Bubble automatically manages user sessions through the Current User object, which is available on every page and updates when users log in or out. You can detect login state with conditions, redirect unauthenticated users, handle session persistence across tabs, and implement custom logout flows. This tutorial covers the full session lifecycle from login detection to cross-tab behavior.
Overview: User Sessions in Bubble
This tutorial explains how Bubble manages user sessions behind the scenes and how to work with them in your app. You will learn about the Current User data source, how to protect pages from unauthenticated access, how to build proper logout flows, and how sessions persist across page refreshes and multiple tabs.
Prerequisites
- A Bubble app with user sign-up and login set up
- At least one page that should only be accessible to logged-in users
- Basic understanding of Bubble workflows and conditions
Step-by-step guide
Understand the Current User object
Understand the Current User object
In Bubble, every page has access to a built-in data source called 'Current User'. When someone logs in, Current User points to their User record in the database. When no one is logged in, Current User is empty. You can access any field on the User data type through Current User — for example, 'Current User's email' or 'Current User's name'. This object is available in dynamic expressions, conditions, and workflows on every page without any setup.
Pro tip: Current User is automatically available everywhere — you never need to pass it between pages or store it in a custom state.
Expected result: You understand that Current User is Bubble's built-in session reference, available on every page for the logged-in user.
Detect login state and redirect unauthenticated users
Detect login state and redirect unauthenticated users
To protect a page from unauthenticated access, add a 'Page is loaded' workflow event. Add the condition 'Only when Current User is logged out'. As the action, choose 'Go to page' and select your login page. This redirects anyone who is not logged in. For the reverse (redirecting logged-in users away from the login page), add a similar workflow with 'Only when Current User is logged in' redirecting to the dashboard. You can also use the 'User login status changes' event to catch users whose sessions expire while on a page.
Expected result: Protected pages redirect unauthenticated users to login, and the login page redirects authenticated users to the dashboard.
Display user-specific content using Current User
Display user-specific content using Current User
Use Current User in dynamic expressions to personalize content. For a welcome message, set a text element's content to 'Welcome, Current User's first_name'. For showing only the user's own data, add a constraint in your searches: 'Do a search for Orders where creator = Current User'. In Repeating Groups, this constraint ensures users only see their own records. Combine this with Privacy Rules (Data tab → Privacy) for server-side security.
Expected result: Pages display personalized content and data filtered to the current logged-in user.
Implement a proper logout workflow
Implement a proper logout workflow
Add a 'Log out' button to your navigation. Create a workflow on the button click with two steps: Step 1 — 'Log the user out' (Account action). Step 2 — 'Go to page' targeting your login or landing page. The logout action clears the session token from the browser, and Current User becomes empty immediately. Any page that checks for Current User being logged in will now redirect to login.
Pro tip: Always redirect after logging out. If you do not, the user remains on a page that may show errors because Current User is now empty.
Expected result: Clicking the logout button clears the session, redirects to the login page, and Current User is empty.
Handle sessions across multiple browser tabs
Handle sessions across multiple browser tabs
Bubble sessions are shared across all tabs in the same browser. If a user logs out in one tab, they are logged out in all tabs. However, the other tabs will not automatically redirect — they still show the page until it refreshes or a 'User login status changes' event fires. To handle this, add a 'User login status changes' workflow on protected pages that redirects to login when the user becomes logged out. This catches cross-tab logout scenarios.
Expected result: When a user logs out in one tab, other tabs detect the change and redirect to the login page.
Set up session timeout behavior
Set up session timeout behavior
Bubble sessions persist indefinitely by default — users stay logged in even after closing the browser. To implement a session timeout, use a 'Do when condition is true' workflow that checks if the user has been inactive for a set period. Store the 'last activity' timestamp in a custom state, update it on page interactions, and compare it to Current date/time. When the difference exceeds your timeout (e.g., 30 minutes), trigger the 'Log the user out' action and redirect to login.
Expected result: Users are automatically logged out after a defined period of inactivity.
Complete working example
1USER SESSION MANAGEMENT — WORKFLOW SUMMARY2=============================================34PROTECTED PAGE REDIRECT:5 Event: Page is loaded6 Condition: Only when Current User is logged out7 Action: Go to page → login89LOGIN PAGE REDIRECT:10 Event: Page is loaded11 Condition: Only when Current User is logged in12 Action: Go to page → dashboard1314CROSS-TAB LOGOUT DETECTION:15 Event: User login status changes16 Condition: Only when Current User is logged out17 Action: Go to page → login1819LOGOUT WORKFLOW:20 Event: Button Log Out is clicked21 Step 1: Log the user out22 Step 2: Go to page → login2324SESSION TIMEOUT (optional):25 Custom state: page → last_activity (date)26 Update on any user interaction27 Event: Do when condition is true28 Condition: Current date/time - last_activity > 30 min29 Actions:30 Step 1: Log the user out31 Step 2: Go to page → login3233PERSONALIZED CONTENT:34 Text: 'Welcome, Current User's first_name'35 Search: Do a search for [Type] where creator = Current User36 Privacy Rules: enforce server-side in Data → PrivacyCommon mistakes when managing User Sessions in Bubble
Why it's a problem: Not redirecting after logging the user out
How to avoid: Always add a 'Go to page' action immediately after 'Log the user out' in your logout workflow
Why it's a problem: Relying only on client-side redirects for page protection
How to avoid: Always set up Privacy Rules in Data tab → Privacy to control data access server-side, in addition to page redirects
Why it's a problem: Not handling the 'User login status changes' event
How to avoid: Add a 'User login status changes' workflow on every protected page that redirects when the user becomes logged out
Best practices
- Add a 'Page is loaded' redirect on every protected page, not just the main dashboard
- Use the 'User login status changes' event for cross-tab session handling
- Always redirect immediately after logging out to prevent broken page states
- Combine client-side redirects with server-side Privacy Rules for true security
- Use Current User's fields directly in dynamic expressions instead of searching for the user
- Consider session timeouts for apps handling sensitive data like finances or health information
- Test session behavior by opening your app in multiple tabs and logging out in one
Still stuck?
Copy one of these prompts to get a personalized, step-by-step explanation.
I'm building a Bubble.io app and need to protect certain pages so only logged-in users can access them. I also want to handle session timeouts after 30 minutes of inactivity. What workflows do I need?
Set up session management for my app. Redirect non-logged-in users from the dashboard to the login page. Add a logout button in the header. Make sure logging out in one tab works across all open tabs.
Frequently asked questions
How long does a Bubble session last by default?
Bubble sessions persist indefinitely by default. Users stay logged in even after closing the browser unless you explicitly log them out or implement a session timeout.
Can I detect which device or browser a user is logged in from?
Bubble does not natively track device or browser information. You would need to capture the user agent string via a plugin and store it in the database.
Is Current User available in backend workflows?
No. Backend workflows run server-side without a logged-in user context. You must pass the user's Unique ID as a parameter and search for the User in the workflow.
Can I force a user to log in on only one device at a time?
Not natively. You can implement this by storing a session token on the User record, updating it on each login, and checking it on page load — logging out if the token does not match.
Can RapidDev help build secure session management for my Bubble app?
Yes. RapidDev can implement complete session management including timeouts, single-device enforcement, role-based page access, and cross-tab synchronization.
Do Privacy Rules replace the need for page-level redirects?
Privacy Rules protect data access but do not prevent users from viewing page layouts. You need both: Privacy Rules for data security and page redirects for UX.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation