search

nextcloud / twofactor_totp

🔑 Second factor TOTP (RFC 6238) provider for Nextcloud
https://apps.nextcloud.com/apps/twofactor_totp
GNU Affero General Public License v3.0
294 stars 56 forks source link

[NC29] TOTP skipped after session timeout #1563

Open GitHubUser4234 opened 2 months ago

GitHubUser4234 commented 2 months ago

Hi,

This looks like a bug but hopefully is a config issue or the likes. On a fresh NC29 install with twofactor_totp app enabled, the OTP screen is skipped when the user stops at the OTP screen and waits for the session to timeout. Please help, thank you.

Steps to reproduce

  1. Login as a user with totp enabled.
  2. Enter OTP on the OTP screen and access the "Files" page.
  3. Click "Logout".
  4. Login again as the same user.
  5. Stay on the OTP screen (URL ../server/index.php/login/challenge/totp) until the session expires.
  6. Refresh the page. The user is logged in and can view the "Files" page etc...

Expected behaviour

The user should be forced to login again

Actual behaviour

User is logged in, OTP is skipped

Server configuration

Operating system: RHEL 8

Web server: Apache 2.4

Database: MySQL

PHP version: PHP 8.3

Version: (see admin page) NC 29.0.7.1

Updated from an older version or fresh install:

List of activated apps:


 - activity: 2.21.1
  - admin_audit: 1.19.0
  - circles: 29.0.0-dev
  - cloud_federation_api: 1.12.0
  - contactsinteraction: 1.10.0
  - dashboard: 7.9.0
  - dav: 1.30.1
  - federatedfilesharing: 1.19.0
  - files: 2.1.1
  - files_downloadlimit: 2.0.0
  - files_reminders: 1.2.0
  - files_sharing: 1.21.0
  - files_trashbin: 1.19.0
  - files_versions: 1.22.0
  - logreader: 2.14.0
  - lookup_server_connector: 1.17.0
  - notifications: 2.17.0
  - oauth2: 1.17.1
  - provisioning_api: 1.19.0
  - related_resources: 1.4.0
  - serverinfo: 1.19.0
  - settings: 1.12.0
  - support: 1.12.0
  - text: 3.10.1
  - theming: 2.4.0
  - twofactor_backupcodes: 1.18.0
  - twofactor_totp: 11.0.0-dev
  - user_ldap: 1.20.0
  - user_status: 1.9.0
  - viewer: 2.3.0
  - weather_status: 1.9.0
  - workflowengine: 2.11.0

The content of config/config.php:

<?php
$CONFIG = array (
  'instanceid' => 'xxxx',
  'passwordsalt' => 'xxxx',
  'secret' => 'xxxx',
  'trusted_domains' =>
  array (
    0 => 'xxxx',
  ),
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'filelocking.enabled' => true,
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => 'xxxx',
    'port' => xxxx,
    'timeout' => 0,
  ),
  'datadirectory' => 'xxxx',
  'dbtype' => 'mysql',
  'version' => '29.0.7.1',
  'dbname' => 'xxxx',
  'dbhost' => 'xxxx',
  'dbport' => 'xxxx',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'xxxx',
  'dbpassword' => 'xxxx',
  'logtimezone' => 'xxxx',
  'installed' => true,
  'loglevel' => 0,
  'updatechecker' => false,
  'has_internet_connection' => false,
  'appstoreenabled' => false,
  'mail_smtpmode' => 'smtp',
  'mail_smtphost' => 'xxxx',
  'mail_from_address' => 'xxxx',
  'mail_domain' => 'xxxx',
  'mail_smtpport' => 'xxxx',
  'mail_smtpsecure' => 'tls',
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
  'theme' => 'fis',
  'maintenance' => false,
  'trusted_proxies' =>
  array (
    0 => 'xxxx',
  ),
  'session_lifetime' => 1800,
  'session_keepalive' => false,
  'remember_login_cookie_lifetime' => 0,
  'singleuser' => false,
  'mysql.utf8mb4' => true,
  'cron_log' => true,
  'logfile' => 'xxxx',
  'overwrite.cli.url' => 'xxxx',
  'enable_previews' => false,
  'auth.bruteforce.protection.enabled' => false,
  'twofactor_enforced' => 'true',
  'twofactor_enforced_groups' =>
  array (
  ),
  'twofactor_enforced_excluded_groups' =>
  array (
  ),
  'logfile_audit' => 'xxxx',
);

Client configuration

Browser: Firefox

Operating system: Windows 11

Logs

Web server error log
xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx - - [19/Sep/2024:11:58:54 +0800] "GET /server/index.php/login/challenge/totp HTTP/1.1" 303 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0" 2040364
xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx - - [19/Sep/2024:11:58:56 +0800] "GET /server/index.php/apps/files/ HTTP/1.1" 200 11006 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0" 1083888
xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx - - [19/Sep/2024:11:58:57 +0800] "GET /server/dist/core-common.js?v=8d4b5830-14 HTTP/1.1" 200 5045480 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0" 13967
...
Server log (data/nextcloud.log)
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:54+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"--","app":"no app in context","method":"GET","url":"/server/index.php/login/challenge/totp","message":"The loading of lazy AppConfig values have been requested","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","exception":{"Exception":"RuntimeException","Message":"ignorable exception","Code":0,"Trace":[{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/AppConfig.php","line":1208,"function":"loadConfig","class":"OC\\AppConfig","type":"->","args":[null]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/AppConfig.php","line":127,"function":"loadConfigAll","class":"OC\\AppConfig","type":"->","args":[]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/AllConfig.php","line":196,"function":"getKeys","class":"OC\\AppConfig","type":"->","args":["user_ldap"]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/apps/user_ldap/lib/Helper.php","line":133,"function":"getAppKeys","class":"OC\\AllConfig","type":"->","args":["user_ldap"]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/apps/user_ldap/lib/Helper.php","line":74,"function":"getServersConfig","class":"OCA\\User_LDAP\\Helper","type":"->","args":["ldap_configuration_active"]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/apps/user_ldap/lib/AppInfo/Application.php","line":133,"function":"getServerConfigurationPrefixes","class":"OCA\\User_LDAP\\Helper","type":"->","args":[true]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/AppFramework/Bootstrap/FunctionInjector.php","line":45,"function":"OCA\\User_LDAP\\AppInfo\\{closure}","class":"OCA\\User_LDAP\\AppInfo\\Application","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/AppFramework/Bootstrap/BootContext.php","line":50,"function":"injectFn","class":"OC\\AppFramework\\Bootstrap\\FunctionInjector","type":"->","args":[["Closure"]]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/apps/user_ldap/lib/AppInfo/Application.php","line":124,"function":"injectFn","class":"OC\\AppFramework\\Bootstrap\\BootContext","type":"->","args":[["Closure"]]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/AppFramework/Bootstrap/Coordinator.php","line":200,"function":"boot","class":"OCA\\User_LDAP\\AppInfo\\Application","type":"->","args":[["OC\\AppFramework\\Bootstrap\\BootContext"]]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/App/AppManager.php","line":437,"function":"bootApp","class":"OC\\AppFramework\\Bootstrap\\Coordinator","type":"->","args":["user_ldap"]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/App/AppManager.php","line":216,"function":"loadApp","class":"OC\\App\\AppManager","type":"->","args":["user_ldap"]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/legacy/OC_App.php","line":128,"function":"loadApps","class":"OC\\App\\AppManager","type":"->","args":[["authentication"]]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/base.php","line":1030,"function":"loadApps","class":"OC_App","type":"::","args":[["authentication"]]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/index.php","line":49,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/AppConfig.php","Line":1222,"message":"The loading of lazy AppConfig values have been requested","exception":{},"CustomMessage":"The loading of lazy AppConfig values have been requested"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:54+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"--","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_explode_dn with parameters [\"xxxxx\",0]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:54+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"--","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_connect with parameters [\"ldaps:\\/\\/10.123.60.11:20636\"]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:54+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"--","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_set_option with parameters [{},17,3]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:54+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"--","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_set_option with parameters [{},8,0]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:54+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"--","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_set_option with parameters [{},20485,\"15\"]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:54+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"--","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_bind with parameters [{},\"uid=xxxxxxx,ou=xxxx,o=xxxx\",\"***REMOVED SENSITIVE VALUE***\"]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:54+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"--","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_read with parameters [{},\"uid=xxxxx,ou=xxxx,ou=xxxx,o=xxxx\",\"(|(objectclass=inetOrgPerson))\",[\"\"],0,-1]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:54+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"--","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_count_entries with parameters [{},{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"--","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"readAttribute: uid=xxxxx,ou=xxxx,ou=xxxx,o=xxxx found","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":1,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"OCA\\User_LDAP\\LoginListener \u2013 xxxxx postLogin","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"initializing paged search for filter objectclass=*, base uid=xxxxx,ou=xxxx,ou=xxxx,o=xxxx, attr [\"pwdpolicysubentry\",\"pwdgraceusetime\",\"pwdreset\",\"pwdchangedtime\"], pageSize 5003, offset 0","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Ready for a paged search","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_search with parameters [{},\"uid=xxxxx,ou=xxxx,ou=xxxx,o=xxxx\",\"objectclass=*\",[\"pwdpolicysubentry\",\"pwdgraceusetime\",\"pwdreset\",\"pwdchangedtime\"],0,0,-1,0,[{\"oid\":\"1.2.840.113556.1.4.319\",\"value\":{\"size\":5003,\"cookie\":\"\"},\"iscritical\":false}]]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_errno with parameters [{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_get_entries with parameters [{},{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_parse_result with parameters [{},{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"initializing paged search for filter objectclass=*, base cn=default,ou=policies,ou=xxxx,o=xxxx, attr [\"pwdgraceauthnlimit\",\"pwdmaxage\",\"pwdexpirewarning\"], pageSize 5003, offset 0","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Ready for a paged search","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_search with parameters [{},\"cn=default,ou=policies,ou=xxxx,o=xxxx\",\"objectclass=*\",[\"pwdgraceauthnlimit\",\"pwdmaxage\",\"pwdexpirewarning\"],0,0,-1,0,[{\"oid\":\"1.2.840.113556.1.4.319\",\"value\":{\"size\":5003,\"cookie\":\"\"},\"iscritical\":false}]]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_errno with parameters [{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_get_entries with parameters [{},{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_parse_result with parameters [{},{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_read with parameters [{},\"uid=xxxxx,ou=xxxx,ou=xxxx,o=xxxx\",\"objectClass=*\",[\"displayname\"],0,-1]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_first_entry with parameters [{},{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_get_attributes with parameters [{},{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"initializing paged search for filter (&(|(objectclass=inetOrgPerson))(uid=xxxxx)), base ou=xxxx,ou=xxxx,o=xxxx, attr [\"entryuuid\",\"nsuniqueid\",\"objectguid\",\"guid\",\"ipauniqueid\",\"dn\",\"uid\",\"samaccountname\",\"memberof\",\"mail\",\"displayname\",\"jpegphoto\",\"thumbnailphoto\"], pageSize 5003, offset 0","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Ready for a paged search","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_search with parameters [{},\"ou=xxxx,ou=xxxx,o=xxxx\",\"(&(|(objectclass=inetOrgPerson))(uid=xxxxx))\",[\"entryuuid\",\"nsuniqueid\",\"objectguid\",\"guid\",\"ipauniqueid\",\"dn\",\"uid\",\"samaccountname\",\"memberof\",\"mail\",\"displayname\",\"jpegphoto\",\"thumbnailphoto\"],0,0,-1,0,[{\"oid\":\"1.2.840.113556.1.4.319\",\"value\":{\"size\":5003,\"cookie\":\"\"},\"iscritical\":false}]]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:56+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_errno with parameters [{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:56+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_get_entries with parameters [{},{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:56+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_parse_result with parameters [{},{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:56+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_connect with parameters [\"ldaps:\\/\\/10.123.60.11:20636\"]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:56+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_set_option with parameters [{},17,3]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:56+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_set_option with parameters [{},8,0]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:56+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_set_option with parameters [{},20485,\"15\"]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:56+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_bind with parameters [{},\"uid=xxxxx,ou=xxxx,ou=xxxx,o=xxxx\",\"***REMOVED SENSITIVE VALUE***\"]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:56+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"profile data from LDAP unchanged","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap","uid":"xxxxx"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:56+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_unbind with parameters [{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD8KNz3Qj9a4DzD42kWgAAAIs","level":0,"time":"2024-09-19T11:58:56+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"no app in context","method":"GET","url":"/server/index.php/apps/files/","message":"The loading of lazy AppConfig values have been requested","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","exception":{"Exception":"RuntimeException","Message":"ignorable exception","Code":0,"Trace":[{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/AppConfig.php","line":1208,"function":"loadConfig","class":"OC\\AppConfig","type":"->","args":[null]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/AppConfig.php","line":127,"function":"loadConfigAll","class":"OC\\AppConfig","type":"->","args":[]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/AllConfig.php","line":196,"function":"getKeys","class":"OC\\AppConfig","type":"->","args":["user_ldap"]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/apps/user_ldap/lib/Helper.php","line":133,"function":"getAppKeys","class":"OC\\AllConfig","type":"->","args":["user_ldap"]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/apps/user_ldap/lib/Helper.php","line":74,"function":"getServersConfig","class":"OCA\\User_LDAP\\Helper","type":"->","args":["ldap_configuration_active"]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/apps/user_ldap/lib/AppInfo/Application.php","line":133,"function":"getServerConfigurationPrefixes","class":"OCA\\User_LDAP\\Helper","type":"->","args":[true]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/AppFramework/Bootstrap/FunctionInjector.php","line":45,"function":"OCA\\User_LDAP\\AppInfo\\{closure}","class":"OCA\\User_LDAP\\AppInfo\\Application","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/AppFramework/Bootstrap/BootContext.php","line":50,"function":"injectFn","class":"OC\\AppFramework\\Bootstrap\\FunctionInjector","type":"->","args":[["Closure"]]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/apps/user_ldap/lib/AppInfo/Application.php","line":124,"function":"injectFn","class":"OC\\AppFramework\\Bootstrap\\BootContext","type":"->","args":[["Closure"]]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/AppFramework/Bootstrap/Coordinator.php","line":200,"function":"boot","class":"OCA\\User_LDAP\\AppInfo\\Application","type":"->","args":[["OC\\AppFramework\\Bootstrap\\BootContext"]]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/App/AppManager.php","line":437,"function":"bootApp","class":"OC\\AppFramework\\Bootstrap\\Coordinator","type":"->","args":["user_ldap"]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/App/AppManager.php","line":216,"function":"loadApp","class":"OC\\App\\AppManager","type":"->","args":["user_ldap"]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/legacy/OC_App.php","line":128,"function":"loadApps","class":"OC\\App\\AppManager","type":"->","args":[["authentication"]]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/base.php","line":1030,"function":"loadApps","class":"OC_App","type":"::","args":[["authentication"]]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/index.php","line":49,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/AppConfig.php","Line":1222,"message":"The loading of lazy AppConfig values have been requested","exception":{},"CustomMessage":"The loading of lazy AppConfig values have been requested"}}
{"reqId":"ZuwD8KNz3Qj9a4DzD42kWgAAAIs","level":0,"time":"2024-09-19T11:58:56+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/apps/files/","message":"Calling LDAP function ldap_explode_dn with parameters [\"xxxxx\",0]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD8KNz3Qj9a4DzD42kWgAAAIs","level":0,"time":"2024-09-19T11:58:56+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/apps/files/","message":"Count filter: (&(|(objectclass=inetOrgPerson))(displayname=*))","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
...
ChristophWurst commented 1 month ago

Hi @GitHubUser4234! Thank you for the report. I was not able to reproduce. Even with lost session data, I need to pass the 2FA screen before Nextcloud allows me to access my account.

GitHubUser4234 commented 1 month ago

Hi @GitHubUser4234! Thank you for the report. I was not able to reproduce. Even with lost session data, I need to pass the 2FA screen before Nextcloud allows me to access my account.

Hm, have you tried the above settings, in particular:

  'session_lifetime' => 1800,
  'session_keepalive' => false,
  'remember_login_cookie_lifetime' => 0,

And also waited for the session timeout rather than deleting cookies?

ChristophWurst commented 1 month ago

Thank you for the pointers. I tried with the updated instructions but came to the result that I was just logged out after the session expiry. After the page reload I saw the login page.

GitHubUser4234 commented 1 month ago

Hi @ChristophWurst,

Further testing came up with the following finding:

If only the session_lifetime in config.php has timed out, but the session.gc_maxlifetime in php.ini has NOT timeout, then the login page is shown as normal. BUT if the session.gc_maxlifetime in php.ini has also expired, then the user is logged in after refreshing the TOTP screen. For fast testing, please try these settings:

in config.php:

'session_lifetime' => 10,
'session_keepalive' => false,
'remember_login_cookie_lifetime' => 0,

in php.ini: session.gc_maxlifetime=15

Then refresh the TOTP screen after >20seconds.

Thanks!

ChristophWurst commented 1 month ago

I've tried again and followed the instructions closely. I'm still always logged out. I've tried both a git checkout of the Nextcloud sources and https://hub.docker.com/_/nextcloud.

How did you set up Nextcloud?

GitHubUser4234 commented 1 month ago

I'm still always logged out.

Really odd, there must be some difference then, hm...

How did you set up Nextcloud?

By installing https://download.nextcloud.com/server/releases/latest-29.tar.bz2