Yes that is true. The way the TrayIcon works is by issuing a Signin token for itself, and then opening the page with the signin token in the url (as a query string).
The signin.html page has a small piece of Javascript that pulls the token from the url, pastes it into the “Signin token” text field, and submits the form (yes, very crude, but requires no support libraries).
Could it be that something prevents javascript from running on that page? You should be able to see the token in the address bar of the browser, and you can copy-n-paste the token yourself.
If there is no token in the url, you have disabled either tray icon login (as suggested by @ts678 ) or disabled signin tokens. In this case you should instead be redirected to a login.html page, which requires a password.
You can (re-)set the password from the commandline with --webservice-password=<new password>, and the new password survives reboots/restarts.