Forum logs me out...but only when I use my "standing" VM

OK, that title sucks, but I can’t write a better one that won’t look like the body of a post.

So here’s what’s going on: For most websites I run a VM based (ultimately) on debian-12-minimal, but I’ve taken a page or two from arkenfox, and a bit from split browser, and customized the heck out of firefox, and I’ve created a disposable that opens my customized firefox.

Generally, I can just fire the thing up, and go where I want to go, log in perhaps, but of course when I close the window, the disposable “dies” and that’s that.

There are a few sites I visit frequently, and this is one of them. For those sites, I create a disposable template that opens the site by default, and whitelists just the cookies from that site.

So I can run the disposable template, log in, shut down the disposable template, and the next time I fire up the named disposable based on that template, I should go straight to forum.qubes-os.org and already be logged in. Anything I do after that point should be lost with my browser history when I shut the disposable down, but in general, I can restart the disposable later and it will be as if I had just logged in to the site again.

And it mostly works. But for some reason on this site (and puri.sm which apparently uses the same software), if I come back a few hours later, or the next day…I have to log in again. Which means: Shutting down the disposable, starting the disposable template, logging in, shutting down the dvm template, and then going back to my disposable…which will then generally show me as logged in provided I remember to wait for the dvm template to shut down first before starting it. That’s an annoying little rodeo I have to go through roughly every day (though every once in a while I’m good for at least a week) for no apparent reason. Certainly if I visit this forum on other systems, ones where I’m just using a regular old browser in a regular old install of something that isn’t qubes, I don’t have this issue; my being logged in is remembered indefinitely.

There’s no consistency in the timing. It has usually kicked me off after about a day, but sometimes I can come back a week later, fire up the disposable, and I’m still logged in.

So what’s going on?

A website’s client-side state (cookies, localStorage etc.) isn’t necessarily immutable for the duration that you are logged in. For example, the website might periodically (every n seconds and/or every m requests) refresh a cookie, replacing it with a new value.

Since you’re not syncing back the latest state from the DisposableVM to the -dvm template, your next DisposableVM would then present an old version of the state that was already superseded in the previous DisposableVM’s browser instance.

I wouldn’t even count on merely having to re-login in this case: From the website’s POV it looks like an attacker has e.g. gained access to your backups, and in response the website might theoretically go as far as locking the account and redirecting you to some kind of recovery flow.

A safer approach would be not to persist the logged-in state but the login credentials (or to otherwise make it easy to pass persistent credentials to the DisposableVM, like Split Browser does).

Good points. Essentially, the site might update the cookie, but I lose the updates and revert to the prior cookie. That makes sense (as for proving it…well, I can think of some things to try).

Although I’ve been using Split Browser for bookmarks (as part of a combined arkenfox/split browser setup), I never did manage to get the login credentials to work on it. I don’t know precisely where it fails, just that the credentials never reach the browser.

Normally there should be some error message logged to the persistent side’s journal (or printed directly to the terminal, if split-browser was started from the CLI).

Bingo. Doing what OP is doing is incompatible with session management of most modern web sites which assume a linear state transition history on the part of their clients.