Frequent session timeouts when using External users (OC_User_IMAP) #101

gatoth · 2018-09-08T14:54:22Z

Steps to reproduce

Enable External Users
Set user backends
'user_backends' =>
array (
0 =>
array (
'class' => 'OC_User_IMAP',
'arguments' =>
array (
0 => '{:993/imap/ssl/novalidate-cert}',
),
),
),
Log in with an IMAP backed account, and even if you keep browsing the folders and files continuously, the session expires after 5 minutes.
Use a non-IMAP user, do the same and the session does not expire after 5 minutes.

Expected behaviour

Session should not expire while user is active, regardless if user is backed by IMAP.

Actual behaviour

Session expires for IMAP users after 5 minutes, even if they are being active all the time.

Server configuration

Operating system: FreeBSD 11.2

Web server: Apache 2.4.34

Database: mysql 5.6.41

PHP version: 5.6.37

Nextcloud version: 13.0.6

Updated from an older Nextcloud/ownCloud or fresh install: Updated from 13.0.4 (freshly installed 13.0.4 had the same behaviour)

Where did you install Nextcloud from: Downloaded from nextcloud.com, updated with built-in updater.

Signing status:

Signing status

No errors have been found.

List of activated apps:

App list

The process control (PCNTL) extensions are required in case you want to interrupt long running commands - see http://php.net/manual/en/book.pcntl.php Enabled: - activity: 2.6.1 - calendar: 1.6.1 - comments: 1.3.0 - contacts: 2.1.5 - dav: 1.4.7 - federatedfilesharing: 1.3.1 - files: 1.8.0 - files_external: 1.4.1 - files_pdfviewer: 1.2.1 - files_sharing: 1.5.0 - files_texteditor: 2.5.1 - files_trashbin: 1.3.0 - files_versions: 1.6.0 - files_videoplayer: 1.2.0 - gallery: 18.0.0 - groupfolders: 1.3.3 - logreader: 2.0.0 - lookup_server_connector: 1.1.0 - nextcloud_announcements: 1.2.0 - notes: 2.4.1 - notifications: 2.1.2 - oauth2: 1.1.1 - password_policy: 1.3.0 - polls: 0.8.3 - provisioning_api: 1.3.0 - serverinfo: 1.3.0 - survey_client: 1.1.0 - systemtags: 1.3.0 - tasks: 0.9.7 - theming: 1.4.5 - twofactor_backupcodes: 1.2.3 - updatenotification: 1.3.0 - user_external: 0.4 - workflowengine: 1.3.0 Disabled: - admin_audit - bruteforcesettings - deck - encryption - federation - files_fulltextsearch - firstrunwizard - fulltextsearch - impersonate - mail - ojsxc - rainloop - ransomware_protection - sharebymail - spreed - unsplash - user_ldap

Nextcloud configuration:

Config report

The process control (PCNTL) extensions are required in case you want to interrupt long running commands - see http://php.net/manual/en/book.pcntl.php { "system": { "instanceid": "***REMOVED SENSITIVE VALUE***", "passwordsalt": "***REMOVED SENSITIVE VALUE***", "secret": "***REMOVED SENSITIVE VALUE***", "trusted_domains": [ "***REMOVED SENSITIVE VALUE***" ], "datadirectory": "***REMOVED SENSITIVE VALUE***", "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***", "dbtype": "mysql", "version": "13.0.6.1", "dbname": "***REMOVED SENSITIVE VALUE***", "dbhost": "***REMOVED SENSITIVE VALUE***", "dbport": "", "dbtableprefix": "oc_", "dbuser": "***REMOVED SENSITIVE VALUE***", "dbpassword": "***REMOVED SENSITIVE VALUE***", "installed": true, "mail_from_address": "***REMOVED SENSITIVE VALUE***", "mail_smtpmode": "php", "mail_smtpauthtype": "LOGIN", "mail_domain": "***REMOVED SENSITIVE VALUE***", "theme": "", "loglevel": 0, "maintenance": false, "session_lifetime": 3600, "session_keepalive": true, "apps_paths": [ { "path": "\/usr\/local\/www\/nextcloud\/apps", "url": "\/apps", "writable": true }, { "path": "\/usr\/local\/www\/nextcloud\/apps-pkg", "url": "\/apps-pkg", "writable": false } ], "user_backends": [ { "class": "OC_User_IMAP", "arguments": [ "{server:993\/imap\/ssl\/novalidate-cert}" ] } ], "updater.secret": "***REMOVED SENSITIVE VALUE***" } }

Are you using external storage, if yes which one: NONE

Are you using encryption: no

Are you using an external user-backend, if yes which one: OC_User_IMAP

Client configuration

Browser: Firefox, Chrome

Operating system: Linux, Windows

Logs

Web server error log

[Sat Sep 08 15:24:26.306389 2018] [authz_core:error] [pid 41778] [client CLIENT_IP:41192] AH01630: client denied by server configuration: /usr/local/www/nextcloud/data/.ocdata [Sat Sep 08 15:43:46.530126 2018] [authz_core:error] [pid 71617] [client CLIENT_IP:42956] AH01630: client denied by server configuration: /usr/local/www/nextcloud/data/.ocdata

Nextcloud log (data/nextcloud.log)

Nextcloud log

[nextcloud.log](https://github.com/nextcloud/server/files/2363378/nextcloud.log)

Browser log

Navigated to https://fqdn.net/nextcloud/index.php/login?redirect_url=/nextcloud/index.php/apps/files/%3Fdir%3D/Eln%25C3%25B6ks%25C3%25A9g/Ki%25C3%25A1ll%25C3%25ADt%25C3%25A1sok/2018%2520Orsz%25C3%25A1gos%2520Ki%25C3%25A1ll%25C3%25ADt%25C3%25A1s%26fileid%3D1705
Content Security Policy: Directive ‘child-src’ has been deprecated. Please use directive ‘worker-src’ to control workers, or directive ‘frame-src’ to control frames respectively.
JQMIGRATE: Migrate is installed, version 1.4.0 core.js:7:542
window.controllers/Controllers is deprecated. Do not use it for UA detection. merged.js:2171
Source map error: TypeError: NetworkError when attempting to fetch resource.
Resource URL: https://fqdn.net.hu/nextcloud/core/vendor/core.js?v=97481833-10
Source Map URL: purify.min.js.map[Learn More]
Shutting down notifications: [401] Unauthorized merged.js:285:5
_onFetchError
https://fqdn.net/nextcloud/index.php/js/notifications/merged.js:285:5
j
https://fqdn.net/nextcloud/core/vendor/core.js:2:26920
fireWith
https://fqdn.net/nextcloud/core/vendor/core.js:2:27738
x
https://fqdn.net/nextcloud/core/vendor/core.js:4:11276
b/<
https://fqdn.net/nextcloud/core/vendor/core.js:4:14765
Navigated to https://fqdn.net/nextcloud/index.php/apps/files/?dir=/Eln%C3%B6ks%C3%A9g/Ki%C3%A1ll%C3%ADt%C3%A1sok/2018%20Orsz%C3%A1gos%20Ki%C3%A1ll%C3%ADt%C3%A1s&fileid=1705

nextcloud-bot · 2018-09-08T15:06:45Z

GitMate.io thinks possibly related issues are nextcloud/server#5566 (Error when adding external user), nextcloud/server#3132 (User backend OC_User_IMAP already initialized), nextcloud/server#5079 (Frequent File Locking with External Storage), nextcloud/server#2158 (LDAP-Users can't use external storage), and nextcloud/server#3723 (Auth - Session).

kienanstewart · 2018-11-02T16:16:12Z

I am also experiencing similar issues (nextcloud 13.0.5 and 14.0.3) w/ PHP 7.0.30 on debian stretch

gatoth · 2018-11-05T22:01:51Z

I upgraded to NextCloud 14.0.3 and PHP 7.2.11 and still experiencing the same.

kienanstewart · 2018-11-15T19:35:17Z

In the end we discovered it was the session cleaning settings in our PHP configuration. We were using a 1/100 requests start session cleaning (and sessions shouldn't last more than 3600s). By disabling it we stopped having random log outs. It's worth trying to tweak it to something less frequent.

ediazcomellas · 2019-04-25T11:50:52Z

We have been struggling with this issue for several weeks. We disabled garbage collection, session expiration and everything else with no effect: 5 minutes after login, you were redirected to login again. We are authenticating using IMAP-SSL

We have tested with PHP as an Apache module, FPM, versions from 7.0 to 7.3. No difference. Same problem a few minutes after login.

So after several sessions of debug, we found lib/private/User/Session.php, line 680: function checkToken:

680 private function checkTokenCredentials(IToken $dbToken, $token) {
681 // Check whether login credentials are still valid and the user was not disabled
682 // This check is performed each 5 minutes
683 $lastCheck = $dbToken->getLastCheck() ? : 0;
684 $now = $this->timeFactory->getTime();
685 if ($lastCheck > ($now - 60 * 5)) {
686 // Checked performed recently, nothing to do now
687 return true;
688 }
689
690 try {
691 $pwd = $this->tokenProvider->getPassword($dbToken, $token);
692 } catch (InvalidTokenException $ex) {
693 // An invalid token password was used -> log user out
694 return false;
695 } catch (PasswordlessTokenException $ex) {
696 // Token has no password
697
698 if (!is_null($this->activeUser) && !$this->activeUser->isEnabled()) {
699 $this->tokenProvider->invalidateToken($token);
700 return false;
701 }
702
703 $dbToken->setLastCheck($now);
704 return true;
705 }

Nextcloud is checking the password again after 5 minutes. Unfortunately, external_user must be missing something here, and the test always fails. As a result, the token is invalidated and the session must start again.

As a mitigation (in order to avoid user's rage) we have changed the time to 5000 minutes:

685 if ($lastCheck > ($now - 60 * 5000)) {

This is something we would rather don't do, as it opens the door to unsynced password problems.

Can anyone check why the external_user app is failing this check?

Best regards.

kesselb · 2019-08-17T19:20:46Z

Moved this issue to the right repository. Is this still relevant?

violoncelloCH · 2019-08-22T15:00:35Z

this looks the same as #70
@kienanstewart interesting that the issue disappeared for you when changing php session settings?

@ediazcomellas as you have debugged this issue: how are you sure this issue is on the side of the user external app? could you hop through the steps with a debugger and check what is going wrong when password check is triggered from checkTokenCredentials() rather than when logging in?

ediazcomellas · 2019-08-22T20:09:39Z

We still had some issues (not so often, but from time to time). We finally changed the auth backend to LDAP and everything was fixed.

Mannshoch · 2019-11-15T06:37:34Z

Could that be the source if downloading huge files (download time greater than 5min) in Nextcloud app is not working?

violoncelloCH · 2020-01-07T20:55:24Z

@Mannshoch if you don't get the "auto" logout then this is probably an other issue with your webserver configuration. Please check your php timeouts etc.

Mannshoch · 2020-04-14T21:51:12Z

since I updated from 5.0.1 to 9 I have also this issue. I today had a talk with nextcloud talk with measuring the time. After 5 minutes the session got killed and nextcloud changed to the login screen.

Mannshoch · 2020-04-22T06:14:25Z

e.g. The Thunderbird addon Cardbook seems not able to save the password. I'm not sure why it is not able to use the already saved password.

sshambar · 2020-04-30T23:43:57Z

Finally got annoyed enough at the frequent logouts that I tracked down the root of the problem... There's a thorough description of the bug (design flaw in the nextcloud app loading logic), in nextcloud/server#20756, and I've issued a pull-request with the fix nextcloud/server#20757.

As mentioned in the issue description, it may be possible for user_external to work around the bug, but it would be a bit of a hack, and I'd have to make sure it didn't break anything important before I'd submit a pull here...

I could provide a backport pull to stable18 too if there's interest, but it's easy enough to apply the patch (OC_App.php used be called app.php).

Mannshoch · 2020-05-01T09:03:32Z

I'm interested in a backport for 18. My Nextcloud I'm responsible for is actually on 17. I plan an upgrade in the next weeks. Would be nice If it works directly after upgrading.

violoncelloCH · 2020-05-01T12:10:48Z

cool @sshambar !
for backporting there is even a bot which can handle this automatically :)
so let's wait for the feedback from some of the server folks and hope this will be merged, then it shouldn't be a problem to get this backported...

sshambar · 2020-05-01T22:33:22Z

OK, I'll wait for feedback... BTW, a solid workaround for the logout issue is to set the password for the nextcloud user to the same as the external authentication (if you know the password). If the passwords match, the user will be accepted as a DB user, not a user_external one (and won't be logged out at token validation time).

Alternatively, if the passwords differ, but you login with the DB password, you also won't be logged out...

sshambar · 2020-05-02T22:54:54Z

Just an FYI: I was getting random logouts when I turned caching off during my testing, and tracked the problem to memcached session locking occasionally failing (which triggers a logout)... I fixed it with the following in php.ini:

[memcached]
memcached.sess_lock_retries = 50;

If you're getting hit by logouts, this could be another cause :)

Mannshoch · 2020-05-05T05:58:20Z

php.ini is ReadOnly for me but I can say that I do not have any [memcached] entries in it.

sshambar · 2020-05-05T17:30:33Z

Ah, thought it was clear that this only affects sessions that use memcached... basically, if you don't have:

session.save_handler = memcached
session.save_path = "/run/memcached/memcached.sock"
or
session.save_path="localhost:11211"

in your php.ini/php.d then this won't affect you. I can only reproduce the memcached problem when I turn off my browser cache (simulating the first time a user loads nextcloud), and it's just triggered by the sheer number of connections nextcloud makes on that initial login page load (all of which try to load the session from memcached)... people kept saying they'd log in and be immediately logged out, and this was the cause (unrelated to any bugs in user_external). Just thought I'd mention it in case someone came here when dealing with random logouts...

sshambar · 2020-05-05T17:45:29Z

BTW, an update from the pull request, I've update the patch to solve the session timeouts a different way (there was concerns about skipping any user validation in the first patch).

Also, there's also another, simpler workaround... since this bug only impacts users who appear in both oc_users and oc_users_external with the same userid, one of the nextcloud devs suggested that deleting the user from oc_users would solve the problem (and it does indeed work, I even deleted the admin user and things still worked fine with users just in oc_users_external).

The only drawback is that there's no "fallback" login if user_external is disabled (of course, users can be added back to the oc_users table easily enough, but passwords would have to be reset). Yet another solution would be temporarily changing the userids in oc_users (adding a prefix like "disabled-"), which would be easily reversible and keep the original password.

Realistically, users_external probably should have been written to use a unique userid from day one -- as the other login apps do -- but adding it now would require some migration magic (basically, a userid migration on login or upgrade, but I've no idea how that could be done reliably...).

Of course, combining the above would provide a true fix in user_external... which could simply check if the userid exists in oc_users, and if so change that userid to have a prefix/postfix (or other mapping), so that db users will never match user_external users -- and reverse it when the app is disabled.

If there's interest, I'd be willing to offer a patch...(don't think it'd be difficult).

Mannshoch · 2020-05-05T19:03:29Z

May a bit to much and may against my wish for a fast fix but I link this Enhancement Request.

syzop · 2020-06-15T17:46:36Z

Just checking... is this the issue that may be responsible for our users getting logged out after we upgraded from 16.x to 18.x?

I got a bit confused by #101 (comment)

Ah, thought it was clear that this only affects sessions that use memcached...

So just to double check: that was an old assumption right? It is no longer valid?
We don't use memcached and I suspect we are impacted by the issue.
I see this in the logs, that may be an indication of the incorrect loading of classes (order, whatever) right?
Jun 15 18:30:56 cloud Nextcloud[22864]: {"reqId":"xxx","level":3,"time":"2020-06-15T18:30:56+02:00","remoteAddr":"xxx","user":"xxx","app":"core","method":"PROPFIND","url":"/remote.php/dav/files/xxx/","message":"User backend OC_User_IMAP not found.","userAgent":"Mozilla/5.0 (Windows) mirall/2.6.3stable-Win64 (build 20200217) (Nextcloud)","version":"18.0.6.0"}

The current fix is to upgrade to 19.0.0?

syzop · 2020-06-15T18:04:33Z

Oh, not in 19.0.0 it seems.
Is this Nextcloud fix from @sshambar sufficient? nextcloud/server@ff8695f
Or does it also need changes in the app?

syzop · 2020-06-15T18:13:28Z

I've applied the patch to 18.x. Let's see how it goes.

This is what I did (in the nextcloud root directory):

wget -O logout.v19.patch https://github.com/nextcloud/server/commit/ff8695fdb43aa303f5cccd2d9975c762b44726ae.patch
cat logout.v19.patch|sed 's/OC_App/app/g' >logout.v18.patch
patch -p1 <logout.v18.patch

Mannshoch · 2021-02-16T07:23:58Z

How is the current state?

syzop · 2021-02-16T11:39:54Z

It's not clear to me if if we still have the same issue. We only recently upgraded away from v18 when it went EOL. We're now on 20.0.7. The patch can still apply cleanly but I don't know if it is needed. My first indication was that we are not seeing the timeouts anymore (without patch)... but i could be wrong.

And you? Do you still have the issue? With what nextcloud version? Maybe worth testing v20?
What exact method do you use to reproduce the issue? And is it fully reproducible or is it random?
Be sure not to confuse this issue with other authentication/server issues. For example we currently authenticate against IMAP, and when that IMAP server has an issue it basically results in all authentication being rejected and thus logging out all nextcloud users. That is something unrelated to this bug. (And yeah, we will be moving away from IMAP auth, but that is off-topic as well).

I see your comments in #70 were tagged as spam. But I presume for this issue they are valid questions...

Mannshoch · 2021-02-16T13:44:19Z

I'm also on 20.0.7 I did not install any patch. I still have the problem, that I have to accept the Nextcloud-client on every restart in the browser. I only have this Problem on the Nextcloud that use IMAP to check valid user. Other Nextcloud do not have that problem, once approved it works for ever.

syzop · 2021-02-16T14:06:15Z

Right, so you have the Windows(?) client and after a computer restart it asks you to open a browser, login and "grant access"?
What nextcloud client do you use?

I am using 3.1.2 on Windows myself with a 20.0.7 server, now with the patch applied (did so an hour ago, figured why not). Cannot reproduce the issue.
I also have 1 user complaining he has to re-login every time, since our server and client upgrade a week ago, trying to get in contact with him and/or checking if the issue persists even with the patch applied.

Not sure if these issues and the patch are related though. Like I said, i thought they were more related to the webinterface if you were >5m idle.

Mannshoch · 2021-02-16T15:19:24Z

I use Ubuntu and Nextcloud 3.1.2 also.
I have three Nextcloud connected as account. But on the one account where User External with IMAP is used I have to "grant access" on every boot.

syzop · 2021-02-17T09:23:39Z

@Mannshoch we now have multiple reports with the same problem that you describe. After a reboot the nextcloud client asks to "grant access" via the browser again, next reboot the same, etc etc.
Different client versions are used, so we don't have a clear picture yet. I don't have the problem myself with latest client and latest server (with patch). It always makes things more difficult when I cannot reproduce it myself...

Mannshoch · 2021-02-17T16:21:29Z

May an interesting symptom. The first link the nextcloud-client open in Browser do not work. I get a Token error
I'll try to get a log from that

Mannshoch · 2021-02-17T19:55:10Z

```

</details>

syzop · 2021-02-18T11:56:52Z

The users who reported the problem(s) earlier are saying everything is fine now. I ensured they are really on 3.1.2 (Windows) and that they logged in. They both rebooted and did not have to relogin. So I'm done with this for now, if it changes i will let you know.

As always, user reports were/are vague, it's better to have someone who experiences the problem first hand, like you.

khashmeshab · 2023-01-27T14:58:18Z

@sshambar If anybody still cares, the exact same problem still exists in NextCloud 23. And the patch also applies successfully, and fixes the issue right away. I wonder why it's not applied to the whole project yet.

dbuerer · 2024-03-13T16:53:36Z

I care....because i've been having the same issue in 27.1.4 and it's driving a couple of us nuts!

Jetsord · 2024-11-28T13:36:24Z

@ediazcomellas is right, the problem is still the incorrect revalidation of the user in user_external.
The validation is correct at login time, so the check only really takes effect after the timeout after 5 minutes.

In NextCloud, this timer is hard-coded to 5 minutes and can therefore only be changed directly in the file:
https://github.com/nextcloud/server/blob/379f575c25cdf4769d5c019394e73ac8b8f46385/lib/private/User/Session.php#L696

Whereas in OwnCloud this value can be adjusted via the database.
https://github.com/owncloud/core/blob/9deb8196b20354c8de0cd720ad4d18d52ccc96d8/lib/private/User/Session.php#L737

Since the database entry was missing in my OwnCloud, I simply had to/was able to add it:
INSERT INTO oc_appconfig (appid, configkey, configvalue) VALUES ('core', 'last_check_timeout', '480');

This way, the user (who is authenticated via user_external) is logged out hard after 8 hours (480 minutes).

kesselb transferred this issue from nextcloud/server Aug 17, 2019

kesselb added 0. Needs triage bug Something isn't working question Further information is requested labels Aug 17, 2019

Mannshoch mentioned this issue Apr 14, 2020

Replace imap_rcube library with curl call #122

Merged

sshambar mentioned this issue Apr 30, 2020

Authentication apps for DB users suffer frequent logouts nextcloud/server#20756

Closed

sshambar mentioned this issue May 1, 2020

Skip session validation during app load (Fixes #20756) nextcloud/server#20757

Closed

Frequent session timeouts when using External users (OC_User_IMAP) #101

Frequent session timeouts when using External users (OC_User_IMAP) #101

Comments

gatoth commented Sep 8, 2018

Steps to reproduce

Expected behaviour

Actual behaviour

Server configuration

Client configuration

Logs

Web server error log

Nextcloud log (data/nextcloud.log)

Browser log

nextcloud-bot commented Sep 8, 2018

kienanstewart commented Nov 2, 2018

gatoth commented Nov 5, 2018

kienanstewart commented Nov 15, 2018

ediazcomellas commented Apr 25, 2019

kesselb commented Aug 17, 2019

violoncelloCH commented Aug 22, 2019

ediazcomellas commented Aug 22, 2019

Mannshoch commented Nov 15, 2019

violoncelloCH commented Jan 7, 2020

Mannshoch commented Apr 14, 2020

Mannshoch commented Apr 22, 2020

sshambar commented Apr 30, 2020

Mannshoch commented May 1, 2020

violoncelloCH commented May 1, 2020

sshambar commented May 1, 2020

sshambar commented May 2, 2020

Mannshoch commented May 5, 2020

sshambar commented May 5, 2020

sshambar commented May 5, 2020

Mannshoch commented May 5, 2020

syzop commented Jun 15, 2020

syzop commented Jun 15, 2020

syzop commented Jun 15, 2020

Mannshoch commented Feb 16, 2021

syzop commented Feb 16, 2021

Mannshoch commented Feb 16, 2021

syzop commented Feb 16, 2021

Mannshoch commented Feb 16, 2021

syzop commented Feb 17, 2021

Mannshoch commented Feb 17, 2021

Mannshoch commented Feb 17, 2021 • edited Loading

syzop commented Feb 18, 2021

khashmeshab commented Jan 27, 2023

dbuerer commented Mar 13, 2024

Jetsord commented Nov 28, 2024

Mannshoch commented Feb 17, 2021 •

edited

Loading