YunoHost-Apps / nextcloud_ynh

Nextcloud package for YunoHost
https://nextcloud.com/
GNU Affero General Public License v3.0

Log out of ynh doesn't log out from nextcloud #19

Open Shnoulle opened 7 years ago

Shnoulle commented 7 years ago

Steps to reproduce: you need 2 users

  1. Be totally logged out from ynh and nextcloud
  2. Log in as user1 via nextcloud -> redirected to ynh login
  3. Click/go on nextcloud => logged in as user1
  4. Come back to ynh
  5. Log out
  6. Log in as user2
  7. Click on nextcloud => logged in as user1

Same issue with owncloud before.

maniackcrudelis commented 7 years ago

Maybe linked to this patch https://github.com/YunoHost-Apps/nextcloud_ynh/blob/master/patches/00-add-logout_url-conf.patch

julienmalik commented 7 years ago

confirmed here.

in fact you don't even need step 6. you can disconnect from sso, and still be logged in to nextcloud as user1

julienmalik commented 7 years ago

this means it is error prone when two different users use the same machine for accessing their nextcloud. quite critical imho. but no idea how to fix this...

maybe the http_auth plugin should somehow invalidate the session when it receives a different user than the one from the session/cookie
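The check suggested in the comment above, modelled as an added Python example (this is not Nextcloud, SSOwat or http_auth code): an app that trusts an SSO-supplied user header re-checks on every request that the header still matches the user bound to the session cookie, and destroys the session when the portal no longer asserts a user or asserts a different one. `naive_resolve` models the behaviour the issue reports; `resolve_session` adds the missing check; `walk_reproduction` replays the steps from the issue against either. The in-memory `SessionStore` and the `REMOTE_USER`-style header name are constructed for the example.

```python
"""Session binding between an SSO user header and an application session."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Session:
    session_id: str
    user: str


class SessionStore:
    """In-memory stand-in for the app's session backend (constructed for the example)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> Session:
        session = Session(secrets.token_hex(16), user)
        self._sessions[session.session_id] = session
        return session

    def get(self, session_id: Optional[str]) -> Optional[Session]:
        return self._sessions.get(session_id) if session_id else None

    def invalidate(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)


Resolver = Callable[[SessionStore, Optional[str], Optional[str]], Tuple[Optional[Session], str]]


def naive_resolve(store: SessionStore, cookie_session_id: Optional[str],
                  sso_user: Optional[str]) -> Tuple[Optional[Session], str]:
    """Behaviour described in the issue: once a session cookie exists, the SSO
    user is never looked at again, so a portal logout changes nothing."""
    session = store.get(cookie_session_id)
    if session is not None:
        return session, "kept"
    if sso_user is None:
        return None, "anonymous"
    return store.create(sso_user), "new"


def resolve_session(store: SessionStore, cookie_session_id: Optional[str],
                    sso_user: Optional[str]) -> Tuple[Optional[Session], str]:
    """Same, with the binding check.

    sso_user is the user the SSO layer asserts for this request (e.g. a
    REMOTE_USER-style header set by the reverse proxy; None when nobody is
    logged in at the portal). The proxy must strip any client-supplied copy of
    that header, otherwise the check trusts attacker-controlled input.
    """
    session = store.get(cookie_session_id)
    if session is None:
        if sso_user is None:
            return None, "anonymous"
        return store.create(sso_user), "new"
    if sso_user is None:
        # Portal logged the user out: the app cookie must stop working too.
        store.invalidate(session.session_id)
        return None, "logged_out"
    if sso_user != session.user:
        # Another user is now asserted by the portal: never keep user1's session for user2.
        store.invalidate(session.session_id)
        return store.create(sso_user), "switched"
    return session, "kept"


def walk_reproduction(resolver: Resolver) -> Dict[str, Optional[str]]:
    """Replay the issue's steps and record which user the app shows at each point."""
    store = SessionStore()
    seen: Dict[str, Optional[str]] = {}
    # Steps 2-3: user1 logs in at the portal and opens the app; browser gets a cookie.
    session, _ = resolver(store, None, "user1")
    cookie = session.session_id
    seen["step3"] = session.user
    # Step 5: portal logout. The browser still sends the app cookie, header is gone.
    session, _ = resolver(store, cookie, None)
    seen["after_logout"] = session.user if session else None
    # Steps 6-7: user2 logs in at the portal and clicks the app on the same browser.
    session, _ = resolver(store, cookie, "user2")
    seen["step7"] = session.user if session else None
    return seen


if __name__ == "__main__":
    print("without check:", walk_reproduction(naive_resolve))
    print("with check:   ", walk_reproduction(resolve_session))
```

Run against `naive_resolve`, the replay shows user1 at every step, which is exactly what the reports above describe; with `resolve_session` the portal logout leaves the app anonymous and step 7 shows user2.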

Shnoulle commented 7 years ago

Think limesurvey_ynh has the same issue, I'll take a look. But clearly: seems critical in some situations (maybe I can look at photos uploaded by my son ;) )

mofoch commented 7 years ago

I just tested this on latest version 12.0 with the following result:

  1. Login with user on yunohost portal (e.g. https://mydomain.org/yunohost/sso)
  2. Open nextcloud from yunohost portal (e.g. in new tab)
  3. Logout from yunohost portal
  4. Reloading nextcloud tab: user is still logged in!

croulibri commented 6 years ago

I thought the closing of https://github.com/YunoHost-Apps/nextcloud_ynh/issues/83 meant this bug also (I called it bug 2) was solved but this is not yet the case :-( Hope some solution can be found.

alexAubin commented 5 years ago

Somebody reported this issue today.

Do we have any way foreseen to fix this ? :s

JimboJoe commented 5 years ago

This is a long pending issue on every app: how can you automatically log out from applications when logging out from the portal? Naively there could be a mechanism in SSOwat to subscribe to the different apps' logout URLs and call them from the client browser when logging out from the portal... yet there may be cross-site security issues...

nathanael-h commented 4 years ago

Hello, I had this problem today: one of my friends used my computer to go to his Nextcloud account. I clicked log out in the SSO panel which was connected to his account, then I went to the Nextcloud page and I found it still connected to my friend's account.

This issue is quite old, how could I help to fix it? Is there any update since the last message?

JimboJoe commented 4 years ago

I'm afraid not...

Thatoo commented 4 years ago

No update on this issue?

alexAubin commented 4 years ago

Not really, this is not trivial to fix ...

c.f. https://github.com/YunoHost/issues/issues/501 which is the more general core issue (because several apps are affected by this kind of stuff).

Maybe in the most simple case it's only about invalidating some cookies but it's not clear ... somebody needs to have a deep look into it

felagund commented 3 weeks ago

A workaround with questionable security is to disable CSRF on nextcloud as per https://github.com/nextcloud/user_saml/issues/114#issuecomment-2053672055 and then use nginx to redirect you after logging out of yunohost to cloud.yourdomain.xyz/logout