NextCloud stays logged in #11325

Closed
NickCloudAT opened this issue Sep 23, 2018 · 9 comments
Comments

@NickCloudAT

Steps to reproduce

  1. Login to NextCloud
  2. Close Browser
  3. Open Browser and head to NextCloud

Expected behaviour

Login screen should come up

Actual behaviour

I'm still logged into my account even though there is no checkbox for "stay logged in" or anything like that, and I also set `'remember_login_cookie_lifetime' =>` to 1.

Server configuration

Operating system: Ubuntu 16.04

Web server: Apache2

Database: MySQL

PHP version: 7.0

Nextcloud version: 14.0.0

Updated from an older Nextcloud/ownCloud or fresh install: Fresh

Where did you install Nextcloud from: Official Nextcloud page

**Signing status:**
<details>
<summary>Signing status</summary>
"No errors have been found."
</details>

**List of activated apps:**
<details>
<summary>App list</summary>
https://pastebin.com/zusEE8Mg

</details>

**Nextcloud configuration:**
<details>
<summary>Config report</summary>

https://pastebin.com/rn9UEEdq
</details>

**Are you using external storage, if yes which one:** Only the app is active, but not in use

**Are you using encryption:** No

**Are you using an external user-backend, if yes which one:** None


### Client configuration
**Browser:** Edge/Opera/Chrome

**Operating system:** Windows 10


#### Nextcloud log (data/nextcloud.log)
<details>
<summary>Nextcloud log</summary>

https://pastebin.com/QYNYBKNz

</details>

@nextcloud-bot
Member

GitMate.io thinks possibly related issues are #9460 (Nextcloud stays logged in even if "Stay logged" is not checked), #3345 (Wrong time in nextcloud.log), #10941 (Nextcloud customiztion), #3562 (mdecrypt_generic spam in nextcloud log), and #5405 (Nextcloud / direct_menu).

@nexus186

nexus186 commented Sep 23, 2018

I have the same problem, I even added 'session_lifetime' => 600 (5 minutes?) to the config and it didn't work.
I logged in, left the browser open, and went away for about 12 hours. When I came back and reload the page, the session was still active. This is not very secure (maybe there is another setting?).

I noticed that it's doing a POST request every minute or so to get notifications which is probably what is keeping the session alive.

Perhaps there should be some kind of throttle/threshold and the "heartbeat" should be sent if the mouse cursor was last active (onmouseover on document).

@TomTurnschuh

@nexus186: The option you're looking for is called session_keepalive. It is defined in the config file and defaults to true.

@NickCloudAT
Author

> @nexus186: The option you're looking for is called session_keepalive. It is defined in the config file and defaults to true.

Well I now set this into my config:

```php
'session_keepalive' => false,
'session_lifetime' => 600,
'remember_login_cookie_lifetime' => 0,
```

That works for me when closing the browser to get logged out.
But why is there not a checkbox for staying logged in but rather is it automatically the thing??
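A way to confirm on the client side that `remember_login_cookie_lifetime => 0` took effect is to inspect the `Set-Cookie` headers of the login response: a cookie carrying `Expires` or `Max-Age` survives a browser restart, one without either attribute is discarded when the browser closes. The following is an added example written for this page, not Nextcloud's own code and not posted by anyone in the thread; it parses such headers and flags persistent cookies and missing `Secure`/`HttpOnly` attributes. The cookie names and the sample header values are constructed for illustration, not taken from the Nextcloud source.

```javascript
// Added example (not Nextcloud code): classify Set-Cookie headers from a
// login response as session-scoped (dropped when the browser closes) or
// persistent (survives a browser restart). A "remember me" cookie is by
// nature persistent, so after hardening none of the login cookies should be.

function parseSetCookie(headerValue) {
  // "name=value; Attr1=v1; Attr2; ..." -- attribute names are case-insensitive
  const parts = headerValue.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  // RFC 6265: Max-Age takes precedence over Expires; either one makes the
  // cookie persistent. Without both it lives only for the browser session.
  let persistent = false;
  let lifetimeSeconds = null;
  if (attrs['max-age'] !== undefined) {
    lifetimeSeconds = parseInt(attrs['max-age'], 10);
    persistent = true;
  } else if (attrs['expires'] !== undefined) {
    persistent = true;
  }
  return {
    name,
    value,
    persistent,
    lifetimeSeconds,
    secure: attrs['secure'] === true,
    httpOnly: attrs['httponly'] === true,
    sameSite: attrs['samesite'] || null,
  };
}

// Report every cookie that would outlive the browser session, plus any
// cookie that lacks the flags a session or remember-me cookie should carry.
function auditLoginCookies(setCookieHeaders) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const c = parseSetCookie(header);
    if (c.persistent) findings.push(`${c.name}: persistent (survives browser close)`);
    if (!c.secure) findings.push(`${c.name}: missing Secure`);
    if (!c.httpOnly) findings.push(`${c.name}: missing HttpOnly`);
  }
  return findings;
}

// Constructed sample headers (assumed cookie names; not captured from a real
// server). The first set models a login with a remember-me cookie pair, the
// second a login after the remember-me cookie has been disabled.
const SAMPLE_DEFAULT = [
  'nc_session_id=abc; Path=/; Secure; HttpOnly; SameSite=Lax',
  'nc_username=alice; Expires=Mon, 08 Oct 2018 12:00:00 GMT; Path=/; Secure; HttpOnly',
  'nc_token=deadbeef; Max-Age=1296000; Path=/; Secure; HttpOnly',
];
const SAMPLE_HARDENED = [
  'nc_session_id=abc; Path=/; Secure; HttpOnly; SameSite=Lax',
];

console.log(auditLoginCookies(SAMPLE_DEFAULT));   // two persistent cookies flagged
console.log(auditLoginCookies(SAMPLE_HARDENED));  // empty: nothing survives browser close
```

To run it against a real instance, feed `auditLoginCookies` the `Set-Cookie` values from the login POST (for example from `curl -i` output); an empty findings list means the server set no persistent cookie and the session ends when the browser closes.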

@TomTurnschuh

TomTurnschuh commented Sep 23, 2018

> But why is there not a checkbox for staying logged in but rather is it automatically the thing??

Well, it's not up to me to give an answer on that question. :-)

@nexus186

nexus186 commented Sep 24, 2018

I think the bug is still there.

I added 'session_keepalive' => false, 'session_lifetime' => 600, to the config and then closed and reopened my browser.

Now if I'm inactive for 5 minutes, the session on the server side times out but the web interface still shows the authenticated view (file list, admin settings etc). If I click on any links or reload the page, then it redirects back to the login screen.

It should instead redirect back to the login screen the moment the session times out on the server side.
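The throttle nexus186 proposes above (only send the heartbeat while the user is actually active) together with the redirect on server-side expiry from the later comment can be expressed as a small keepalive scheduler. This is an added example written for this page, not Nextcloud's own client code; the `/heartbeat` endpoint path, the login URL, the default timings and the list of activity events are assumptions made for illustration.

```javascript
// Added example (not Nextcloud code): an activity-gated session keepalive.
// The heartbeat is only sent while the user has been active within
// idleLimitMs, so an abandoned tab lets the server-side session lapse. A
// heartbeat the server rejects (401/403) is treated as "session expired" and
// triggers onExpired, so the UI does not keep showing authenticated content
// after the server has already dropped the session.

// Status codes that mean the server no longer recognises the session.
function isSessionGone(status) {
  return status === 401 || status === 403;
}

function createKeepalive({
  intervalMs = 60 * 1000,       // assumed: heartbeat timer period
  idleLimitMs = 5 * 60 * 1000,  // assumed: stop renewing after this much inactivity
  now = () => Date.now(),       // injectable clock so the logic is testable
  send,                         // async () => HTTP status of the heartbeat request
  onExpired,                    // called once when the server rejects the heartbeat
} = {}) {
  let lastActivity = now();
  let expired = false;

  function noteActivity() {
    lastActivity = now();
  }

  // A heartbeat is due only while the user was active within idleLimitMs.
  function shouldSend() {
    return !expired && now() - lastActivity < idleLimitMs;
  }

  async function tick() {
    if (expired) return 'expired';
    if (!shouldSend()) return 'idle';      // idle: let the server session time out
    const status = await send();
    if (isSessionGone(status)) {
      expired = true;
      if (onExpired) onExpired();
      return 'expired';
    }
    return 'sent';
  }

  return { noteActivity, shouldSend, tick, intervalMs };
}

// Browser wiring. Assumptions: the heartbeat endpoint is POST /heartbeat and
// the login page accepts a redirect_url parameter.
function installKeepalive(doc = globalThis.document, win = globalThis) {
  const ka = createKeepalive({
    send: async () =>
      (await fetch('/heartbeat', { method: 'POST', credentials: 'same-origin' })).status,
    onExpired: () => {
      win.location.href = '/login?redirect_url=' + encodeURIComponent(win.location.pathname);
    },
  });
  for (const ev of ['mousemove', 'keydown', 'click', 'scroll', 'touchstart']) {
    doc.addEventListener(ev, ka.noteActivity, { passive: true });
  }
  win.setInterval(ka.tick, ka.intervalMs);
  return ka;
}
```

With `session_keepalive` disabled the heartbeat is simply never sent, which is what the thread's configuration does; the scheduler above is the middle ground the comment asks for, where an active user is never logged out mid-work but an unattended browser is.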

@MorrisJobke
Member

> That works for me when closing the browser to get logged out.
> But why is there not a checkbox for staying logged in but rather is it automatically the thing??

We had long discussions about this: the most often use case is to stay logged in and just use Nextcloud. If you actively want to be logged out you can use the menu item for logout.

Thus this works as it should and I will close it.

Thanks

@ksmolder

ksmolder commented Dec 26, 2018

@MorrisJobke Just wondering if the claim that "the most often use case is to stay logged in and just use Nextcloud" is backed by actual data... I personally do not access the web interface of Nextcloud that often as there is some nice desktop integration for Windows, MacOS and Linux. So the times I use the Nextcloud web interface are in most cases when I do not have access to my own devices (and hence am working on a public or someone else's computer). I really do not want to accidentally stay logged in on the latter devices.

In Nextcloud 13 we had the option: on devices we trust one additional click to stay signed in and just no worries on devices we don't trust (closing the browser took care). In Nextcloud 14 I actually have to remember each time to actively log out (or trust strangers for doing it for me...).

Especially with the introduction of 2FA, this move doesn't make sense to me. People are motivated to use 2FA but actually, once logged in, you don't even require 1FA (aka the user's password) as you stay logged in by default. From a security point of view, this is a huge risk IMHO.

@MorrisJobke
Member

> @MorrisJobke Just wondering if the claim that "the most often use case is to stay logged in and just use Nextcloud" is backed by actual data... I personally do not access the web interface of Nextcloud that often as there is some nice desktop integration for Windows, MacOS and Linux. So the times I use the Nextcloud web interface are in most cases when I do not have access to my own devices (and hence am working on a public or someone else's computer). I really do not want to accidentally stay logged in on the latter devices.
>
> In Nextcloud 13 we had the option: on devices we trust one additional click to stay signed in and just no worries on devices we don't trust (closing the browser took care). In Nextcloud 14 I actually have to remember each time to actively log out (or trust strangers for doing it for me...).
>
> Especially with the introduction of 2FA, this move doesn't make sense to me. People are motivated to use 2FA but actually, once logged in, you don't even require 1FA (aka the user's password) as you stay logged in by default. From a security point of view, this is a huge risk IMHO.

We don't actively gather any broad telemetry on actions like this, so we can't prove this by an empirical study. Nevertheless we are in exchange with users like you that give us feedback on the behavior. And we got a lot of feedback about why it doesn't stay logged in. As well we are checking how other products do this from a UX point of view. Thus we had some longer discussions here on GitHub about this (give it a search and you can find it).

Also the bigger case is that people use their own devices more often than other people's devices (in general over the broad mass and not on a per individual basis). Our general aim is to make Nextcloud a good solution by default with an as good as possible UX without the need to tweak anything and still give it the options and features it really needs for security focused people.
