-
Notifications
You must be signed in to change notification settings - Fork 55
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[NC29] TOTP skipped after session timeout #1563
Comments
Hi @GitHubUser4234! Thank you for the report. I was not able to reproduce. Even with lost session data, I need to pass the 2FA screen before Nextcloud allows me to access my account. |
Hm, have you tried the above settings, in particular:
And also waited for the session timeout rather than deleting cookies? |
Thank you for the pointers. I tried with the updated instructions but came to the result that I was just logged out after the session expiry. After the page reload I saw the login page. |
Hi @ChristophWurst, Further testing came up with the following finding: If only the session_lifetime in config.php has timed out, but the session.gc_maxlifetime in php.ini has NOT timeout, then the login page is shown as normal. BUT if the session.gc_maxlifetime in php.ini has also expired, then the user is logged in after refreshing the TOTP screen. For fast testing, please try these settings: in config.php:
in php.ini: Then refresh the TOTP screen after >20seconds. Thanks! |
I've tried again and followed the instructions closely. I'm still always logged out. I've tried both a git checkout of the Nextcloud sources and https://hub.docker.com/_/nextcloud. How did you set up Nextcloud? |
Really odd, there must be some difference then, hm...
By installing https://download.nextcloud.com/server/releases/latest-29.tar.bz2 |
Hi,
This looks like a bug but hopefully is a config issue or the likes. On a fresh NC29 install with twofactor_totp app enabled, the OTP screen is skipped when the user stops at the OTP screen and waits for the session to timeout. Please help, thank you.
Steps to reproduce
(URL ../server/index.php/login/challenge/totp)
until the session expires.Expected behaviour
The user should be forced to login again
Actual behaviour
User is logged in, OTP is skipped
Server configuration
Operating system:
RHEL 8
Web server:
Apache 2.4
Database:
MySQL
PHP version:
PHP 8.3
Version: (see admin page)
NC 29.0.7.1
Updated from an older version or fresh install:
List of activated apps:
The content of config/config.php:
Client configuration
Browser:
Firefox
Operating system:
Windows 11
Logs
Web server error log
Server log (data/nextcloud.log)
The text was updated successfully, but these errors were encountered: