From fe54fb61aabb2f39786a24f8fbf1fd98a8e42ce5 Mon Sep 17 00:00:00 2001
From: Timothy Jaeryang Baek <tim@openwebui.com>
Date: Sun, 28 Sep 2025 16:35:13 -0500
Subject: [PATCH] fix: session middleware should be required by default

---
 backend/open_webui/main.py | 55 +++++++++++++++++---------------------
 1 file changed, 25 insertions(+), 30 deletions(-)

diff --git a/backend/open_webui/main.py b/backend/open_webui/main.py
index 61a1639ee3..904399af14 100644
--- a/backend/open_webui/main.py
+++ b/backend/open_webui/main.py
@@ -1908,38 +1908,33 @@ if len(app.state.config.TOOL_SERVER_CONNECTIONS) > 0:
                     f"mcp:{server_id}", OAuthClientInformationFull(**oauth_client_info)
                 )
 
-
-# SessionMiddleware is used by authlib for oauth
-if len(OAUTH_PROVIDERS) > 0:
-    try:
-        if REDIS_URL:
-            redis_session_store = RedisStore(
-                url=REDIS_URL,
-                prefix=(
-                    f"{REDIS_KEY_PREFIX}:session:" if REDIS_KEY_PREFIX else "session:"
-                ),
-            )
-
-            app.add_middleware(SessionAutoloadMiddleware)
-            app.add_middleware(
-                StarSessionsMiddleware,
-                store=redis_session_store,
-                cookie_name="oui-session",
-                cookie_same_site=WEBUI_SESSION_COOKIE_SAME_SITE,
-                cookie_https_only=WEBUI_SESSION_COOKIE_SECURE,
-            )
-            log.info("Using Redis for session")
-        else:
-            raise ValueError("No Redis URL provided")
-    except Exception as e:
-        app.add_middleware(
-            SessionMiddleware,
-            secret_key=WEBUI_SECRET_KEY,
-            session_cookie="oui-session",
-            same_site=WEBUI_SESSION_COOKIE_SAME_SITE,
-            https_only=WEBUI_SESSION_COOKIE_SECURE,
+try:
+    if REDIS_URL:
+        redis_session_store = RedisStore(
+            url=REDIS_URL,
+            prefix=(f"{REDIS_KEY_PREFIX}:session:" if REDIS_KEY_PREFIX else "session:"),
         )
 
+        app.add_middleware(SessionAutoloadMiddleware)
+        app.add_middleware(
+            StarSessionsMiddleware,
+            store=redis_session_store,
+            cookie_name="owui-session",
+            cookie_same_site=WEBUI_SESSION_COOKIE_SAME_SITE,
+            cookie_https_only=WEBUI_SESSION_COOKIE_SECURE,
+        )
+        log.info("Using Redis for session")
+    else:
+        raise ValueError("No Redis URL provided")
+except Exception as e:
+    app.add_middleware(
+        SessionMiddleware,
+        secret_key=WEBUI_SECRET_KEY,
+        session_cookie="owui-session",
+        same_site=WEBUI_SESSION_COOKIE_SAME_SITE,
+        https_only=WEBUI_SESSION_COOKIE_SECURE,
+    )
+
 
 @app.get("/oauth/clients/{client_id}/authorize")
 async def oauth_client_authorize(