Deauthorize sessions and support

English is not my native language, I have used a translator to communicate with you. Thank you for your understanding.
I have a subscription with Bitwarden. I know that it is not a big deal those 10 $ a year but for me it does count because, well, my personal situation is not good. Let’s leave it there. I don’t want to be sorry.

I have recently experienced a problem that I want to share with you. I have several sessions open and from time to time I hit the Unauthorize sessions button. The problem is that it does not come out of all the sessions. Many remain open as if the Deauthorize button did not work.
I have mitigated this by changing the password and rotating the account encryption. This forces you to put the new password even if the session is still started.
I have spoken with Support, with a man of whom I will not say the name, but he has asked me for a video of what I do ???
Really??? A video of how I press a button in my web trunk ?? It seems to me that he is not from Bitwarden support and I am talking to someone who wants to hack my account (good luck what you are going to find) or has so much work that he has not thought about what he said.
I really don’t need the premium but in my humble situation I wanted to help open source even if my contribution was modest.
What do you think of this? Thank you for reading me and in advance I appreciate the answers.
P.S. At first I asked for my money back but then I let it be. I think I should support to the best of my ability.

@Oneofseven_Kwai_Chan Welcome to the forum!

To avoid misunderstanding, I should clarify that this is a community forum of Bitwarden users and Bitwarden customers, and that I am responding as a fellow customer (I am not a Bitwarden employee or official representative).

I believe that it is normal for the effect of the “Deauthorize Sessions” to be delayed (for up to one hour) in some cases, especially if your internet connection is not reliable.

However, I don’t understand the reason why you wish to deauthorize your open sessions “from time to time”. This is not a normal way to use Bitwarden, even for a user who is very concerned about security. The more conventional way to secure your logged in sessions is to customize the settings of your Bitwarden apps and browser extensions, and to set the Vault Timeout to a short interval — this ensures that your vault is automatically locked when the app is not actively used.

If you spoke with somebody by telephone or in person, then it may indeed have been an impostor. Bitwarden normally provides support only via email (from <[email protected]>).

To contact Bitwarden’s customer support either use the submission form available by clicking the Contact Support button on this page, or simply send an email to the support email address given above. If you have multiple email addresses, please use the email that matches your Bitwarden username when you contact support.

If you contact Bitwarden’s customer support using one of the methods I described above, then you can request a refund of your Premium subscription within 30 days of subscribing.

Thanks for the answer. It may not be a normal way to use the application according to you. But using it like that shouldn’t be a reason it doesn’t work either. If there is a button to Unauthorize all sessions, I don’t have to use it ??. You have a car with the centralized keychain that closes all the doors of it and you will not use it because you think it is better to close them one by one ??
Nor is it that you use Deauthorize every day or every month. I use it once, maybe every 6 months. But if I have the possibility to use a button like Deauthorize I don’t have to use it because … ???
Blocking the session after inactivity comes by default in the application. What I have done now is that instead of blocking the session when it is not used, it is that you close the session.

Of course it is not immediate but it has to happen at some point, right?
More than 7 days ago and some sessions were still active. How much longer do I have to wait?

I appreciate your contribution but I have already contacted support as I explained before in my post. Returning the money I have already discarded as I have also explained. I just want to know if apart from what I have explained to people you can think of anything else you can try to solve my problem. Thank you.

This button is available for use in emergency situations when you believe that your Bitwarden account has been compromised. It is not intended for routine use.

No, the default setting is to lock the apps/extensions on restart. It is recommended to change the default “Vault Timeout” interval to a short time period (5–15 min).

No. If you use “Deauthorize Sessions”, that does not close the app. It merely causes the user to be logged out.

You can achieve the same result in a more reliable way by setting the “Vault Timeout Action” to “Log out” instead of “Lock”.

Something is wrong with your set-up. If you insist on using this method of yours, we’d have to do some additional troubleshooting to find out why your apps are not communicating with the server.

Good good…So everything I do is wrong. It is not like this? Thank you for your comments that in case you ask yourself they have not been useful to me.
You have also ignored the request for support to make a video of what I do. Isn’t this strange? Make a video of me accessing my safe to press the unauthorized button? For you this is normal?
Is there anyone else please?

Yeah, and I agree with @grb. Under normal circumstances, you seldom even log in to the web vault and do the most “stuff” with the browser extensions on a computer (or the mobile app on mobile devices).

PS: The web vault is mostly used for administrative things, bulk operations, changing general settings like 2FA for the Bitwarden account, import/export (though the other clients can do the latter as well now) etc.

PPS: And the “deauthorize sessions” button is more or less only for emergency situations, like one of your devices got stolen. Or if you want to reset a “remember me” for 2FA of one or more clients.

Not that I can do much with here as (as only another Bitwarden customer)… but did you contact support via the regarding page (Get in Touch | Bitwarden) or via email to/from <[email protected]>?

Will you be kind enough to teach me where in the help of bitwarden or elsewhere is this written?
If you are in an emergency, as you say, and I have to use, as you say, the button to disavow sessions and it doesn’t work what happens ?? Will you take charge of what happens ??
You will help me recover my accounts because someone has accessed my safe and despite using that button, only for emergencies according to you, they have not been thrown out of the session.
Then I can come to your house and say it loud and strong. Because I followed your advice and @grb and it doesn’t work.
I don’t care if it’s for emergencies or not. It does not work for me. It does not work.
If you want to blame me like @grb does ahead. But that something doesn’t work over which I have no control I don’t see how it can be my fault.
I ask again: Does anyone else think of how to help me?

The 2FA/“remember me” part is written here: Two-step Login FAQs | Bitwarden Help Center

For the other part: unfortunately, that is nowhere written. I agree, it would be good, if there was more info in the help sites about the “deauthorize all sessions” button. But while we are at it: please show me, where it is written, that you have to use that button regularly? Or that it is necessary for “basic security” to use that deauthorization button/order?

Just a sanity check: those devices that were not “thrown out of the session” were connected to the internet, right? Because the server must be able to send this order to the device for this to take action.

I guess, @grb already offered you his help, by investigating further - if those meant devices are connected to the internet - why they don’t get this deauthorization order/request. (my spontaneous speculation would be: network problems or certain conditions that hinder that? or “corrupt” installation of the Bitwarden apps? - BTW are they up-to-date?)

Okay, you are angry. Point taken. But this is a customer forum. We may be able to help you - but we are not responsible for your actions or consequences.

And we are not responsible for the code of the apps here… BTW, if this really is a bug, fully connected and functioning (and up-to-date) Bitwarden apps not getting the deauthorization order, then you also should ponder to submit a bug report on GitHub: for all clients (with exception of the mobile apps): Issues · bitwarden/clients · GitHub

PS: You still didn’t answer that:

I don’t think any of us understand what you mean by “come out of all sessions”. I suspect that this is due to an incomplete/incorrect translation and that the support person was probably asking for video/pictures to better understand what you are seeing.

I happen to agree that “deauthorize sessions” should return all of your vault copies to a logged out state. However, for this to work properly, there are a few prerequisites:

First, the clients (phone, pc, etc) each need to be able to check-in with the server (vault.bitwarden.com) to learn that the button has been pressed. Amongst other things, this requires a working Internet connection.

Second, the clients and the server need to be of compatible versions.

Third, the client needs to know to check-in. This is supposed to happen automatically “every once in a while”, but can fail if, for example, your device is in power-saving mode or if background-processing has been disabled. In testing, you can force a check in by editing and saving a vault entry on your phone. If the phone-vault errors-out, the session was indeed terminated and you should no longer be able to access the vault on that device. This works because edits immediately initiate a synchronization with the server.

Here is the precise message that describes the scenarios for which Deauthorize Sessions is intended. Perhaps it is different in your language, but in English there is no suggestion that it is for routine use.

I hope this is a mis-understanding. There is nothing wrong with using both deauthorize and timeout, but the translator made it sound like you are using deauthorize sessions and not using vault timeout. Doing that would be less secure because deauthorize only happens manually, whereas timeout happens automatically.

@grb was suggesting that you should additionally use vault timeout actions, which are described in this help article: Vault Timeout Options | Bitwarden . It is these timeout-options that should be “routinely used” to keep your vault secure, since they happen automatically. I personally would not set it to anything longer than “On restart” and for phones I would not go above an hour.

Also, just like @grb and @Nail1684, I am NOT a bitwarden employee. All three of us are just paying customers, like you, who want to help other customers get the most they can out of a product we like.

@grb, feel free to correct me if I misstated your position.

I don’t know why you are so defensive and angry, when I have certainly not stated anything like that.

I did not ignore it, but perhaps you didn’t read (or didn’t understand) the part of my response where I addressed the concern you had with this interaction.

I see no evidence that you have followed any advice that I’ve given, nor any evidence that it “doesn’t work”.

I have not blamed you for anything — please refrain from making such unfounded accusations. As a forum moderator, I strongly advise you to please review the Community Guidelines before posting any further comments in this thread.

If you want help, then you need to actually provide some information and evidence that would allow experienced Bitwarden users to help you, instead of lashing out at those users.

Personally, I am no longer interested in assisting with this case, but @Nail1684 and @DenBesten are both more than capable of troubleshooting, should they choose to continue engaging with you.

Best regards:

First of all, I would like to thank @denbesten for a different approach to the problem than the other two users who have responded to my post.
I’m just a “premium” user who has clicked a “Deauthorize Sessions”. It’s that option or button that I pressed twice.
What I see that is not well understood is that I cannot be blamed for using an option, even if it is an emergency according to some, and that does not work.
Using the vehicle analogy:
I can’t use the hazard lights because it’s not an emergency? And if when there is an emergency I use them and they don’t work, what will happen??
Last thought: Let’s say that I am a user, an investigative journalist by profession and I am in danger, I need to disavow the session of my computer that I cannot access and I have to do it from an internet café remotely. It will be closed ?? Or will I end up in garbage bags?
Thank you.

Nobody is “blaming” anybody. One thing to know is that in English, blaming or accusing someone of blaming is mildly rude. You may be using an “innocent” word in your native language, but the translator is changing it to something that is not.

I think everyone understands that you want deauthorization to be immediate. Everyone has that same desire. Fact is, though, that it is not. We can tell you why it is not and we can offer you alternatives to help work around the limitation of it not being immediate. However, we can not make it immediate because doing so depends on too many things outside our (and everyone’s – including the programmer’s) control.

To use one of your analogies, deauthorization is more like a road-flare. You need to stop the car, get them out of the trunk, light them and walk back 100 paces to properly warn oncoming traffic. Each of these items takes time and there are places where any of them could fail, such as your matches being wet. Despite these limitations, road-flares have value because they work even if your battery dies.

Timeout is more like brake lights. They come on automatically. Because of this, I know to slow down when I see lots of brake lights ahead. Hazard flashers don’t help nearly as much because I need to depend on others doing the “right thing”.

The one good thing you should take away from this is that since you tested “deauthorize”, you now know its limits and you now know that it alone is not enough.
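
The check-in behaviour described in this thread, as a toy model. This is an added example, not Bitwarden's code and not part of any post; the `stamp` marker, the class names and the 60/15 minute values are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Server:
    stamp: int = 1  # hypothetical per-account marker, bumped on deauthorize

    def deauthorize_sessions(self) -> None:
        self.stamp += 1

@dataclass
class Client:
    name: str
    stamp: int = 1                # marker value cached at login
    online: bool = True
    background_sync: bool = True  # False: power saving / background disabled
    timeout_min: Optional[int] = None  # local Vault Timeout, action "Log out"
    idle_min: int = 0
    logged_in: bool = True

    def _check_in(self, server: Server) -> None:
        # Revocation only takes effect when the client reaches the server.
        if self.online and self.stamp != server.stamp:
            self.logged_in = False

    def tick(self, server: Server, minutes: int) -> None:
        self.idle_min += minutes
        if self.background_sync:
            self._check_in(server)
        # The timeout is enforced locally, so it needs no network at all.
        if self.timeout_min is not None and self.idle_min >= self.timeout_min:
            self.logged_in = False

    def edit_item(self, server: Server) -> bool:
        self.idle_min = 0
        self._check_in(server)  # an edit triggers an immediate sync
        return self.logged_in

def simulate():
    server = Server()
    clients = [
        Client("laptop"),
        Client("phone-power-saving", background_sync=False),
        Client("offline-pc", online=False),
        Client("offline-pc-timeout", online=False, timeout_min=15),
    ]
    server.deauthorize_sessions()
    for c in clients:
        c.tick(server, 60)
    after_hour = {c.name: c.logged_in for c in clients}
    return after_hour, clients[1].edit_item(server)
```

The offline device without a timeout stays logged in until it next reaches the server, which is the gap the Vault Timeout settings discussed above cover.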