nextcloud / user_external

👥 External user authentication methods like IMAP, SMB and FTP
https://apps.nextcloud.com/apps/user_external

checkToken verification fails when IMAP is used as backend. #70

Open ediazcomellas opened 5 years ago

ediazcomellas commented 5 years ago

Steps to reproduce

  1. Configure IMAP backend for authentication, with SSL

Expected behaviour

User should be able to maintain the session open more than 5 minutes

Actual behaviour

Sessions are closed after 5 minutes

Affected Authentication backend

IMAP (at least)

Server configuration

0.6.1 Ubuntu 18.04 Apache Mariadb 7.0.33 Nextcloud 15.0.7 Updated from previous version

ediazcomellas commented 5 years ago

I previously updated a core issue:

https://github.com/nextcloud/server/issues/11120

I will reproduce the key findings here:

So after several sessions of debug, we found lib/private/User/Session.php, line 680: function checkToken:

```php
680 private function checkTokenCredentials(IToken $dbToken, $token) {
681     // Check whether login credentials are still valid and the user was not disabled
682     // This check is performed each 5 minutes
683     $lastCheck = $dbToken->getLastCheck() ? : 0;
684     $now = $this->timeFactory->getTime();
685     if ($lastCheck > ($now - 60 * 5)) {
686         // Checked performed recently, nothing to do now
687         return true;
688     }
689
690     try {
691         $pwd = $this->tokenProvider->getPassword($dbToken, $token);
692     } catch (InvalidTokenException $ex) {
693         // An invalid token password was used -> log user out
694         return false;
695     } catch (PasswordlessTokenException $ex) {
696         // Token has no password
697
698         if (!is_null($this->activeUser) && !$this->activeUser->isEnabled()) {
699             $this->tokenProvider->invalidateToken($token);
700             return false;
701         }
702
703         $dbToken->setLastCheck($now);
704         return true;
705     }
```

Nextcloud is checking the password again after 5 minutes. Unfortunately, external_user must be missing something here, and the test always fails. As a result, the token is invalidated and the session must start again.

As a mitigation (in order to avoid users' rage) we have changed the time to 5000 minutes:

```php
685 if ($lastCheck > ($now - 60 * 5000)) {
```

This is something we would rather not do, as it opens the door to unsynced password problems.
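Added example, not code from Nextcloud core or user_external: a Python model of the re-validation loop quoted above, replayed against a fake user backend so the failure mode in the report can be reproduced offline. The excerpt stops before the non-passwordless path; the model assumes (labelled in the code) that core hands the stored password back to the user backend every interval and invalidates the token when that check fails. `imap_ssl_backend` is what the IMAP backend effectively does per check (a fresh TLS connection and LOGIN) and is provided only for running the same replay against your own server; the offline demo uses a constructed credential table, and the request timestamps are constructed too.

```python
import imaplib
import ssl
from dataclasses import dataclass, field
from typing import Callable, Optional

RECHECK_INTERVAL = 60 * 5  # the "each 5 minutes" in the quoted excerpt

PasswordCheck = Callable[[str, str], bool]


@dataclass
class Token:
    uid: str
    password: Optional[str]  # None models the PasswordlessTokenException branch
    last_check: int = 0      # getLastCheck(); 0 means "never"
    valid: bool = True       # False once invalidateToken() has run


@dataclass
class Session:
    """Stand-in for the part of Session::checkTokenCredentials() quoted above."""
    check_password: PasswordCheck        # the user backend, e.g. user_external's IMAP login
    recheck_interval: int = RECHECK_INTERVAL
    user_enabled: bool = True
    backend_calls: list = field(default_factory=list)  # (time, result) of every re-check

    def check_token_credentials(self, token: Token, now: int) -> bool:
        last_check = token.last_check or 0
        if last_check > now - self.recheck_interval:
            return True  # "Checked performed recently, nothing to do now"
        if not token.valid:
            return False  # already invalidated: the InvalidTokenException branch
        if token.password is None:
            if not self.user_enabled:
                token.valid = False
                return False
            token.last_check = now
            return True
        # Assumption (this part of core is not in the excerpt): the stored
        # password is re-verified by the user backend, and a failed check
        # invalidates the token, which is what ends the session in the report.
        ok = self.check_password(token.uid, token.password)
        self.backend_calls.append((now, ok))
        if not ok:
            token.valid = False
            return False
        token.last_check = now
        return True


def first_rejection(session: Session, token: Token, request_times) -> Optional[int]:
    """Replay requests at the given times; return the first time one is rejected."""
    for t in request_times:
        if not session.check_token_credentials(token, t):
            return t
    return None


def imap_ssl_backend(host: str, port: int = 993) -> PasswordCheck:
    """A fresh TLS connection and LOGIN per check, as the IMAP backend does.
    Use against your own server only; the offline demo below does not call it."""
    def check(uid: str, password: str) -> bool:
        try:
            with imaplib.IMAP4_SSL(host, port, ssl_context=ssl.create_default_context()) as conn:
                conn.login(uid, password)
            return True
        except (imaplib.IMAP4.error, OSError):
            return False
    return check


# Constructed sample data for the offline demo.
ACCEPTED = {"alice": "s3cret"}      # credentials the fake server accepts
REQUESTS = [0, 60, 240, 301, 600]   # seconds since login at which requests arrive


def table_backend(uid: str, password: str) -> bool:
    return ACCEPTED.get(uid) == password


def broken_backend(uid: str, password: str) -> bool:
    return False  # the reported behaviour: every re-check fails


def demo_healthy() -> Optional[int]:
    s = Session(check_password=table_backend)
    return first_rejection(s, Token("alice", "s3cret"), REQUESTS)  # None: session survives


def demo_broken() -> Optional[int]:
    s = Session(check_password=broken_backend)
    return first_rejection(s, Token("alice", "s3cret"), REQUESTS)  # 301: first request past 5 min


def demo_mitigated() -> Optional[int]:
    # The 5000-minute change from the report only postpones the same rejection.
    s = Session(check_password=broken_backend, recheck_interval=60 * 5000)
    return first_rejection(s, Token("alice", "s3cret"), REQUESTS + [86400, 300001])  # 300001
```

Running the three demos shows the shape of the bug: with a healthy backend the re-check at 301 s succeeds and `last_check` moves forward, with a backend that rejects the re-check the session dies on the first request after the interval, and raising the interval changes only when that happens. Pointing `imap_ssl_backend` at the real server and calling it twice in a row with the same credentials is the quickest way to see whether the IMAP side accepts a repeated login at all.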

violoncelloCH commented 5 years ago

hmm, do you have the users only registered over user_external and not on another user backend as well?

ultreiac commented 5 years ago

Yes, we only use IMAP as backend, should we use more than one?

violoncelloCH commented 5 years ago

no you explicitly should not have more than one backend which authenticates the same username... this issue reminds me of #3 which is caused by the admin having multiple backends (nextclouds own and user_external IMAP) for the same usernames... that's why I'm asking...

@ChristophWurst do you have an idea what could be causing this?

ediazcomellas commented 5 years ago

Then this issue is a real bug of user_external, and not a misconfiguration.

violoncelloCH commented 5 years ago

@ediazcomellas considering that user_external only does the authentication itself and not the session management, it could also be an issue in the core of nextcloud... anyway, as long as this is not reliably reproducible (seems still to depend on some other unknown factor(s), because it's still working for most users (including me) with the IMAP backend) it's quite hard to discover what's going wrong... If you have an idea how to fix it, you're more than welcome to provide a PR...

Mannshoch commented 3 years ago

This is still a problem

Mannshoch commented 3 years ago

Any news on this?