[Bug]: Tried to log in "username" but could not verify token

[ghost]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• Nextcloud Server is running on 64bit capable CPU, PHP and OS.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

Not sure what's causing this the user is LDAP backend

Steps to reproduce

1.Open brower
2.go to server.domain.com
3.takes to me dashboard

Expected behavior

Should not see this error in logs

Installation method

Community Manual installation with Archive

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.0

Web server

Apache (supported)

Database engine version

MySQL

Is this bug present after an update or on a fresh install?

Updated to a major version (ex. 22.2.3 to 23.0.1)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

No response

List of activated Apps

Enabled:
  - activity: 2.17.0
  - admin_audit: 1.15.0
  - cloud_federation_api: 1.8.0
  - comments: 1.15.0
  - contactsinteraction: 1.6.0
  - dashboard: 7.5.0
  - dav: 1.24.0
  - federatedfilesharing: 1.15.0
  - federation: 1.15.0
  - files: 1.20.0
  - files_external: 1.17.0
  - files_pdfviewer: 2.6.0
  - files_rightclick: 1.4.0
  - files_sharing: 1.17.0
  - files_trashbin: 1.15.0
  - files_versions: 1.18.0
  - files_videoplayer: 1.14.0
  - firstrunwizard: 2.14.0
  - logreader: 2.10.0
  - lookup_server_connector: 1.13.0
  - nextcloud_announcements: 1.14.0
  - notifications: 2.13.1
  - oauth2: 1.13.0
  - officeonline: 1.1.3
  - password_policy: 1.15.0
  - photos: 1.7.0
  - privacy: 1.9.0
  - provisioning_api: 1.15.0
  - recommendations: 1.4.0
  - serverinfo: 1.15.0
  - settings: 1.7.0
  - sharebymail: 1.15.0
  - spreed: 15.0.0-beta.2
  - survey_client: 1.13.0
  - suspicious_login: 4.2.0
  - systemtags: 1.15.0
  - text: 3.6.0
  - theming: 2.0.0
  - twofactor_backupcodes: 1.14.0
  - twofactor_email: 2.6.0
  - twofactor_totp: 6.4.0
  - updatenotification: 1.15.0
  - user_ldap: 1.15.0
  - user_status: 1.5.0
  - viewer: 1.9.0
  - weather_status: 1.5.0
  - workflowengine: 2.7.0
Disabled:
  - bruteforcesettings: 2.4.0
  - circles: 23.1.1
  - encryption
  - files_downloadactivity: 1.13.0
  - groupfolders: 12.0.1
  - impersonate: 1.11.0
  - notify_push: 0.4.0
  - socialsharing_email: 2.5.0
  - support: 1.8.0
  - twofactor_admin: 3.2.0

Nextcloud Signing status

No response

Nextcloud Logs

{"reqId":"RSUtKkS7Br5VdD2bT5QY","level":3,"time":"2022-09-06T13:53:34+00:00","remoteAddr":"10.0.10.90","user":"--","app":"core","method":"GET","url":"/ocs/v2.php/search/providers?from=%2Fapps%2Fdashboard%2F","message":"Tried to log in "username" but could not verify token","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36","version":"25.0.0.8","data":{"app":"core"},"id":"63175db7214f1"}

Additional info

[szaimen]

cc @ChristophWurst

[ChristophWurst]

Whohoo. I've rarely been so happy to see an error in the logs.

So, this is from #33772. Can you tell if this log was triggered by one (or a few) users? You could cross-check with the access logs and the IPs. That is visible from the log message. Just tell me if it always the same user ;-)

My suspicion is that this happens when the users open their browser in the morning. Over night the server's php session has expired and the user probably had more than one tab open. The browser then sends off multiple concurrent requests and each of them tries to recover the session from cookies. But then only one request actually wins because it will take the valid token. The other requests show up too late, when the valid token had already been cleared from the database.

Just a theory but curios to hear if this could have been the case for you or your users.

[ChristophWurst]

#33930 adds more debugging insights. If you can, apply the patch on your instance, set the log level to debug for a day and then check if Regenerating cookie login token for {uid} after successful verification shows up shortly before the first Tried to log in {uid} but could not verify token. That would confirm my theory.

[ghost]

I think your right because I believe I did have alot of tabs open from the night and in the morning I open a few sessions and accessed the server but the other tabs where closed. Once I get in the office I will test and let you know

[ghost]

@ChristophWurst I think we're good i applied the #33930

seen this in the debug logs

{
  "reqId": "VdFFfpQ5RgUst3jHnVid",
  "level": 0,
  "time": "2022-09-07T14:33:29+00:00",
  "remoteAddr": "1.5.5.11",
  "user": "--",
  "app": "core",
  "method": "GET",
  "url": "/",
  "message": "Regenerating cookie login token for admin after successful verification",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36",
  "version": "25.0.0.8",
  "data": {
    "app": "core"
  }
}

[ChristophWurst]

Okay but do you see a bunch of Tried to log in admin but could not verify token logged afterwards?

One single Regenerating cookie login token for admin after successful verification is fine. It means a request revived a valid session.

[ghost]

Just tried it and it comes up under the error level

{
  "reqId": "NZYI1iLkoFOEo6GLg6XQ",
  "level": 3,
  "time": "2022-09-07T17:45:57+00:00",
  "remoteAddr": "10.0.10.90",
  "user": "--",
  "app": "core",
  "method": "GET",
  "url": "/",
  "message": "Tried to log in admin but could not verify token",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36",
  "version": "25.0.0.8",
  "data": {
    "app": "core"
  },
  "id": "6318d8f9ed60a"
}

[ghost]

Tried it from a different pc

Debug	core	Regenerating cookie login token for admin after successful verification		a minute ago
Error	core	Tried to log in admin but could not verify token		a minute ago
Debug	core	Regenerating cookie login token for admin after successful verification		a minute ago

But should that error be under debug ?

[ChristophWurst]

We can lower to warning. Nevertheless this is an error in the auth flow and likely leads to a defunct browser window.

[ghost]

Yea I think either warring or info since it really giving you info and technically since its not something to worry about . What do you think ? Id suggest info but what ever you think is best :)

[ChristophWurst]

The bigger picture is that once I have clear insight into the token verification errors and what leads up to them, I want to actually fix them. They shouldn't be part of the auth flow. A token mismatch should only be detected for malicious users, not for someone who opened their browser in the morning with Nextcloud pages open.

[ghost]

Ahhh i see that makes a lot more sense if you need any testing from my end I'm happy to help.

[Rello]

having the same issue on my NC25
only additional info I find is that the php/sessions/ directory had multiple entries per attempt.
dont know if relevant?

in the log i have one error

{"reqId":"Z5di2cFpYzamXLxxhgAO","level":3,"time":"2022-09-27T17:58:45+00:00","remoteAddr":"192.168.0.221","user":"--","app":"core","method":"POST","url":"/nextcloud/login","message":"Tried to log in admin but could not verify token","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36","version":"25.0.0.11","data":{"app":"core"}}
{"reqId":"8dBCwodKtjd6p3N9vSFI","level":3,"time":"2022-09-27T17:58:45+00:00","remoteAddr":"192.168.0.221","user":"--","app":"core","method":"GET","url":"/nextcloud/apps/dashboard/","message":"Tried to log in admin but could not verify token","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36","version":"25.0.0.11","data":{"app":"core"}}
{"reqId":"8dBCwodKtjd6p3N9vSFI","level":0,"time":"2022-09-27T17:58:45+00:00","remoteAddr":"192.168.0.221","user":"--","app":"no app in context","method":"GET","url":"/nextcloud/apps/dashboard/","message":"Current user is not logged in","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36","version":"25.0.0.11","exception":{"Exception":"OC\\AppFramework\\Middleware\\Security\\Exceptions\\NotLoggedInException","Message":"Current user is not logged in","Code":401,"Trace":[{"file":"/var/www/nextcloud/lib/private/AppFramework/Middleware/MiddlewareDispatcher.php","line":97,"function":"beforeController","class":"OC\\AppFramework\\Middleware\\Security\\SecurityMiddleware","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":125,"function":"beforeController","class":"OC\\AppFramework\\Middleware\\MiddlewareDispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php","line":172,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":298,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/var/www/nextcloud/lib/base.php","line":1047,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/nextcloud/index.php","line":36,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/nextcloud/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php","Line":153,"message":"Current user is not logged in","exception":{},"CustomMessage":"Current user is not logged in"}}
{"reqId":"e2dzx8WlzlBb1oSBOZnP","level":3,"time":"2022-09-27T17:58:46+00:00","remoteAddr":"192.168.0.221","user":"--","app":"core","method":"GET","url":"/nextcloud/login?redirect_url=/nextcloud/apps/dashboard/","message":"Tried to log in admin but could not verify token","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36","version":"25.0.0.11","data":{"app":"core"}}

one solution which worked for me is to delete login_token entries in the oc_preferences table

[ChristophWurst]

@Rello do you have #33930 applied as well? Would be interesting to know if a token was used successfully before other requests failed to use the same.

[Rello]

I am on beta 6 - and this should have been merged, correct?

[ChristophWurst]

It is not merged. Right now this is an optional patch.

[LokeYourC3PH]

Just wanted to chime in that I am facing the same issue. Some accounts straight up can not login at all on their Browsers, and need to use temporary accounts to get into the drive.

[ChristophWurst]

Just wanted to chime in that I am facing the same issue. Some accounts straight up can not login at all on their Browsers, and need to use temporary accounts to get into the drive.

Could you ask one of the affected users to clear their cookies and see if that helps?

[LokeYourC3PH]

Just wanted to chime in that I am facing the same issue. Some accounts straight up can not login at all on their Browsers, and need to use temporary accounts to get into the drive.

Could you ask one of the affected users to clear their cookies and see if that helps?

Uhh, I was physically at his PC earlier, so when that happens again, I'll make sure to try that. On another note, it even happened to me on my main, super admin (owner) account. My interface sometimes opened for a quick sec before it gave me a countdown for logging me out, and when I went quickly into settings from there, it stopped and fixed it. Truly weird.

[LokeYourC3PH]

If you have that optional patch readily available for install, maybe you can let me know quickly how to install it so I can give it a try on our system, see if that solves it permanently. If it does, it means the patch is also fully functional.

[tsipizic]

Just wanted to chime in that I am facing the same issue. Some accounts straight up can not login at all on their Browsers, and need to use temporary accounts to get into the drive.

Could you ask one of the affected users to clear their cookies and see if that helps?

I am also affected by that and cookie cleaning/private window did not help. Server reboot/PHP cache clean helped though

[LokeYourC3PH]

Just wanted to chime in that I am facing the same issue. Some accounts straight up can not login at all on their Browsers, and need to use temporary accounts to get into the drive.

Could you ask one of the affected users to clear their cookies and see if that helps?

I am also affected by that and cookie cleaning/private window did not help. Server reboot/PHP cache clean helped though

That's what I did as well as soon as 3 accounts had that issue (and I can't create hundreds of temporary accounts as a workaround), and it solved it. But I also can't reboot the server daily really.

[solracsf]

This is not a v25 thing only (as it has been backported); I get this same error on v23.0.10 (after upgrade from v23.0.9).
Using SSO/SAML app. Different users logged, a few lines per user.

As far as i can see, it triggers for every user.

{
  "reqId": "dccjg6BA5aG2UhFJyBRU",
  "level": 3,
  "time": "2022-10-15T14:42:38+00:00",
  "user": "--",
  "app": "core",
  "method": "GET",
  "url": "/csrftoken",
  "message": "Tried to log in username but could not verify token",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0",
  "version": "23.0.10.1",
  "data": {
    "app": "core"
  },
  "id": "634ac795cdd29"
}

[Sieboldianus]

I got it on 24.0.6, too.

[ghost]

Yes, same got the errors on 24.0.6

[brotkastn]

@lark @LokeYourLord help us test #35419 on your production environments. If we have some more certainty that it fixes the symptoms but doesn't cause any other issues that we can ship the workaround.

I just had to apply #35419 because some who could not login also did not want to clear his complete browsing history on his iPhone. I could still login after applying, and it seems to work for those who got stuck in the login loop.

[detrout]

I ran into this bug on Debian 11 using php7.4-fpm 7.4.33 and nextcloud 25.0.2 connecting with Firefox 108.0. I manually applied the patch in #35419 and was able to log in.

[LokeYourC3PH]

You can apply the patch nevertheless just to see if it has any other negative impact.

Sorry, I've been really busy. But wanted to chime in that I had also applied the patch soon after, and it seems that so far there's been no case of login issues. To me, the bug seems fixed (or at least mitigated).

[ChristophWurst]

Interesting enough the login loops happened a lot for me on two instances around November 2022. For the past few weeks the issue has not shown once.

[TheCrimsonLady]

I updated to Nextcloud 25.0.3.2 two days ago and I am facing this issue once again on iOS in Safari. Unfortunately, deleting the website data does not fix the issue for me (Settings --> Safari --> Advanced --> Website Data --> deleted data from my NC domain and restarted safari).

Which logs should I provide?

(Screenshot taken from graylog)

[sherpadawan]

Same error on 25.0.1 ... really annoying, no bruteforce data in database, varnish cache refreshed on my gandi hosting ...
I am facin this issue for one year, quite regulary, but I used to fix it by resetting user password, and cleaning brute force via occ, nowadays ot does not work anymore, stuck on the login screen !!
Nothing special in occ user:setting ...
Noting weird in logs but the message which gave birth of this bug report.
Any clue ?

[LokeYourC3PH]

Same error on 25.0.1 ... really annoying, no bruteforce data in database, varnish cache refreshed on my gandi hosting ...
I am facin this issue for one year, quite regulary, but I used to fix it by resetting user password, and cleaning brute force via occ, nowadays ot does not work anymore, stuck on the login screen !!
Nothing special in occ user:setting ...
Noting weird in logs but the message which gave birth of this bug report.
Any clue ?

Install the suggested fix, it works. It's not implemented into any public release yet as far as I'm concerned, so gotta wait until that happens.

[TheCrimsonLady]

Another temporary fix that worked for me at least was to run a occ maintenance:repair

After this, I could log in without any problems

[sherpadawan]

OK the fiwx works f22101d#diff-af67c083dc101bd3457884ce98ffe78e12f24150e1962d78bdbbe452173df3b9
wget https://raw.githubusercontent.com/nextcloud/server/f22101d4213768066d3dcbde81898dd64ce46445/core/Controller/LoginController.php && cp LoginController.php core/Controller/
Thanks a lot

[lemmy04]

I'm having this all of a sudden on an up-to-date 25.0.3 after upgrading php from pph7 to php8.
please release a fixed version ASAP, thanks!
edit: the workaround from the post above this one works for me too.

[LokeYourC3PH]

I'm having this all of a sudden on an up-to-date 25.0.3 after upgrading php from pph7 to php8.
please release a fixed version ASAP, thanks!
edit: the workaround from the post above this one works for me too.

The fix has been mentioned a quadrillion times here now. Apply that one and see if it works for you :)

[lemmy04]

I'm having this all of a sudden on an up-to-date 25.0.3 after upgrading php from pph7 to php8.
please release a fixed version ASAP, thanks!
edit: the workaround from the post above this one works for me too.

The fix has been mentioned a quadrillion times here now. Apply that one and see if it works for you :)

Did that already, it works, it should be RELEASED is what I'm saying.

[LokeYourC3PH]

I'm having this all of a sudden on an up-to-date 25.0.3 after upgrading php from pph7 to php8.
please release a fixed version ASAP, thanks!
edit: the workaround from the post above this one works for me too.

The fix has been mentioned a quadrillion times here now. Apply that one and see if it works for you :)

Did that already, it works, it should be RELEASED is what I'm saying.

Well I mean in that case it ain't a huge problem for us, but I agree, I don't understand why it hasn't made it into the main release somehow yet when it seems to be working fine with no side effects to speak of. Makes you wonder 🤔

[ChristophWurst]

I'm sorry to break your negativity spiral but the fix went into stable25 and is the QA pipeline for 25.0.4. RC1 has the fix, if you want to upgrade early. Cheers.

[lemmy04]

that's great, all I wanted to know !

[LokeYourC3PH]

I'm sorry to break your negativity spiral but the fix went into stable25 and is the QA pipeline for 25.0.4. RC1 has the fix, if you want to upgrade early. Cheers.

Not a negativity spiral, merely an observation. But good to know that it'll be out in the next one then ^^

[nderambure]

This is a really good news, thx for the fix and all the work ;)

[smart7324]

Hello, I'm using NC 26 and still the same problem in safari only. Does anyone have an idea? Same error in logs: [Tried to log in "username" but could not verify token].

Have to re-login every time, also on mobile (iOS Safari).

It was working fine with NC25...

[Yetangitu]

This problem does not seem to have been solved in v26.0.0.11 - even though #35419 was merged - seeing how as I'm currently unable to login using Firefox/Android on a device which had a single tab open yesterday. Deleting site data does not change this, nor does running occ maintenance:repair.

I can login using a different browser but not with Firefox, all I get is an empty page showing the site logo and the footer - there is no error message but no login/password request either.

This does not work:

• deleting all site data and cookies for the domain
• force-stopping and restarting Firefox/Android
• rebooting the device
• trying different network connections - wifi, 4G, VPN
• deleting browsing history for the affected domain
• using another open session to delete all sessions for the affected device (in Settings->Security->Devices & Sessions)
• updating Firefox/Android (to 111.0)
• running occ maintenance:repair
• burning black candles in a fairy ring in the forest while chanting obscure incantations (well, did not try but I don't think it would work)

This does work:

• using a different browser
• using private mode in Firefox

The error message in the log is the one which has been shown countless times already: Tried to log in "username" but could not verify token:

{"reqId":"aupvuif3Msicz86FxhbY","level":1,"time":"April 06, 2023 06:06:04","remoteAddr":"192.168.9.2","user":"--","app":"core","method":"GET","url":"/login","message":"Tried to log in frank but could not verify token","userAgent":"Mozilla/5.0 (Android 9; Mobile; rv:109.0) Gecko/112.0 Firefox/112.0","version":"26.0.0.11","data":{"app":"core"}}
{"reqId":"q8JEudtB0oT3gfNqLYye","level":1,"time":"April 06, 2023 06:06:04","remoteAddr":"192.168.9.2","user":"--","app":"core","method":"GET","url":"/apps/theming/image/background?v=27","message":"Tried to log in frank but could not verify token","userAgent":"Mozilla/5.0 (Android 9; Mobile; rv:109.0) Gecko/112.0 Firefox/112.0","version":"26.0.0.11","data":{"app":"core"}}

The really annoying thing is that I do not get a chance to login at all since the login/password request does not show up - only the site logo and the footer on an otherwise empty page.

Move: #37492

[ChristophWurst]

@Yetangitu check if your observations match with #37492 or file a new ticket please.

[Yetangitu]

Apart from the list of enabled/disabled apps that description seems to match, as does this one.

[fuomag9]

This has started happening again for me

[dafi87]

Still happening with NC27 as described here: #37492

[terba]

I have something like this also in 27.1.3. It started some months ago. I don't leave any tabs open ever, but when I fire up the browser (with only one empty tab) and request https://mynextcloud/apps/news, about twice a day messages start to appear on the upper right corner (I don't remember the text, but something like I'm not logged in) and I have to login again. But if I'm fast enough to close this tab, I can reopen the same url and I'm in. If I let it go, i will be logged out. Then I have to login twice to get to the TOTP dialog. I have the same in the logs when this occures (see below). Please solve this, as it is very annoying, as I have to find my phone for the TOTP on daily basis just to read the news.

"method":"GET","url":"/index.php/apps/files/preview-service-worker.js","message":"Tried to log in but could not verify token"
"method":"GET","url":"/apps/theming/theme/dark.css?plain=0&v=0c44906c","message":"Tried to log in but could not verify token"
"method":"GET","url":"/apps/theming/theme/default.css?plain=1&v=0c44906c","message":"Tried to log in but could not verify token"
"method":"GET","url":"/apps/theming/theme/light.css?plain=0&v=0c44906c","message":"Tried to log in but could not verify token"
"method":"GET","url":"/apps/theming/theme/light.css?plain=1&v=0c44906c","message":"Tried to log in but could not verify token"
"method":"GET","url":"/apps/theming/theme/dark-highcontrast.css?plain=0&v=0c44906c","message":"Tried to log in but could not verify token"
"method":"GET","url":"/apps/theming/theme/opendyslexic.css?plain=0&v=0c44906c","message":"Tried to log in but could not verify token"
"method":"GET","url":"/index.php/apps/files/preview-service-worker.js","message":"Tried to log in but could not verify token"

By the way is it ok to require login for css data? Thanks in advance.