks.

In my case the problem was Windows Server, which was used as a proxy. I was able to change my architecture setup and avoid using the proxy, and after that everything seems to be working fine.
I think the behavior that you are describing is intentional. Once a user logs in, a cookie file with user information is created. When you restart your app, the code looks for the cookie with user information, and if it is found it redirects directly to your app. If the cookie is not found, the user is redirected to the login page. Changing credentials does not remove this cookie file from the user's browser. For that you would need to clear cookies in your browser or use Private mode.
The cookie file has an expiration time, which is set by default to 1 day. You can change that by passing the --oauth-expiry-days parameter. https://panel.holoviz.org/how_to/authentication/configuration.html
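
The cookie behavior described in this reply, modeled as an added example (not code from the thread or from Panel): a simplified HMAC-signed, time-stamped cookie stands in for the real login cookie and shows why a signature-only check keeps accepting a deleted user until the cookie expires or the cookie secret changes. The function names, cookie layout and sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac

DAY = 86400  # seconds

def _mac(secret: bytes, payload: str) -> str:
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()

def sign(secret: bytes, user: str, issued: int) -> str:
    """Issue 'user|issued|mac' (constructed layout, not Panel's cookie format)."""
    payload = f"{user}|{issued}"
    return f"{payload}|{_mac(secret, payload)}"

def cookie_user(secret, cookie, now, expiry_days=1.0):
    """Signature-and-age check only: the credentials file is never consulted."""
    try:
        user, issued, mac = cookie.rsplit("|", 2)
        issued = int(issued)
    except ValueError:
        return None
    expected = _mac(secret, f"{user}|{issued}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    if now - issued > expiry_days * DAY:
        return None
    return user

def current_user(secret, cookie, now, credentials, expiry_days=1.0):
    """Stricter check: the cookie must verify and the user must still exist."""
    user = cookie_user(secret, cookie, now, expiry_days)
    return user if user in credentials else None

def demo():
    secret = b"constructed-cookie-secret"      # sample value
    t0 = 1_700_000_000                         # constructed login time
    cookie = sign(secret, "abc", t0)           # "abc" logs in
    credentials = {"cba": "cba"}               # "abc" removed, app restarted
    later = t0 + 3600
    return {
        "signature_only": cookie_user(secret, cookie, later),
        "with_credential_check": current_user(secret, cookie, later, credentials),
        "after_expiry": cookie_user(secret, cookie, t0 + 2 * DAY),
        "after_secret_rotation": cookie_user(b"rotated-secret", cookie, later),
    }

if __name__ == "__main__":
    print(demo())
```

In this model, an already issued cookie stops working in three cases: it expires, the signing secret is rotated, or the check also requires the user to still be present in the credentials.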

Thank you, the cookie file expiration time change worked for me. I will look further into the Windows Server thing.

I am seeing the same thing and just want to confirm that this is the expected behavior. I have two users in a JSON file and I am using BasicAuth. The state of the application seems to be tied to the browser/cookie and not the user, which doesn’t seem like what one would want. So if I open Chrome and Firefox and log in and out, the state of the app stays the same in each browser regardless of the user. I can post the code, but I am just using the BasicAuth example code combined with the Fast Template example code and starting the app with panel serve on the command line.

@ahuang11 Are you saying that you do not see this and the layout of your Widgets will be saved against the user and not the browser?