Fix Odoo Session Expired and Timeout Errors: Keep Users Logged In

DeployMonkey Team · March 23, 2026 · 10 min read

The Session Timeout Problem

Users complain they keep getting logged out of Odoo, losing unsaved work. They are filling out a long form, switch to check an email, come back, and see "Session Expired" — all their input is gone. This is one of the most common user complaints in Odoo deployments.

What Users See

# Popup in Odoo:
"Session Expired"
"Your Odoo session expired. The current page is about to be refreshed."
[OK]

# Or browser redirects to /web/login unexpectedly

# Or AJAX requests fail with:
{"error": {"code": 100, "message": "Odoo Session Expired"}}

How Odoo Sessions Work

Odoo uses server-side sessions stored as files in the data_dir/sessions directory. A session cookie in the browser identifies the session. The session expires when:

  • The session file is too old (not accessed recently)
  • The cookie expires or is cleared
  • The session file is deleted (server cleanup)
  • The worker process that held the session restarted

Cause 1: Session Timeout Too Short

# Default session timeout is 7200 seconds (2 hours) of inactivity
# For users who work in Odoo all day, this may be too short

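# Fix: Increase session timeout in odoo.conf
# Odoo 16+ (24 hours). Keep the comment on its own line: a trailing "#"
# comment on the same line would be read as part of the value.
# Trade-off: a longer timeout also keeps a stolen or unattended session valid longer.
session_timeout = 86400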

# Odoo 15 and earlier — no direct config option
# Install the 'base_session_store_psql' module or similar
# Or modify the session gc interval

Cause 2: Session Files Cleaned Up

Old session files are periodically garbage collected. If the cleanup is too aggressive, active sessions get removed.

# Check session directory size:
ls -la /var/lib/odoo/.local/share/Odoo/sessions/ | wc -l
du -sh /var/lib/odoo/.local/share/Odoo/sessions/

# If session files are being deleted by cron or system cleanup:
# Check for cleanup scripts:
crontab -l | grep -i session
ls /etc/cron.d/ | grep -i odoo

# Fix: Ensure no external cleanup targets the sessions directory
# Only Odoo should manage its session files
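
An added example, not from the original article: a shell helper that compares session file ages with the configured timeout and lists cron or cleanup files that mention the sessions directory. The function names and verdict strings are hypothetical, `stat -c %Y` assumes GNU coreutils, and the verdict is a heuristic rather than proof.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not Odoo tooling.
# usage:
#   session_age_report /var/lib/odoo/.local/share/Odoo/sessions 7200
#   find_session_cleaners /var/lib/odoo/.local/share/Odoo/sessions /etc/cron.d

# Print "total=N stale=N oldest_age=SECONDS verdict=..." for a sessions directory.
# A file counts as stale when its mtime is older than the timeout.
session_age_report() {
    dir=$1 timeout=$2
    now=$(date +%s)
    total=0 stale=0 oldest=0
    # stat -c %Y prints the mtime as epoch seconds; find recurses in case
    # the directory is split into subdirectories.
    for mtime in $(find "$dir" -type f -exec stat -c %Y {} +); do
        age=$((now - mtime))
        total=$((total + 1))
        if [ "$age" -gt "$timeout" ]; then stale=$((stale + 1)); fi
        if [ "$age" -gt "$oldest" ]; then oldest=$age; fi
    done
    # Heuristic: on a server that has been in use for longer than the timeout,
    # at least one idle session file should have survived that long. If every
    # file is younger, something may be deleting session files early.
    if [ "$total" -gt 0 ] && [ "$oldest" -lt "$timeout" ]; then
        verdict=files-younger-than-timeout
    else
        verdict=ok
    fi
    echo "total=$total stale=$stale oldest_age=$oldest verdict=$verdict"
}

# List files under the given search paths that mention the sessions directory,
# which is more precise than grepping for the word "session".
find_session_cleaners() {
    dir=$1; shift
    grep -rlF -- "$dir" "$@" 2>/dev/null || true
}
```
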

Cause 3: Load Balancer Without Sticky Sessions

If Odoo runs behind a load balancer with multiple servers, requests must go to the same backend server (sticky sessions). Without this, the session is found on server A but the request goes to server B.

# nginx upstream with sticky sessions:
upstream odoo {
    ip_hash;  # Sticky sessions based on client IP
    server 10.0.0.1:8069;
    server 10.0.0.2:8069;
}

# Or use cookie-based stickiness (more reliable; the sticky directive requires NGINX Plus):
upstream odoo {
    server 10.0.0.1:8069;
    server 10.0.0.2:8069;
    sticky cookie srv_id expires=1h domain=.yourdomain.com path=/;
}

# Alternative: Use PostgreSQL session store
# All servers share the same session storage
pip install psycopg2
# Set in odoo.conf: session_store_type = db

Cause 4: Cookie Domain Mismatch

# If Odoo is accessed via different URLs (IP, hostname, FQDN),
# the session cookie may not match

# Example: User bookmarked http://192.168.1.100:8069
# but the cookie was set for odoo.company.com
# Result: session not found → login required

# Fix: Always use the same URL to access Odoo
# Redirect all alternative URLs to the canonical one in nginx:
server {
    listen 80;
    server_name 192.168.1.100 odoo.local;
    return 301 https://odoo.company.com$request_uri;
}

Cause 5: Worker Restarts

When Odoo workers restart (due to memory limits, code reload, or deployment), in-memory session references are lost. If sessions are stored on disk and the new worker reads them, this is transparent. But if the session file was corrupted or locked, the session is lost.

# Check worker restart frequency:
grep -c 'Worker\|Spawning\|killed' /var/log/odoo/odoo-server.log

# Fix: Increase memory limits to reduce worker restarts
limit_memory_soft = 2147483648
limit_memory_hard = 2684354560

# Fix: Use database-backed sessions for resilience
# Workers can share sessions via PostgreSQL

Cause 6: Reverse Proxy Not Passing Cookies

# nginx must pass cookies through to Odoo

# Check nginx config includes:
proxy_set_header Cookie $http_cookie;
proxy_pass_header Set-Cookie;

# Also ensure these headers are set:
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

# If using Cloudflare or CDN:
# Ensure cookies are not being stripped or cached
# Cache rules should exclude /web/* and /xmlrpc/*

Cause 7: HTTPS Cookie Security

# If Odoo sets Secure cookies but some pages load over HTTP,
# the cookie is not sent for HTTP requests

# Fix: Ensure ALL traffic uses HTTPS
# Redirect HTTP to HTTPS in nginx:
server {
    listen 80;
    return 301 https://$host$request_uri;
}

# Set proxy_mode = True in odoo.conf to correctly detect HTTPS
proxy_mode = True

Cause 8: SameSite Cookie Policy

# Modern browsers enforce SameSite cookie policies
# If Odoo is embedded in an iframe or accessed cross-origin,
# cookies may be blocked

# Symptoms: Login works in a regular tab but not in an iframe

# Fix: Odoo 16+ sets SameSite=Lax by default
# For iframe/cross-origin use, you may need SameSite=None + Secure
# This requires a custom module or monkey-patch
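
The cookie conditions from Causes 4, 7 and 8 as one check, added here as an example that is not part of the original article or of Odoo. `check_session_cookie` and its finding names are hypothetical; it takes the URL the user opens and the Set-Cookie value captured at login.

```shell
#!/bin/sh
# Added example: check_session_cookie is a hypothetical helper, not part of Odoo.
# usage: check_session_cookie URL SET_COOKIE_VALUE [embedded]
#   URL               address the user actually opens
#   SET_COOKIE_VALUE  value of the Set-Cookie header seen at login
#   embedded          "yes" if Odoo is loaded in an iframe / cross-site context
# Prints one finding per line; no output means no problem was detected.
check_session_cookie() {
    url=$1 header=$2 embedded=${3:-no}
    scheme=${url%%://*}
    host=${url#*://}; host=${host%%[:/]*}
    host=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
    secure=no samesite=unset domain=
    # Walk the ";"-separated attributes that follow the name=value pair.
    old_ifs=$IFS; IFS=';'; set -f
    for attr in ${header#*;}; do
        attr=$(printf '%s' "$attr" | sed 's/^ *//; s/ *$//' | tr 'A-Z' 'a-z')
        case $attr in
            secure) secure=yes ;;
            samesite=*) samesite=${attr#samesite=} ;;
            domain=*) domain=${attr#domain=}; domain=${domain#.} ;;
        esac
    done
    set +f; IFS=$old_ifs
    # Cause 7: a Secure cookie is not sent over plain HTTP.
    if [ "$secure" = yes ] && [ "$scheme" = http ]; then
        echo secure-cookie-over-http
    fi
    # Cause 4: the cookie's Domain must equal the host or be a parent of it.
    # A cookie without Domain is host-only and cannot be compared here.
    if [ -n "$domain" ]; then
        case $host in
            "$domain"|*."$domain") ;;
            *) echo domain-mismatch ;;
        esac
    fi
    # Cause 8: browsers reject SameSite=None without Secure ...
    if [ "$samesite" = none ] && [ "$secure" = no ]; then
        echo samesite-none-without-secure
    fi
    # ... and withhold Lax, Strict or unset cookies from cross-site iframes.
    if [ "$embedded" = yes ] && [ "$samesite" != none ]; then
        echo samesite-blocks-embedded
    fi
}
```
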

Quick Fix Checklist

  1. Set session_timeout = 86400 in odoo.conf (24 hours)
  2. Ensure all users access Odoo via the same canonical URL
  3. Configure sticky sessions if using a load balancer
  4. Set proxy_mode = True if behind a reverse proxy
  5. Increase worker memory limits to reduce restarts
  6. Redirect all HTTP traffic to HTTPS
  7. Do not run external cleanup scripts on the sessions directory