Nextcloud stays logged in even if "Stay logged" is not checked

[bosscyril]

I think it started happening since I upgraded to NC13.

Steps to reproduce

1. Login to Nextcloud WebUI via user/password. Do not check the "Stay logged in" checkbox.
2. Close the web browser without closing Nextcloud session.
3. Reopen the browser and go tu Nextcloud URL. User is still logged in.

Expected behaviour

After closing the web browser, the user should manually log in again, unless the checkbox "Stay logged in" was selected.

Actual behaviour

The user is still logged in even if the browser was closed or after a reboot.

Server configuration

Operating system:
Ubuntu 16.04.4 LTS
Web server:
Apache/2.4.18
Database:
mysqld Ver 5.7.22
PHP version:
PHP 7.0.28
Nextcloud version: (see Nextcloud admin page)
Nextcloud 13.0.2
Updated from an older Nextcloud/ownCloud or fresh install:
Updated from 12.0.5.3
Where did you install Nextcloud from:

Signing status:
No errors have been found.

Signing status

Login as admin user into your Nextcloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results here.

List of activated apps:

App list

Enabled: - activity: 2.6.1 - audioplayer: 2.3.0 - bruteforcesettings: 1.0.3 - calendar: 1.6.1 - comments: 1.3.0 - contacts: 2.1.3 - dav: 1.4.6 - federatedfilesharing: 1.3.1 - federation: 1.3.0 - files: 1.8.0 - files_external: 1.4.1 - files_markdown: 2.0.4 - files_pdfviewer: 1.2.1 - files_sharing: 1.5.0 - files_texteditor: 2.5.1 - files_trashbin: 1.3.0 - files_versions: 1.6.0 - files_videoplayer: 1.2.0 - firstrunwizard: 2.2.1 - gallery: 18.0.0 - gpxpod: 2.2.2 - logreader: 2.0.0 - lookup_server_connector: 1.1.0 - nextcloud_announcements: 1.2.0 - notifications: 2.1.2 - oauth2: 1.1.0 - password_policy: 1.3.0 - provisioning_api: 1.3.0 - serverinfo: 1.3.0 - sharebymail: 1.3.0 - spreed: 3.2.0 - survey_client: 1.1.0 - systemtags: 1.3.0 - tasks: 0.9.6 - theming: 1.4.1 - twofactor_backupcodes: 1.2.3 - unsplash: 1.1.1 - updatenotification: 1.3.0 - workflowengine: 1.3.0 Disabled: - admin_audit - encryption - user_external - user_ldap

Nextcloud configuration:

Config report

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your Nextcloud installation folder

or 

Insert your config.php content here. 
Make sure to remove all sensitive content such as passwords. (e.g. database password, passwordsalt, secret, smtp password, …)

Are you using external storage, if yes which one: local/smb/sftp/...

Are you using encryption: yes/no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...

LDAP configuration (delete this part if not used)

LDAP config

With access to your command line run e.g.:
sudo -u www-data php occ ldap:show-config
from within your Nextcloud installation folder

Without access to your command line download the data/owncloud.db to your local
computer or access your SQL server remotely and run the select query:
SELECT * FROM `oc_appconfig` WHERE `appid` = 'user_ldap';


Eventually replace sensitive data as the name/IP-address of your LDAP server or groups.

Client configuration

Browser:
Various browsers. Same result.

Operating system:

Logs

Web server error log

Web server error log

Insert your webserver log here

Nextcloud log (data/nextcloud.log)

Nextcloud log

Insert your Nextcloud log here

Browser log

Browser log

Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log
c) ...

[stratege1401]

I am not sure it is a nextcloud problem. Might be a browser cache problem. But anyway, i did reproduce it also on different browers.

[ykcab]

This is a duplicate issue submission, I have also raised this concern. It's something that should be reviewed. Let's hope there will be a fix. I will try to see if I can get a work around on the log in page

[skjnldsv]

We removed the checkbox a few versions ago on purpose.
ALl website removed it now. If you want a clean session or if you're on an unsafe env, use private browsing, if not, logout is mandatory like lots of services: fb, twitter...