ChatGPT Login Loop — Signed In, Bounced Back to Login (2026 Fix)

Credentials and SSO succeed but the page bounces back to login or the Cloudflare check. 90% of the time it's cookies, a rotating VPN IP, or a stale session. Here's the exact order to fix it.

A “login loop” means your credentials or SSO already passed OpenAI’s authentication, but the browser can’t complete the session handshake. The cookie gets written, the next request can’t read it (or it’s overwritten, or a proxy strips it), so /api/auth/session returns empty and the UI bounces you back to /auth/login, or to a “Verify you are human” Cloudflare check that never finishes. The loop is almost always browser- or network-side, not bad credentials.

TL;DR

  • The session your browser must keep is __Secure-next-auth.session-token on chatgpt.com. If it never lands, you loop. Sessions last about 30 days, so a clean login should stick.
  • Fastest triage: open an Incognito/Private window and try once. Works there = your normal profile (cookies or an extension). Loops there too = network, clock, or a rotating VPN IP.
  • Top causes as of June 2026: (1) leftover/corrupt OpenAI cookies, (2) a VPN or proxy that rotates the exit IP mid-flight or strips the HTTP Referer, (3) a privacy extension blocking the auth callback, (4) a broken Sign in with Apple / Hide My Email relay if that’s how you signed up.
  • Note: Chrome does not block third-party cookies by default anymore (Google dropped that plan in 2025), but Safari and Firefox still do, and Chrome’s Incognito still does.

Which bucket are you in?

What you seeMost likely bucketJump to
Enter password, page flashes, back to /auth/loginStale/corrupt cookies or cross-site blockingStep 2, Step 4
”Verify you are human” Cloudflare check loops foreverRotating VPN IP, blocked Referer, or wrong clockStep 3, Step 6
”Continue with Apple” dumps you back, no errorSign in with Apple / Hide My Email relayStep 9
Works in Incognito, loops in your normal profileExtension or profile cookiesStep 2, Step 5
Loops everywhere, every browser, even on phoneAccount-side or OpenAI incidentStep 8

Common causes

1. Stale or corrupt OpenAI cookies

The single most common trigger. An old __Secure-next-auth.session-token from a previous account, or a half-written token from an interrupted login, makes the server reject or de-duplicate your new session and the in-memory state shows the wrong user.

How to judge: DevTools (F12) → Application → Cookies → chatgpt.com. After a login attempt, look for a missing, duplicate, or ancient-timestamp __Secure-next-auth.* entry.

2. VPN / residential proxy rotates exit IP each request

The fastest-growing cause in 2026, because it surfaces as the Cloudflare “Verify you are human” check looping rather than a clean login bounce. Cloudflare re-evaluates risk on each request; if the exit IP changes mid-challenge, the challenge never “persists” and you get re-checked forever. Rotating residential pools and high-density shared VPN IPs both trigger this; those addresses sit in a permanent low-trust state.

A second, less obvious VPN trigger: some clients strip the HTTP Referer header (PIA’s “Block HTTP referrer header” toggle is a documented offender). Cloudflare’s challenge expects a referrer on the callback; with it blanked, the check loops looking for a header it never gets. If your VPN has a privacy toggle for the referrer, turn it off for chatgpt.com.

How to judge: turn the VPN off and try again. Or refresh whatismyipaddress.com several times; a different IP each refresh means it’s rotating.

The session cookie set on auth.openai.com is read back on chatgpt.com. Browsers that block cross-site cookies can drop it. This is not universal anymore — it depends on the browser:

Browser (June 2026)Third-party cookies blocked by default?Notes
Chrome (normal window)NoGoogle cancelled the deprecation in 2025; controls live in Settings
Chrome IncognitoYesBlocked by default — a common “only loops in Incognito” cause
SafariYesIntelligent Tracking Prevention is on by default
FirefoxYes (Strict)Enhanced Tracking Protection “Strict” blocks them; “Standard” usually doesn’t
BraveYesShields block cross-site cookies by default

How to judge: DevTools → Application → Cookies → chatgpt.com right after login. If __Secure-next-auth.session-token is absent in Safari/Firefox-Strict/Brave but present in Chrome, cross-site blocking is your culprit.

4. Privacy extension blocks the auth callback

uBlock Origin (with the EasyPrivacy list), Privacy Badger, Ghostery, NoScript, and Brave Shields occasionally block auth.openai.com/u/login/callback or chatgpt.com/api/auth/callback/*.

How to judge: DevTools → Network → reproduce the login → look for the callback request showing (blocked:other) or net::ERR_BLOCKED_BY_CLIENT.

5. System clock skew of more than a few minutes

Signed cookies (JWT) carry iat / exp. If your local clock is more than ~5 minutes off, the cookie arrives “already expired,” and a wrong clock also breaks TLS validation so the Cloudflare challenge won’t stick.

How to judge: Mac → System Settings → General → Date & Time → “Set time automatically” should be ON.

6. Hosts file pinning chatgpt.com elsewhere

Rare but fatal. Some corporate or school setups point chatgpt.com at an internal proxy. The cookie is written against the proxy’s internal IP, and the public IP can’t read it.

How to judge: Terminal cat /etc/hosts | grep -i openai (Mac/Linux), or open C:\Windows\System32\drivers\etc\hosts (Windows).

7. Sign in with Apple / Hide My Email relay broke

Only relevant if you originally signed up with Continue with Apple and picked “Hide My Email.” Your account is tied to a relay address like abc123@privaterelay.appleid.com, not your real email. When the Apple token expires or the relay is disabled, “Continue with Apple” loads and silently dumps you back to the login screen with no error. Trying to log in with your personal email or a password reset instead opens a different, empty account, which deepens the confusion.

How to judge: the bounce happens specifically on the Continue with Apple path, and you remember choosing Hide My Email at signup. Check Apple ID settings for the forwarding state of that relay address.

Shortest path to fix

Do these in order. 90% resolve at Step 1 or 2.

Step 1: Triage with an Incognito window

Mac:   Cmd + Shift + N (Chrome) / Cmd + Shift + N (Safari)
Win:   Ctrl + Shift + N

Incognito works = cookies or an extension in your regular profile (continue Steps 2–4). Incognito also loops = network, clock, or system (jump to Steps 5–7).

Step 2: Nuke all OpenAI-domain cookies

DevTools (F12) → Application → Storage → Cookies, delete everything for:

chatgpt.com         all
openai.com          all
auth.openai.com     all
auth0.openai.com    all (if present)

Or use Settings → Privacy → “Clear browsing data,” scoped to chatgpt.com / openai.com. Then log in fresh.

Step 3: Disconnect VPN / proxy (do this early if Incognito also looped)

Try on your home network directly with no VPN. If login succeeds, the rotating exit IP was the trigger. If you must keep a VPN, switch to a dedicated static IP exit — never a rotating residential pool. Pausing the VPN for ~5 minutes before retrying gives Cloudflare time to re-evaluate your real IP.

Step 4: Allow cross-site cookies (Safari / Firefox / Brave)

Chrome:  chrome://settings/cookies → "Allowed to use third-party cookies" → Add:
         [*.]openai.com
         [*.]chatgpt.com

Safari → uncheck “Prevent cross-site tracking.” Firefox → set Enhanced Tracking Protection to Standard (or add an exception). Brave → lower Shields for the site. Details: Cookies blocked login.

Step 5: Disable extensions one at a time

chrome://extensions → turn all off → log in → re-enable one by one

Incognito disables extensions by default, so if Incognito worked in Step 1, you already know an extension is the offender; re-enable them one at a time to find it. Usual suspects: uBlock Origin, Privacy Badger, Ghostery, Brave Shields, NoScript. Also check VPN browser extensions for a “block HTTP referrer” or “block tracking” toggle and turn it off for chatgpt.com (this specifically feeds the Cloudflare loop).

Step 6: Verify the system clock

Mac:   Apple menu → System Settings → General → Date & Time → "Set time automatically" ON
Win:   Settings → Time & language → Date & time → "Set time automatically" ON
Linux: timedatectl status   (set with: sudo timedatectl set-ntp true)

Most likely to have drifted: just came off airplane mode, just crossed time zones, or a dual-boot machine.

Step 7: Check the hosts file

cat /etc/hosts | grep -iE 'openai|chatgpt'

Non-empty output means someone redirected the domain. Delete that line (needs sudo), then restart the browser.

Step 8: Still failing? Check OpenAI status

Open status.openai.com and find “ChatGPT” and “Authentication.” Anything not green is an OpenAI-side incident; wait it out rather than chasing local fixes.

Step 9: If you used “Continue with Apple,” stay on that path

Only relevant for Apple sign-ups. Keep using Continue with Apple with the same Apple ID you signed up with; do not switch to email + password or a password reset, which opens a different (empty) account. If “Continue with Apple” keeps bouncing:

iPhone:  Settings → [your name] → Sign in with Apple → chat.openai.com / ChatGPT
macOS:   System Settings → [your name] → Sign in with Apple → ChatGPT

Confirm the Hide My Email forwarding for that app is on. If it’s off or the relay was deleted, re-enable forwarding, then retry. If the relay is gone for good, contact OpenAI support from the email tied to the account rather than creating a new one.

How to confirm it’s fixed

After a clean login, verify the session actually persisted instead of just looking logged in:

  1. Open DevTools (F12) → Application → Cookies → chatgpt.com. You should see a single __Secure-next-auth.session-token with a future expiry (~30 days out), Secure and HttpOnly flagged.
  2. Visit chatgpt.com/api/auth/session directly. A logged-in session returns a JSON object with your user email; an empty {} means the session still didn’t stick.
  3. Hard-refresh (Cmd/Ctrl + Shift + R) and close/reopen the tab. If you stay logged in across a full reload, the handshake held.

Prevention

  • One browser profile per ChatGPT account — don’t mix work and personal in the same profile.
  • Swap accounts often? Use Chrome multi-profile or Firefox container tabs instead of clearing cookies each time.
  • Pick a VPN with a dedicated static IP; rotating residential is the number-one loop trigger.
  • Don’t set “clear cookies on quit” for openai.com — you’ll re-trigger the loop next session.
  • Keep “set time automatically” on, and re-check it after travel or a dual-boot session.
  • On corporate or school machines, confirm whether IT modified hosts or installed a TLS proxy before chasing browser fixes.

FAQ

Why does ChatGPT keep sending me back to the login page after I sign in?

The credentials passed, but your browser never persisted the __Secure-next-auth.session-token cookie on chatgpt.com, so the next request looks logged-out. The usual causes are leftover/corrupt cookies, a privacy extension blocking the auth callback, or cross-site cookie blocking in Safari/Firefox-Strict/Brave. Clear OpenAI cookies and retry in Incognito first.

Is the “Verify you are human” Cloudflare loop the same problem?

It’s the same family. Cloudflare re-checks risk on every request, and a VPN or proxy that rotates its exit IP mid-challenge makes the check never stick, so it loops. Pause the VPN for about five minutes, reload, and it usually clears. A wrong system clock can also break the TLS validation behind the challenge.

Does clearing cookies log me out of my other devices?

No. Clearing cookies in one browser only ends the session in that browser. Your phone app and other browsers keep their own __Secure-next-auth.session-token, which lasts roughly 30 days before it needs a re-login.

I can log in on my phone but not my laptop — what’s different?

Your phone uses a different network (often cellular, with a clean IP) and a fresh app session, so it sidesteps a rotating-VPN IP, a desktop privacy extension, or a corrupt desktop cookie. That split confirms the problem is local to the laptop browser, not your account.

”Continue with Apple” loops but email login seems to work — which account is mine?

If you originally signed up with Sign in with Apple and chose Hide My Email, your real account is tied to an @privaterelay.appleid.com address, and only the Apple path reaches it. Logging in with your personal email opens a separate, empty account, which is why it “works” but shows none of your history or subscription. Stay on Continue with Apple with the same Apple ID, and make sure Hide My Email forwarding is on for ChatGPT.

Is a login loop ever a sign my account is banned or compromised?

Rarely. A ban or security hold shows a specific message (“Your account has been deactivated” or a verification email prompt), not a silent bounce. A silent loop is a session-handshake failure. If you also can’t log in from a clean device on a clean network, then check email for an OpenAI security notice.

External references: OpenAI status page · Google’s third-party cookie decision (Privacy Sandbox)

Tags: #ChatGPT #ChatGPT account #Troubleshooting #Debug #Login loop