A “login loop” means your credentials or SSO already passed OpenAI’s authentication, but the browser can’t complete the session handshake. The cookie gets written, the next request can’t read it (or it’s overwritten, or a proxy strips it), so /api/auth/session returns empty and the UI bounces you back to /auth/login, or to a “Verify you are human” Cloudflare check that never finishes. The loop is almost always browser- or network-side, not bad credentials.
TL;DR
- The session your browser must keep is
__Secure-next-auth.session-tokenonchatgpt.com. If it never lands, you loop. Sessions last about 30 days, so a clean login should stick. - Fastest triage: open an Incognito/Private window and try once. Works there = your normal profile (cookies or an extension). Loops there too = network, clock, or a rotating VPN IP.
- Top causes as of June 2026: (1) leftover/corrupt OpenAI cookies, (2) a VPN or proxy that rotates the exit IP mid-flight or strips the HTTP
Referer, (3) a privacy extension blocking the auth callback, (4) a broken Sign in with Apple / Hide My Email relay if that’s how you signed up. - Note: Chrome does not block third-party cookies by default anymore (Google dropped that plan in 2025), but Safari and Firefox still do, and Chrome’s Incognito still does.
Which bucket are you in?
| What you see | Most likely bucket | Jump to |
|---|---|---|
Enter password, page flashes, back to /auth/login | Stale/corrupt cookies or cross-site blocking | Step 2, Step 4 |
| ”Verify you are human” Cloudflare check loops forever | Rotating VPN IP, blocked Referer, or wrong clock | Step 3, Step 6 |
| ”Continue with Apple” dumps you back, no error | Sign in with Apple / Hide My Email relay | Step 9 |
| Works in Incognito, loops in your normal profile | Extension or profile cookies | Step 2, Step 5 |
| Loops everywhere, every browser, even on phone | Account-side or OpenAI incident | Step 8 |
Common causes
1. Stale or corrupt OpenAI cookies
The single most common trigger. An old __Secure-next-auth.session-token from a previous account, or a half-written token from an interrupted login, makes the server reject or de-duplicate your new session and the in-memory state shows the wrong user.
How to judge: DevTools (F12) → Application → Cookies → chatgpt.com. After a login attempt, look for a missing, duplicate, or ancient-timestamp __Secure-next-auth.* entry.
2. VPN / residential proxy rotates exit IP each request
The fastest-growing cause in 2026, because it surfaces as the Cloudflare “Verify you are human” check looping rather than a clean login bounce. Cloudflare re-evaluates risk on each request; if the exit IP changes mid-challenge, the challenge never “persists” and you get re-checked forever. Rotating residential pools and high-density shared VPN IPs both trigger this; those addresses sit in a permanent low-trust state.
A second, less obvious VPN trigger: some clients strip the HTTP Referer header (PIA’s “Block HTTP referrer header” toggle is a documented offender). Cloudflare’s challenge expects a referrer on the callback; with it blanked, the check loops looking for a header it never gets. If your VPN has a privacy toggle for the referrer, turn it off for chatgpt.com.
How to judge: turn the VPN off and try again. Or refresh whatismyipaddress.com several times; a different IP each refresh means it’s rotating.
3. Third-party cookie blocking (browser-specific)
The session cookie set on auth.openai.com is read back on chatgpt.com. Browsers that block cross-site cookies can drop it. This is not universal anymore — it depends on the browser:
| Browser (June 2026) | Third-party cookies blocked by default? | Notes |
|---|---|---|
| Chrome (normal window) | No | Google cancelled the deprecation in 2025; controls live in Settings |
| Chrome Incognito | Yes | Blocked by default — a common “only loops in Incognito” cause |
| Safari | Yes | Intelligent Tracking Prevention is on by default |
| Firefox | Yes (Strict) | Enhanced Tracking Protection “Strict” blocks them; “Standard” usually doesn’t |
| Brave | Yes | Shields block cross-site cookies by default |
How to judge: DevTools → Application → Cookies → chatgpt.com right after login. If __Secure-next-auth.session-token is absent in Safari/Firefox-Strict/Brave but present in Chrome, cross-site blocking is your culprit.
4. Privacy extension blocks the auth callback
uBlock Origin (with the EasyPrivacy list), Privacy Badger, Ghostery, NoScript, and Brave Shields occasionally block auth.openai.com/u/login/callback or chatgpt.com/api/auth/callback/*.
How to judge: DevTools → Network → reproduce the login → look for the callback request showing (blocked:other) or net::ERR_BLOCKED_BY_CLIENT.
5. System clock skew of more than a few minutes
Signed cookies (JWT) carry iat / exp. If your local clock is more than ~5 minutes off, the cookie arrives “already expired,” and a wrong clock also breaks TLS validation so the Cloudflare challenge won’t stick.
How to judge: Mac → System Settings → General → Date & Time → “Set time automatically” should be ON.
6. Hosts file pinning chatgpt.com elsewhere
Rare but fatal. Some corporate or school setups point chatgpt.com at an internal proxy. The cookie is written against the proxy’s internal IP, and the public IP can’t read it.
How to judge: Terminal cat /etc/hosts | grep -i openai (Mac/Linux), or open C:\Windows\System32\drivers\etc\hosts (Windows).
7. Sign in with Apple / Hide My Email relay broke
Only relevant if you originally signed up with Continue with Apple and picked “Hide My Email.” Your account is tied to a relay address like abc123@privaterelay.appleid.com, not your real email. When the Apple token expires or the relay is disabled, “Continue with Apple” loads and silently dumps you back to the login screen with no error. Trying to log in with your personal email or a password reset instead opens a different, empty account, which deepens the confusion.
How to judge: the bounce happens specifically on the Continue with Apple path, and you remember choosing Hide My Email at signup. Check Apple ID settings for the forwarding state of that relay address.
Shortest path to fix
Do these in order. 90% resolve at Step 1 or 2.
Step 1: Triage with an Incognito window
Mac: Cmd + Shift + N (Chrome) / Cmd + Shift + N (Safari)
Win: Ctrl + Shift + N
Incognito works = cookies or an extension in your regular profile (continue Steps 2–4). Incognito also loops = network, clock, or system (jump to Steps 5–7).
Step 2: Nuke all OpenAI-domain cookies
DevTools (F12) → Application → Storage → Cookies, delete everything for:
chatgpt.com all
openai.com all
auth.openai.com all
auth0.openai.com all (if present)
Or use Settings → Privacy → “Clear browsing data,” scoped to chatgpt.com / openai.com. Then log in fresh.
Step 3: Disconnect VPN / proxy (do this early if Incognito also looped)
Try on your home network directly with no VPN. If login succeeds, the rotating exit IP was the trigger. If you must keep a VPN, switch to a dedicated static IP exit — never a rotating residential pool. Pausing the VPN for ~5 minutes before retrying gives Cloudflare time to re-evaluate your real IP.
Step 4: Allow cross-site cookies (Safari / Firefox / Brave)
Chrome: chrome://settings/cookies → "Allowed to use third-party cookies" → Add:
[*.]openai.com
[*.]chatgpt.com
Safari → uncheck “Prevent cross-site tracking.” Firefox → set Enhanced Tracking Protection to Standard (or add an exception). Brave → lower Shields for the site. Details: Cookies blocked login.
Step 5: Disable extensions one at a time
chrome://extensions → turn all off → log in → re-enable one by one
Incognito disables extensions by default, so if Incognito worked in Step 1, you already know an extension is the offender; re-enable them one at a time to find it. Usual suspects: uBlock Origin, Privacy Badger, Ghostery, Brave Shields, NoScript. Also check VPN browser extensions for a “block HTTP referrer” or “block tracking” toggle and turn it off for chatgpt.com (this specifically feeds the Cloudflare loop).
Step 6: Verify the system clock
Mac: Apple menu → System Settings → General → Date & Time → "Set time automatically" ON
Win: Settings → Time & language → Date & time → "Set time automatically" ON
Linux: timedatectl status (set with: sudo timedatectl set-ntp true)
Most likely to have drifted: just came off airplane mode, just crossed time zones, or a dual-boot machine.
Step 7: Check the hosts file
cat /etc/hosts | grep -iE 'openai|chatgpt'
Non-empty output means someone redirected the domain. Delete that line (needs sudo), then restart the browser.
Step 8: Still failing? Check OpenAI status
Open status.openai.com and find “ChatGPT” and “Authentication.” Anything not green is an OpenAI-side incident; wait it out rather than chasing local fixes.
Step 9: If you used “Continue with Apple,” stay on that path
Only relevant for Apple sign-ups. Keep using Continue with Apple with the same Apple ID you signed up with; do not switch to email + password or a password reset, which opens a different (empty) account. If “Continue with Apple” keeps bouncing:
iPhone: Settings → [your name] → Sign in with Apple → chat.openai.com / ChatGPT
macOS: System Settings → [your name] → Sign in with Apple → ChatGPT
Confirm the Hide My Email forwarding for that app is on. If it’s off or the relay was deleted, re-enable forwarding, then retry. If the relay is gone for good, contact OpenAI support from the email tied to the account rather than creating a new one.
How to confirm it’s fixed
After a clean login, verify the session actually persisted instead of just looking logged in:
- Open DevTools (F12) → Application → Cookies →
chatgpt.com. You should see a single__Secure-next-auth.session-tokenwith a future expiry (~30 days out),SecureandHttpOnlyflagged. - Visit
chatgpt.com/api/auth/sessiondirectly. A logged-in session returns a JSON object with youruseremail; an empty{}means the session still didn’t stick. - Hard-refresh (Cmd/Ctrl + Shift + R) and close/reopen the tab. If you stay logged in across a full reload, the handshake held.
Prevention
- One browser profile per ChatGPT account — don’t mix work and personal in the same profile.
- Swap accounts often? Use Chrome multi-profile or Firefox container tabs instead of clearing cookies each time.
- Pick a VPN with a dedicated static IP; rotating residential is the number-one loop trigger.
- Don’t set “clear cookies on quit” for
openai.com— you’ll re-trigger the loop next session. - Keep “set time automatically” on, and re-check it after travel or a dual-boot session.
- On corporate or school machines, confirm whether IT modified
hostsor installed a TLS proxy before chasing browser fixes.
FAQ
Why does ChatGPT keep sending me back to the login page after I sign in?
The credentials passed, but your browser never persisted the __Secure-next-auth.session-token cookie on chatgpt.com, so the next request looks logged-out. The usual causes are leftover/corrupt cookies, a privacy extension blocking the auth callback, or cross-site cookie blocking in Safari/Firefox-Strict/Brave. Clear OpenAI cookies and retry in Incognito first.
Is the “Verify you are human” Cloudflare loop the same problem?
It’s the same family. Cloudflare re-checks risk on every request, and a VPN or proxy that rotates its exit IP mid-challenge makes the check never stick, so it loops. Pause the VPN for about five minutes, reload, and it usually clears. A wrong system clock can also break the TLS validation behind the challenge.
Does clearing cookies log me out of my other devices?
No. Clearing cookies in one browser only ends the session in that browser. Your phone app and other browsers keep their own __Secure-next-auth.session-token, which lasts roughly 30 days before it needs a re-login.
I can log in on my phone but not my laptop — what’s different?
Your phone uses a different network (often cellular, with a clean IP) and a fresh app session, so it sidesteps a rotating-VPN IP, a desktop privacy extension, or a corrupt desktop cookie. That split confirms the problem is local to the laptop browser, not your account.
”Continue with Apple” loops but email login seems to work — which account is mine?
If you originally signed up with Sign in with Apple and chose Hide My Email, your real account is tied to an @privaterelay.appleid.com address, and only the Apple path reaches it. Logging in with your personal email opens a separate, empty account, which is why it “works” but shows none of your history or subscription. Stay on Continue with Apple with the same Apple ID, and make sure Hide My Email forwarding is on for ChatGPT.
Is a login loop ever a sign my account is banned or compromised?
Rarely. A ban or security hold shows a specific message (“Your account has been deactivated” or a verification email prompt), not a silent bounce. A silent loop is a session-handshake failure. If you also can’t log in from a clean device on a clean network, then check email for an OpenAI security notice.
Related reading
- ChatGPT login failed
- Cookies blocked causing login failure
- Session expired repeatedly
- Blank screen after login
- Login works in one browser only
External references: OpenAI status page · Google’s third-party cookie decision (Privacy Sandbox)
Tags: #ChatGPT #ChatGPT account #Troubleshooting #Debug #Login loop