Copilot authentication invalidates main app session when using same domain (Chainlit 2.9.2, Python 3.12)

[vivekjainmaiet]

I am using Chainlit 2.9.2 with Python 3.12, deploying a single Chainlit application that serves:
1. A main Chainlit chat UI, and
2. Chainlit Copilot, embedded on multiple external websites.

Both the main app and Copilot use the same Chainlit backend domain (e.g. https://chat.example.org).

When Copilot authenticates using accessToken, the main Chainlit app disconnects (WebSocket closes). This happens even when:
• the same browser is used
• the same logged-in user identity is used
• only one Chainlit deployment exists

Environment
• Chainlit: 2.9.2
• Python: 3.12
• Deployment: Kubernetes
• Exposure: Service type LoadBalancer
• TLS termination: on Chainlit pod
• Domain: single domain (no subdomains available)
• Copilot: embedded on multiple external websites

Copilot embed example

<script src="https://chat.example.org/copilot/index.js"></script> <script> window.mountChainlitWidget({ chainlitServer: "https://chat.example.org", }); </script>

Observed behavior
• When Copilot initializes and authenticates, Chainlit sets or refreshes its auth cookie.
• This causes the existing WebSocket session of the main app to become invalid.
• The main app UI disconnects immediately after Copilot authentication.

Expected behavior
• Authenticating Copilot for the same user should not invalidate or disconnect an existing main app session.
• Ideally, the main Chainlit UI and Copilot should be able to coexist on the same domain without interfering with each other’s sessions.

Suspected root cause
• Chainlit v2 uses cookie-based authentication.
• Copilot authentication refreshes or replaces the auth cookie on the same origin.
• Existing WebSocket connections appear to be tied to the previous cookie/session and are closed when it changes.

Constraints
• Cannot use multiple domains or subdomains.
• Prefer not to run a separate backend per website.
• Currently using a single Chainlit deployment to serve both UI and Copilot.

Questions
1. Is it expected that re-authentication (even for the same user) invalidates existing WebSocket sessions?
2. Is there a recommended way to run Chainlit UI and Copilot on the same domain without session conflicts?
3. Is CHAINLIT_COOKIE_PATH intended only for isolating separate app mounts, or can it help within a single app instance?
4. Would it be feasible to make Copilot auth idempotent for the same user (i.e., avoid rotating cookies if identity hasn’t changed)?

Any guidance or recommended architecture would be appreciated.

[dosubot]

Yes, in Chainlit 2.9.2, re-authenticating (even as the same user) will invalidate existing WebSocket sessions because the authentication cookie is replaced, and active sessions tied to the old cookie are disconnected. This is expected behavior due to how cookie-based authentication and session validation work in Chainlit reference reference.

There is currently no built-in way to fully isolate sessions for different frontends (main UI vs Copilot) on the same domain within a single Chainlit deployment. The cookie path is hardcoded to / and cannot be changed via environment variables, so cookies are always sent to all sub-paths. The only supported isolation is by setting a unique CHAINLIT_AUTH_COOKIE_NAME for each app, but since you have a single deployment serving both UI and Copilot, this does not help reference.

CHAINLIT_COOKIE_PATH is not available as a configuration option; only the cookie name and SameSite attributes are configurable. Setting CHAINLIT_ROOT_PATH helps with routing but does not affect cookie scope or session isolation.

Making Copilot authentication idempotent (so it doesn't rotate the cookie if the user identity hasn't changed) is not currently supported out of the box. The Copilot flow always refreshes the auth cookie, which will disconnect any existing sessions using the previous cookie.

Given your constraints (single domain, single backend), there is no robust workaround to prevent session conflicts between the main UI and Copilot. The only way to achieve true isolation would be to run separate backend instances (which you prefer to avoid) or wait for a future Chainlit update that allows cookie path configuration or more granular session management.

For now, be aware that authenticating from Copilot will always disrupt the main UI session in the same browser context. If this is a blocker, consider isolating usage to separate browsers or incognito sessions as a temporary workaround reference.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

   

[github-actions]

This issue is stale because it has been open for 14 days with no activity.

[github-actions]

This issue was closed because it has been inactive for 7 days since being marked as stale.