WordPress REST cookie churn causes intermittent logout on CiviCRM REST calls
**Summary**
Repeated calls to CiviCRM’s WordPress REST endpoint (/wp-json/civicrm/v3/rest) re-issue WordPress auth cookies on every request, causing session churn and intermittent logout in WP admin.
I've built a small demo.php test (attached) to demonstrate the problem.
I can also reproduce the admin interface being logged out by repeatedly reloading the CiviMobile checklist page, which subsequently logs out the WordPress user.
**Environment**
- WordPress + CiviCRM (WP REST)
**Root Cause**
CiviCRM WP REST plugin logs in a WP user on every REST request (based on CiviCRM api_key), calling wp_set_auth_cookie() each time. This re-issues auth cookies and rotates session tokens on every call, which can invalidate or desync existing admin sessions.
**Exact Code Path**
wp-content/plugins/civicrm/wp-rest/Plugin.php:
do_user_login() → login_wp_user() → wp_set_auth_cookie()
**Why this is problematic**
wp_set_auth_cookie() should only be used when you want to establish or change the browser session. For REST requests authenticated with an api_key, user context is needed, but re-issuing cookies is not. Re-issuing cookies creates conflicting tokens with different path scopes, and because WordPress nonces are derived from the session token (wp_create_nonce() hashes in wp_get_session_token()), every rotation also invalidates the REST nonce the admin page is still holding, so the admin UI can appear logged out.
**Repro**
1. Log into WP admin.
2. Copy the attached demo.php into wp-content
3. Load the page /wp-content/demo.php page
4. Observe that the first call to /wp-json/wp/v2/users/me succeeds (and note that this endpoint sends no Set-Cookie headers, i.e. it does not re-issue the browser's login cookies).
5. Observe that the next call to /wp-json/civicrm/v3/rest outputs Set-Cookie headers whose values change on each request.
6. Observe that the second call to /wp-json/wp/v2/users/me fails because the session has now been invalidated (nonce-related, I believe).
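The same sequence as a scripted client, added here as an example (it is not the attached demo.php and not CiviCRM code). The parsing helpers run offline on constructed Set-Cookie headers; probe() needs a live site and caller-supplied values (base URL, the browser's Cookie header, a wp_rest nonce from the logged-in session, and the CiviCRM site key / user api_key, all hypothetical), and it assumes pretty permalinks and the CiviCRM REST v3 query parameters key and api_key:

```python
# Added example, not the attached demo.php: run the repro sequence and flag
# WordPress auth-cookie churn between responses. Parsing helpers are offline;
# probe() performs the real requests with caller-supplied (hypothetical) values.
import re
import urllib.error
import urllib.parse
import urllib.request

# WordPress auth cookies are wordpress_<hash>, wordpress_sec_<hash> and
# wordpress_logged_in_<hash> (<hash> = md5(siteurl)); the value layout is
# username|expiration|session_token|hmac, with '|' URL-encoded as %7C.
WP_AUTH_COOKIE = re.compile(
    r"^(wordpress_(?:sec_|logged_in_)?[0-9a-f]{32})=([^;]*)(.*)$", re.I)
PATH_ATTR = re.compile(r";\s*path=([^;]+)", re.I)


def parse_wp_auth_cookies(set_cookie_headers):
    """Map (cookie_name, path) -> session token for each WP auth cookie set.

    The same name is issued for several paths (e.g. / and /wp-admin), so the
    path is part of the key. A cleared cookie (value '+') maps to None.
    """
    found = {}
    for header in set_cookie_headers:
        m = WP_AUTH_COOKIE.match(header.strip())
        if not m:
            continue
        name, raw_value, attrs = m.groups()
        path_m = PATH_ATTR.search(attrs)
        path = path_m.group(1).strip() if path_m else "/"
        parts = urllib.parse.unquote(raw_value).split("|")
        found[(name, path)] = parts[2] if len(parts) == 4 else None
    return found


def sets_auth_cookies(set_cookie_headers):
    """True if the response re-issues any WP auth cookie (a REST call should not)."""
    return bool(parse_wp_auth_cookies(set_cookie_headers))


def cookie_churn(before_headers, after_headers):
    """(name, path) pairs whose session token differs between two responses."""
    before = parse_wp_auth_cookies(before_headers)
    after = parse_wp_auth_cookies(after_headers)
    return sorted(k for k, token in after.items() if before.get(k) != token)


def probe(base_url, browser_cookie, rest_nonce, site_key, api_key):
    """users/me, civicrm rest twice, users/me again -> [(url, status, Set-Cookie list)].

    X-WP-Nonce is required for cookie auth on the WP REST API; the nonce must
    come from the same logged-in session (wp_create_nonce('wp_rest')).
    """
    root = base_url.rstrip("/")
    me = root + "/wp-json/wp/v2/users/me"
    civi = root + "/wp-json/civicrm/v3/rest?" + urllib.parse.urlencode(
        {"entity": "Contact", "action": "get", "json": "1",
         "key": site_key, "api_key": api_key})
    results = []
    for url in (me, civi, civi, me):
        req = urllib.request.Request(
            url, headers={"Cookie": browser_cookie, "X-WP-Nonce": rest_nonce})
        try:
            with urllib.request.urlopen(req) as resp:
                results.append((url, resp.status, resp.headers.get_all("Set-Cookie") or []))
        except urllib.error.HTTPError as err:
            results.append((url, err.code, err.headers.get_all("Set-Cookie") or []))
    return results


def report(results):
    """Per call: (url, status, re-issues auth cookies?, cookies whose token changed
    versus the previous cookie-setting call)."""
    summary, prev = [], []
    for url, status, hdrs in results:
        issued = sets_auth_cookies(hdrs)
        changed = len(cookie_churn(prev, hdrs)) if issued else 0
        summary.append((url, status, issued, changed))
        if issued:
            prev = hdrs
    return summary


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 6:
        sys.exit("usage: probe.py BASE_URL 'COOKIE_HEADER' REST_NONCE SITE_KEY API_KEY")
    for row in report(probe(*sys.argv[1:])):
        print(row)
```

On an affected site the two civicrm/v3/rest rows show issued=True with a non-zero changed count, and the final users/me row comes back 401/403 because the browser's nonce no longer matches the rotated session token; the users/me rows should always show issued=False.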
**Repro (CiviMobile)**
1. Log into WP Admin
2. go to CiviMobile Checklist
3. Reload the screen several times
4. User is logged out
**Suggested Fix**
Remove the wp_set_auth_cookie() call in wp-content/plugins/civicrm/wp-rest/Plugin.php. The user context the REST request needs can be established without touching the browser session (wp_set_current_user() alone is sufficient for an api_key-authenticated call).
**Mitigation (temporary fix in an mu-plugin):**
```php
// Drop into wp-content/mu-plugins/ (any file name). Prevents CiviCRM REST
// requests from re-issuing WP auth cookies, which causes intermittent logouts.
add_filter('send_auth_cookies', function ($send) {
    if (defined('REST_REQUEST') && REST_REQUEST) {
        // Use the route WP resolved, which covers both /wp-json/civicrm/v3/rest
        // and ?rest_route=/civicrm/v3/rest; fall back to the raw URI if unset.
        $route = $GLOBALS['wp']->query_vars['rest_route'] ?? ($_SERVER['REQUEST_URI'] ?? '');
        if (strpos($route, '/civicrm/v3/rest') !== false) {
            return false; // suppress Set-Cookie for this request only
        }
    }
    return $send;
}, 10, 1);
```
Caveat: this filter only suppresses the Set-Cookie headers. By the time it runs, wp_set_auth_cookie() has already created a fresh session token in the user's meta, so each REST call still adds a token until it expires; removing the call in Plugin.php remains the real fix.
[demo.php](/uploads/1d51657d83fc3852c12cc0c76316867d/demo.php)