nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

config.php - Disable Remember Login #1358

Closed MeCias closed 2 years ago

MeCias commented 8 years ago

Hi guys,

You are offering for a lot of events off and on switches in the config.php even for session_keepalive. For the Remember Login there is just the possibility to change the remember_login_cookie_lifetime. It would be great to switch off and hide the Remember Login via config.php as well, since the App that exists for this seems to be discontinued and ever since experimental.

Thanks in advance for considering it.

chaos-prevails commented 7 years ago

Are there any plans to be able to hide the remember login via config.php or other means (except the discontinued plugin)?

AFAIK #1347 does not fix this.

ghost commented 7 years ago

The setting 'remember_login_cookie_lifetime' => 0, does not work?

chaos-prevails commented 7 years ago

No, unfortunately not. Checkbox stays. To remove the checkbox, see https://github.com/nextcloud/server/pull/1347#issuecomment-271861176

It would be easier if the checkbox is removed/hidden as soon as 'remember_login_cookie_lifetime' is set to 0

Wikinaut commented 7 years ago

The Disable Remember Login App appears to be not working with NC 12.0.0. I would also prefer what has been proposed here: add a configuration option to disable the check box on the login screen.

alve89 commented 7 years ago

This might be a security sensitive issue if users are authenticated against an external identity provider. So this feature is not only a nice-to-have but rather a must-have.

GitHubUser4234 commented 7 years ago

Yeah, since this commit removed the ability to disable the "Stay logged in" checkbox via the rememberlogin flag in the info.xml of an app, it looks like CSS / PHP hacking are the only option to disable it, that's really sad 😢

MorrisJobke commented 7 years ago

I don't really see the background of this one here. What use case should be solved by this? If the user clicks actively on a "remember me" checkbox maybe the intention of this user is to keep logged in. All that is solved by this is that an admin makes the life of a user harder and pulls rights from the users. If an admin thinks that its users are not smart enough to figure out that this may be a problem, then it's maybe better to not give the user an account at all.

Adding a feature flag here also doesn't help a lot for the maintenance of Nextcloud itself. If you really really really want to drop this option: then implement an app, that overwrites the CSS to hide this feature and overwrites the session variable that sets this flag in the PHP, but it is very unlikely that this will be implemented in the server itself, because we see this as a valuable feature and something that makes the life of our users a lot easier.

I will close this ticket here. Sorry for the inconvenience.

Wikinaut commented 7 years ago

@MorrisJobke There was (is) still an App for this, but it does not work any more (since about version 9 or 10 owncloud/nextcloud).

chaos-prevails commented 7 years ago

@MorrisJobke Many services also have minimum password requirements. These rules are there because many users would otherwise choose weak passwords. I think disabling the remember me checkbox would fall into the same category. It prevents users from saving login credentials on computers where they should normally be not saved

MariusBluem commented 7 years ago

Maybe somebody wants to add a checkbox for this into the password_policy-app?!

MorrisJobke commented 7 years ago

> It prevents users from saving login credentials on computers where they should normally be not saved

That is the reason that this is disabled by default. If you fear this, then maybe set the session to a super short time span. I don't see why completely disabling that feature helps somebody.

> @MorrisJobke There was (is) still an App for this, but it does not work any more (since about version 9 or 10 owncloud/nextcloud).

Yes, but this will not be implemented in the server in itself. It will always be in an app, because our goal at Nextcloud is to make life easier and not harder. And additionally it is quite unlikely that the server team itself will maintain this app. Somebody can implement this app and maintain it. That is the reason why I closed this ticket in the server repo, because this is the bug and feature tracker of the server component itself and not the feature tracker for all the app wishes out there.

We also need to somehow organise ourselves and dumping random feature wishes in it, that are better to be implemented in a separate app does not help us.

If the previous working app is broken, then report it to the maintainer of this app and not in the server.

Please keep this ticket closed. Thanks

Wikinaut commented 7 years ago

Then please remove the box fully: "Stay logged in". it is unsafe as such.

MorrisJobke commented 7 years ago

> Then please remove the box fully: "Stay logged in". it is unsafe as such.

Then we should not run servers in the internet 😉 they are unsafe as such

Wikinaut commented 7 years ago

@LukasReschke Please tell Morris, that the box on the login page should be removed. It is unsafe to have the box, because when a user logs in in an Internet Café or so and clicks the box, the credentials are saved.

Wikinaut commented 7 years ago

@MorrisJobke

> Then we should not run servers in the internet 😉 they are unsafe as such

That is not an objective argument.

MorrisJobke commented 7 years ago

> it is unsafe as such.

If this is the case, then most companies in the internet business do it completely wrong. Sometimes you should not look at how other projects do it, but often it's quite good to also think a bit more about it and not just randomly kill stuff.

> @LukasReschke Please tell Morris, that the box on the login page should be removed. It is unsafe to have the box, because when a user logs in in an Internet Café or so and clicks the box, the credentials are saved.

There is an easy solution for this rare case: Just don't tick the box, which is the default scenario.

GitHubUser4234 commented 7 years ago

@MorrisJobke: There are use cases for this: In some projects (including ours), users are not allowed to use this feature for their own safety! Please give us the option back. Implementation-wise it doesn't look like much effort either?

MariusBluem commented 7 years ago

> Please give us the option back.

A no longer maintained 3rdparty-app is nothing we have removed. It was the decision of the developer to not continue the development.

> Implementation-wise it doesn’t look like much effort either?

If you think so, I do not understand, why you don’t take the time to create an app (maybe based on https://apps.owncloud.com/content/show.php/Disable+Remember+Login?content=162551) and submit it in our App Store ... this is how open source works ;)

If you don’t know how this can be done, I cannot understand how you can say, that this would not cost much effort :)

ghost commented 7 years ago

@GitHubUser4234 @Wikinaut Use the app Custom CSS and hide the login checkbox (and other elements like the contacts menu). Problem solved.

https://apps.nextcloud.com/apps/theming_customcss https://github.com/juliushaertl/theming_customcss

GitHubUser4234 commented 7 years ago

@MariusBluem Wrong. Have a look again at my first comment above. Besides, we never used that third-party app before, but put the flag into a config of an own custom app which has a totally different purpose - not a nice solution, but still better than source code hacking. Being able to set the value in config.php would certainly be a much cleaner solution. So please try to be more constructive here.

@xraMsamohT Yep, that's what we did, but having to maintain and potentially update custom source code with every Nextcloud release is far from ideal. Agreeing with @alve89 in that regard.

GitHubUser4234 commented 7 years ago

@alve89 Aaaaargh, I accidentally deleted your comment, (combination of mobile phone and fat fingers), I'm really sorry, could you repost it? Thanks ~

alve89 commented 7 years ago

> If you don't know how this can be done, I cannot understand how you can say, that this would not cost much effort

I can't see the point to make this available with an app - why not only with an option within the config? Because THIS wouldn't cost any effort to write one if-clause.

@MorrisJobke Of course you want to make the life of users more easy - but if admins please for this feature it shouldn't be ignored! A discussion helps the other side to see and understand the reasons - just ignoring it by closing the thread isn't that user-friendly. Every admin is free to make the remember function usable or not. If one wants to hide it for several reasons he should be able to do this!

GitHubUser4234 commented 7 years ago

For some projects, data protection is really essential. It could be as critical as data you have in Online-Banking. It would be unimaginable to find a "Remember me?" checkbox for Online-Banking access, wouldn't it?

@LukasReschke Would be glad to hear your comment also :)

ChristophWurst commented 7 years ago

> GitHubUser4234 deleted a comment from alve89 41 minutes ago

Again? 😮

alve89 commented 7 years ago

@ChristophWurst

No, it's still there. Fortunately. 😊

MorrisJobke commented 7 years ago

Just to say: This is only an enhancement ticket and nobody can guarantee that this will be implemented at all. Pull requests are obviously welcome. ;)

GitHubUser4234 commented 7 years ago

> Just to say: This is only an enhancement ticket and nobody can guarantee that this will be implemented at all. Pull requests are obviously welcome. ;)

Thanks @MorrisJobke 👍 At least this opens a door to potential contributors, knowing that such enhancement would actually be accepted.

Hey guys, anyone having some spare resources to add the feature? For a start, one could probably have a look at this commit and rollback the changes, but instead of looking for the rememberlogin in an app's info.xml, one would simply lookup the flag in config.php.

rmsmgaspar commented 6 years ago

Hi, You can comment the lines with this info in the login page. Tested and worked.

wehkah commented 6 years ago

I am puzzled because no one has mentioned the obvious reason why this option ("remember me") should be removable from the login page: if users set this option and lose their devices, then anyone who finds the devices will be able to access the clouded data as well. This might be just slightly embarrassing when it concerns personal data of an unprivileged user, but it becomes a security breach if it happens to a privileged user or even a (sub-)admin.

Wikinaut commented 6 years ago

@wehkah (my comment August 2017:) @LukasReschke Please tell Morris, that the box on the login page should be removed. It is unsafe to have the box, because when a user logs in in an Internet Café or so and clicks the box, the credentials are saved.

chaos-prevails commented 6 years ago

I agree with @Wikinaut and @wehkah : this is a security issue.

Nextcloud is advocating security and privacy. At the same time this checkbox can cause grave security implications.

First, my experience is, that unfortunately, many users choose the most convenient setup over time, even if it compromises security. There are password policies (length, complexity) for the same reasons: most users need compulsion.

Second, there are alternatives for a fast login, like keepass and other password managers. They auto-complete username+password in a heartbeat.

ChristophWurst commented 6 years ago

> Second, there are alternatives for a fast login, like keepass and other password managers. They auto-complete username+password in a heartbeat.

Interesting that you're mentioning this in this context, where one claims that Nextcloud is insecure because of the remember-login feature.

@chaos-prevails would you be interested in working on this? I could give you some pointers to get started - just let me know!

chaos-prevails commented 6 years ago

Hi @ChristophWurst ,

yes please give me some pointers. I assume the goal is to have the checkbox configurable via the config.inc.php file?

ChristophWurst commented 6 years ago

It should be easy to locate the corresponding test cases that have to be adapted and extended for this feature.

BloodyIron commented 6 years ago

There used to be an app for ownCloud that literally enabled you to disable the checkbox. What happened to that? I can't find the app any more now that I've moved to Nextcloud D:

Wikinaut commented 6 years ago

@BloodyIron the app has not been working for a long time - you cannot "disable" the remember setting with the app, I guess, this is why the app has been removed (for both owncloud and nextcloud).

BloodyIron commented 6 years ago

So how about we have this as a built-in feature then already?

GitHubUser4234 commented 4 years ago

If I'm not mistaken, "Remember Me" is now always enabled (see #9109), but according to #13747 it can be disabled by setting remember_login_cookie_lifetime to 0. Please correct me if I'm wrong, otherwise this can probably be closed.
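
An added example, not part of the thread or of Nextcloud's code: one way for an admin to verify the behaviour described in the comment above is to look at the `Set-Cookie` headers of a login response and report any remember-me cookie that outlives the browser session. The cookie names `nc_username`, `nc_token` and `nc_session_id` are an assumption (the thread does not name them), and both header samples are constructed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumption: remember-me cookie names; they are not given in the thread.
REMEMBER_COOKIES = ("nc_username", "nc_token", "nc_session_id")

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {attribute: value})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        if key:
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def cookie_lifetime(attrs, now):
    """Seconds the browser keeps the cookie, or None for a session cookie.
    Max-Age takes precedence over Expires (RFC 6265)."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"])
        except ValueError:
            pass  # malformed Max-Age: fall back to Expires
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            return int((expires - now).total_seconds())
        except (TypeError, ValueError):
            return None
    return None

def persistent_remember_cookies(set_cookie_headers, now=None):
    """Return [(name, seconds)] for remember-me cookies that persist."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name in REMEMBER_COOKIES:
            lifetime = cookie_lifetime(attrs, now)
            if lifetime is not None and lifetime > 0:  # <= 0 means deletion
                findings.append((name, lifetime))
    return findings

# Constructed samples: a remembered login, and a login with the lifetime set to 0.
LOGIN_REMEMBERED = ["oc_sessionPassphrase=x; path=/; secure; HttpOnly"] + [
    f"{n}=constructed; Max-Age=1296000; path=/; secure; HttpOnly" for n in REMEMBER_COOKIES]
LOGIN_LIFETIME_ZERO = ["oc_sessionPassphrase=x; path=/; secure; HttpOnly",
                       "nc_token=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/"]
```

An empty result for a login made with the box ticked (or on a version without the box) indicates that no persistent login token reached the browser.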

CarlSchwan commented 2 years ago

The login view was ported to vue and there is no such checkbox anymore