DefaultRememberMeService rejects sessions from local reverse proxy


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Bitbucket Server can be configured to remember user sessions so that requests received from the same IP address do not require re-authentication. If a reverse proxy is involved, the address that must match is the client IP plus the proxy IP. This works as long as both the client IP and the proxy IP remain constant. However, the proxy may forward from a different IP because of hostname resolution. When the proxy IP changes, the session is rejected, as expected.

Diagnosis

The log message below can be found in $BITBUCKET_HOME/log/atlassian-bitbucket.log:

2021-04-05 22:32:24,357 INFO http-nio-7990-exec-385 192.168.10.32,0:0:0:0:0:0:0:1 "GET /projects/PROJ1/repos/REPO/browse HTTP/1.0" c.a.s.i.a.DefaultRememberMeService Remember-me token detected for series '8fae4af1c41335e0bb51c03bebb24a0b3ce7e6d1' for user 'username' (used from '192.168.10.32,127.0.0.1'). Current request is from a different address ('192.168.10.32,0:0:0:0:0:0:0:1')! As a safety precaution, all (3) tokens from that series have been canceled.

Note that the client IP is the same, but the forwarded proxy IP is either 127.0.0.1 or 0:0:0:0:0:0:0:1.
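
To triage these entries in bulk, the following added example (not Atlassian code) parses the rejection message and separates rejections where only the loopback form of a hop differs from those where some other address in the chain changed. The function names and verdict labels are assumptions made for this example, and the second sample line is constructed.

```python
import ipaddress
import re

# Fields of the DefaultRememberMeService rejection message shown above.
REJECTION = re.compile(
    r"DefaultRememberMeService Remember-me token detected for series "
    r"'(?P<series>[^']+)' for user '(?P<user>[^']+)' "
    r"\(used from '(?P<old>[^']+)'\)\. "
    r"Current request is from a different address \('(?P<new>[^']+)'\)"
)

def normalize(chain):
    """Split a 'client,proxy' chain and collapse any loopback hop to one label."""
    hops = []
    for hop in (h.strip() for h in chain.split(",")):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            hops.append(hop)  # not an IP literal: compare verbatim
            continue
        hops.append("loopback" if addr.is_loopback else addr.compressed)
    return hops

def classify(line):
    m = REJECTION.search(line)
    if m is None:
        return None  # unrelated log line
    benign = normalize(m["old"]) == normalize(m["new"])
    return {
        "user": m["user"],
        "series": m["series"],
        "verdict": "loopback-mismatch" if benign else "address-changed",
    }

# Message text from the log entry above, then a constructed entry with a different client hop.
SAMPLES = [
    "c.a.s.i.a.DefaultRememberMeService Remember-me token detected for series "
    "'8fae4af1c41335e0bb51c03bebb24a0b3ce7e6d1' for user 'username' "
    "(used from '192.168.10.32,127.0.0.1'). Current request is from a different "
    "address ('192.168.10.32,0:0:0:0:0:0:0:1')!",
    "c.a.s.i.a.DefaultRememberMeService Remember-me token detected for series "
    "'constructed-series' for user 'username' (used from '192.168.10.32,127.0.0.1'). "
    "Current request is from a different address ('192.168.10.77,127.0.0.1')!",
]

if __name__ == "__main__":
    for entry in SAMPLES:
        print(classify(entry))
```

Entries classified as loopback-mismatch match the cause described in this article; address-changed entries are rejections where a non-loopback hop differs and are not explained by it.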

Cause

Both the IPv4 address 127.0.0.1 and the IPv6 address 0:0:0:0:0:0:0:1 refer to localhost, so we would like Bitbucket not to reject the session. The reverse proxy should use only one address for localhost.

In this instance the reverse proxy, nginx, is installed locally and is configured to redirect traffic to port 7990.

proxy_pass http://localhost:7990;

The /etc/hosts file contains multiple definitions for localhost, so localhost can reasonably resolve to either address.

127.0.0.1 localhost
::1 localhost


Solution

The easiest fix is to ensure that the local reverse proxy forwards using the same IP address. Example:

proxy_pass http://127.0.0.1:7990;



Last modified on Jun 21, 2021
