Does it make sense to deauthorize sessions (devices) from time to time?

clausimausi · May 28, 2025, 11:12am

Hello,
the list of deviceses which my account was logged in is long (20 entries), most of them from 2024 (web app → Settings → Security → Devices).
Does it make sense to clear it regulary (with “Deauthorize sessions” from the “Danger Zone”?) Is there a negative side effect beside I have to log (with Master Password and 2FA) in the apps? Is there a way to delete single entries without deleting all at once?
Greetings,
Claus

DenBesten · May 28, 2025, 12:41pm

There is not an ability to deauthorize individual entries. There is a Feature Request to add it, though. Go vote for it!

Absent an emergency, I would not deauthorize sessions without first creating an export (zip or json). But that is just paranoid me.

Nail1684 · May 28, 2025, 12:56pm

… and if you “deauthorize sessions”, then there is a current bug preventing not-currently-active-clients from getting deauthorized at the moment:

github.com/bitwarden/clients

Security Vulnerability: "Deauthorize Sessions" does not deauthorize all sessions

opened 06:58PM - 25 May 25 UTC

bwbug

bug web

### Steps To Reproduce 1. Log in to Desktop app and set the vault timeout actio…n to "Lock". 2. Close Desktop app. 3. Log in to Web Vault and **deauthorize all sessions**. 4. Open Desktop app. 5. Unlock the logged-in account in the Desktop app. 6. Sync vault in Desktop app. 7. Edit vault item in Desktop app, and save changes. 8. Wait at least 60 minutes. 9. If the Desktop app is locked, unlock it. 10. Sync vault in Desktop app. 11. Edit vault item in Desktop app, and save changes. 12. Log back in to Web Vault, and view the items that were edited in **Steps 7 & 11**. ### Expected Result The account that was logged in to the Desktop app should be automatically logged out, either at **Step 4**, **Step 5**, **Step 6**, **Step 7**, **Step 8**, **Step 9**, **Step 10**, or **Step 11**. In **Step 12**, no modifications to the items should be seen. ### Actual Result The account that was logged in to the Desktop app remains logged in and authorized indefinitely (through **Steps 4–11** and beyond). The changes made in **Steps 7 & 11** are synced to the Web Vault and to other devices. ### Screenshots or Videos _No response_ ### Additional Context The Desktop app used for testing was a portable Desktop app for Windows, version 20205.4.2. The deauthorized account _does_ become logged out when deauthorizing sessions if the Desktop app was _open_ (and either unlocked or locked) when deauthorization was initiated from the Web Vault. During testing, I also observed the following behaviors in the _browser extension_ (Chrome 2025.5.0), which I have _not_ been able to reproduce after the initial observation: * Under some conditions (which I have not been able to recreate), the logged-in browser extension also remains logged in after deauthorization from the Web Vault. * When logging back in to the browser extension after one of the deauthorization events that _successfully_ logged out the browser extension, and error message with wording similar to "attempt to use a disconnected port object" was seen (this happened only one time). At least two users have reported the same issue on the [Bitwarden Community Forum](https://community.bitwarden.com/t/the-deauthorize-session-option-does-not-log-out-of-bitwarden-desktop-when-it-is-not-running/85142). ### Operating System Windows ### Operating System Version Windows 11 ### Web Browser Chrome ### Browser Version _No response_ ### Build Version 2025.5.0 ### Issue Tracking Info - [x] I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

And if I remember correctly, the last time I used “deauthorize sessions” I think the list of devices in the web vault didn’t get cleared by that.

Neuron5569 · May 28, 2025, 1:57pm

I think that is a list of devices that you have ever logged in, regardless if the session is still active or inactive (logged out).

Deauthorizing isn’t going to clear that list, because it includes inactive sessions.

On our side, clearing it would probably make sense including 1) account breach 2) malware infection 3) have throwaway clients that are not logged out 4) logged into another computer that you don’t have control (oops!). If BW is centrally breached, deauthorizing the sesions would make sense as well.

clausimausi · May 28, 2025, 3:14pm

Hmm, I see. Well, it is not clear what this list means. Why should it be important to me? I can not change it, I do not get further details about each entry.
It is even more confusing now, and something to get worried (many entries from 2024).
I know such lists form many other apps: this specific day you used this specific device to login. And it is possible to delete/remove these ones from the list (=deauthorize). But not here? Probably I missunderstand this list.

grb · May 28, 2025, 6:15pm

The device list is a relatively recent feature, and is not very useful in its current incarnation. It would be more useful if the “Login Status” column could at least indicate which of the many devices are currently logged in. The current implementation only shows the current Web Vault session, as well as any devices for which a “Login with Device” request is pending (and that seems to be the primary function of the list — to see if there are any pending “Login with Device” requests).

I always use Bitwarden in Incognito/Private browsers, so everytime that I log in, a new “device” is registered in the device list (as Bitwarden does not recognize devices after browser data have been cleared).