[NC29] TOTP skipped after session timeout #1563

Open
GitHubUser4234 opened this issue Sep 19, 2024 · 10 comments

@GitHubUser4234

Hi,

This looks like a bug but hopefully is a config issue or the like. On a fresh NC29 install with the twofactor_totp app enabled, the OTP screen is skipped when the user stops at the OTP screen and waits for the session to time out. Please help, thank you.

Steps to reproduce

  1. Log in as a user with totp enabled.
  2. Enter OTP on the OTP screen and access the "Files" page.
  3. Click "Logout".
  4. Log in again as the same user.
  5. Stay on the OTP screen (URL ../server/index.php/login/challenge/totp) until the session expires.
  6. Refresh the page. The user is logged in and can view the "Files" page etc...

Expected behaviour

The user should be forced to log in again

Actual behaviour

User is logged in, OTP is skipped

Server configuration

Operating system:
RHEL 8

Web server:
Apache 2.4

Database:
MySQL

PHP version:
PHP 8.3

Version: (see admin page)
NC 29.0.7.1

Updated from an older version or fresh install:

List of activated apps:


  - activity: 2.21.1
  - admin_audit: 1.19.0
  - circles: 29.0.0-dev
  - cloud_federation_api: 1.12.0
  - contactsinteraction: 1.10.0
  - dashboard: 7.9.0
  - dav: 1.30.1
  - federatedfilesharing: 1.19.0
  - files: 2.1.1
  - files_downloadlimit: 2.0.0
  - files_reminders: 1.2.0
  - files_sharing: 1.21.0
  - files_trashbin: 1.19.0
  - files_versions: 1.22.0
  - logreader: 2.14.0
  - lookup_server_connector: 1.17.0
  - notifications: 2.17.0
  - oauth2: 1.17.1
  - provisioning_api: 1.19.0
  - related_resources: 1.4.0
  - serverinfo: 1.19.0
  - settings: 1.12.0
  - support: 1.12.0
  - text: 3.10.1
  - theming: 2.4.0
  - twofactor_backupcodes: 1.18.0
  - twofactor_totp: 11.0.0-dev
  - user_ldap: 1.20.0
  - user_status: 1.9.0
  - viewer: 2.3.0
  - weather_status: 1.9.0
  - workflowengine: 2.11.0

The content of config/config.php:

<?php
$CONFIG = array (
  'instanceid' => 'xxxx',
  'passwordsalt' => 'xxxx',
  'secret' => 'xxxx',
  'trusted_domains' =>
  array (
    0 => 'xxxx',
  ),
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'filelocking.enabled' => true,
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => 'xxxx',
    'port' => xxxx,
    'timeout' => 0,
  ),
  'datadirectory' => 'xxxx',
  'dbtype' => 'mysql',
  'version' => '29.0.7.1',
  'dbname' => 'xxxx',
  'dbhost' => 'xxxx',
  'dbport' => 'xxxx',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'xxxx',
  'dbpassword' => 'xxxx',
  'logtimezone' => 'xxxx',
  'installed' => true,
  'loglevel' => 0,
  'updatechecker' => false,
  'has_internet_connection' => false,
  'appstoreenabled' => false,
  'mail_smtpmode' => 'smtp',
  'mail_smtphost' => 'xxxx',
  'mail_from_address' => 'xxxx',
  'mail_domain' => 'xxxx',
  'mail_smtpport' => 'xxxx',
  'mail_smtpsecure' => 'tls',
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
  'theme' => 'fis',
  'maintenance' => false,
  'trusted_proxies' =>
  array (
    0 => 'xxxx',
  ),
  'session_lifetime' => 1800,
  'session_keepalive' => false,
  'remember_login_cookie_lifetime' => 0,
  'singleuser' => false,
  'mysql.utf8mb4' => true,
  'cron_log' => true,
  'logfile' => 'xxxx',
  'overwrite.cli.url' => 'xxxx',
  'enable_previews' => false,
  'auth.bruteforce.protection.enabled' => false,
  'twofactor_enforced' => 'true',
  'twofactor_enforced_groups' =>
  array (
  ),
  'twofactor_enforced_excluded_groups' =>
  array (
  ),
  'logfile_audit' => 'xxxx',
);

Client configuration

Browser:
Firefox

Operating system:
Windows 11

Logs

Web server error log
xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx - - [19/Sep/2024:11:58:54 +0800] "GET /server/index.php/login/challenge/totp HTTP/1.1" 303 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0" 2040364
xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx - - [19/Sep/2024:11:58:56 +0800] "GET /server/index.php/apps/files/ HTTP/1.1" 200 11006 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0" 1083888
xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx - - [19/Sep/2024:11:58:57 +0800] "GET /server/dist/core-common.js?v=8d4b5830-14 HTTP/1.1" 200 5045480 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0" 13967
...
Server log (data/nextcloud.log)
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:54+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"--","app":"no app in context","method":"GET","url":"/server/index.php/login/challenge/totp","message":"The loading of lazy AppConfig values have been requested","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","exception":{"Exception":"RuntimeException","Message":"ignorable exception","Code":0,"Trace":[{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/AppConfig.php","line":1208,"function":"loadConfig","class":"OC\\AppConfig","type":"->","args":[null]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/AppConfig.php","line":127,"function":"loadConfigAll","class":"OC\\AppConfig","type":"->","args":[]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/AllConfig.php","line":196,"function":"getKeys","class":"OC\\AppConfig","type":"->","args":["user_ldap"]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/apps/user_ldap/lib/Helper.php","line":133,"function":"getAppKeys","class":"OC\\AllConfig","type":"->","args":["user_ldap"]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/apps/user_ldap/lib/Helper.php","line":74,"function":"getServersConfig","class":"OCA\\User_LDAP\\Helper","type":"->","args":["ldap_configuration_active"]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/apps/user_ldap/lib/AppInfo/Application.php","line":133,"function":"getServerConfigurationPrefixes","class":"OCA\\User_LDAP\\Helper","type":"->","args":[true]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/AppFramework/Bootstrap/FunctionInjector.php","line":45,"function":"OCA\\User_LDAP\\AppInfo\\{closure}","class":"OCA\\User_LDAP\\AppInfo\\Application","type":"->","args":["*** sensitive parameters replaced 
***"]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/AppFramework/Bootstrap/BootContext.php","line":50,"function":"injectFn","class":"OC\\AppFramework\\Bootstrap\\FunctionInjector","type":"->","args":[["Closure"]]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/apps/user_ldap/lib/AppInfo/Application.php","line":124,"function":"injectFn","class":"OC\\AppFramework\\Bootstrap\\BootContext","type":"->","args":[["Closure"]]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/AppFramework/Bootstrap/Coordinator.php","line":200,"function":"boot","class":"OCA\\User_LDAP\\AppInfo\\Application","type":"->","args":[["OC\\AppFramework\\Bootstrap\\BootContext"]]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/App/AppManager.php","line":437,"function":"bootApp","class":"OC\\AppFramework\\Bootstrap\\Coordinator","type":"->","args":["user_ldap"]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/App/AppManager.php","line":216,"function":"loadApp","class":"OC\\App\\AppManager","type":"->","args":["user_ldap"]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/legacy/OC_App.php","line":128,"function":"loadApps","class":"OC\\App\\AppManager","type":"->","args":[["authentication"]]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/base.php","line":1030,"function":"loadApps","class":"OC_App","type":"::","args":[["authentication"]]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/index.php","line":49,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/AppConfig.php","Line":1222,"message":"The loading of lazy AppConfig values have been requested","exception":{},"CustomMessage":"The loading of lazy AppConfig values have been requested"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:54+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"--","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_explode_dn with parameters [\"xxxxx\",0]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:54+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"--","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_connect with parameters [\"ldaps:\\/\\/10.123.60.11:20636\"]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:54+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"--","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_set_option with parameters [{},17,3]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:54+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"--","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_set_option with parameters [{},8,0]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:54+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"--","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_set_option with parameters [{},20485,\"15\"]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:54+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"--","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_bind with parameters [{},\"uid=xxxxxxx,ou=xxxx,o=xxxx\",\"***REMOVED SENSITIVE VALUE***\"]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:54+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"--","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_read with parameters [{},\"uid=xxxxx,ou=xxxx,ou=xxxx,o=xxxx\",\"(|(objectclass=inetOrgPerson))\",[\"\"],0,-1]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:54+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"--","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_count_entries with parameters [{},{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"--","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"readAttribute: uid=xxxxx,ou=xxxx,ou=xxxx,o=xxxx found","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":1,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"OCA\\User_LDAP\\LoginListener \u2013 xxxxx postLogin","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"initializing paged search for filter objectclass=*, base uid=xxxxx,ou=xxxx,ou=xxxx,o=xxxx, attr [\"pwdpolicysubentry\",\"pwdgraceusetime\",\"pwdreset\",\"pwdchangedtime\"], pageSize 5003, offset 0","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Ready for a paged search","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_search with parameters [{},\"uid=xxxxx,ou=xxxx,ou=xxxx,o=xxxx\",\"objectclass=*\",[\"pwdpolicysubentry\",\"pwdgraceusetime\",\"pwdreset\",\"pwdchangedtime\"],0,0,-1,0,[{\"oid\":\"1.2.840.113556.1.4.319\",\"value\":{\"size\":5003,\"cookie\":\"\"},\"iscritical\":false}]]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_errno with parameters [{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_get_entries with parameters [{},{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_parse_result with parameters [{},{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"initializing paged search for filter objectclass=*, base cn=default,ou=policies,ou=xxxx,o=xxxx, attr [\"pwdgraceauthnlimit\",\"pwdmaxage\",\"pwdexpirewarning\"], pageSize 5003, offset 0","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Ready for a paged search","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_search with parameters [{},\"cn=default,ou=policies,ou=xxxx,o=xxxx\",\"objectclass=*\",[\"pwdgraceauthnlimit\",\"pwdmaxage\",\"pwdexpirewarning\"],0,0,-1,0,[{\"oid\":\"1.2.840.113556.1.4.319\",\"value\":{\"size\":5003,\"cookie\":\"\"},\"iscritical\":false}]]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_errno with parameters [{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_get_entries with parameters [{},{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_parse_result with parameters [{},{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_read with parameters [{},\"uid=xxxxx,ou=xxxx,ou=xxxx,o=xxxx\",\"objectClass=*\",[\"displayname\"],0,-1]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_first_entry with parameters [{},{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_get_attributes with parameters [{},{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"initializing paged search for filter (&(|(objectclass=inetOrgPerson))(uid=xxxxx)), base ou=xxxx,ou=xxxx,o=xxxx, attr [\"entryuuid\",\"nsuniqueid\",\"objectguid\",\"guid\",\"ipauniqueid\",\"dn\",\"uid\",\"samaccountname\",\"memberof\",\"mail\",\"displayname\",\"jpegphoto\",\"thumbnailphoto\"], pageSize 5003, offset 0","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Ready for a paged search","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:55+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_search with parameters [{},\"ou=xxxx,ou=xxxx,o=xxxx\",\"(&(|(objectclass=inetOrgPerson))(uid=xxxxx))\",[\"entryuuid\",\"nsuniqueid\",\"objectguid\",\"guid\",\"ipauniqueid\",\"dn\",\"uid\",\"samaccountname\",\"memberof\",\"mail\",\"displayname\",\"jpegphoto\",\"thumbnailphoto\"],0,0,-1,0,[{\"oid\":\"1.2.840.113556.1.4.319\",\"value\":{\"size\":5003,\"cookie\":\"\"},\"iscritical\":false}]]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:56+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_errno with parameters [{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:56+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_get_entries with parameters [{},{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:56+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_parse_result with parameters [{},{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:56+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_connect with parameters [\"ldaps:\\/\\/10.123.60.11:20636\"]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:56+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_set_option with parameters [{},17,3]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:56+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_set_option with parameters [{},8,0]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:56+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_set_option with parameters [{},20485,\"15\"]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:56+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_bind with parameters [{},\"uid=xxxxx,ou=xxxx,ou=xxxx,o=xxxx\",\"***REMOVED SENSITIVE VALUE***\"]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:56+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"profile data from LDAP unchanged","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap","uid":"xxxxx"}}
{"reqId":"ZuwD7qNz3Qj9a4DzD42kVQAAAIQ","level":0,"time":"2024-09-19T11:58:56+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_unbind with parameters [{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD8KNz3Qj9a4DzD42kWgAAAIs","level":0,"time":"2024-09-19T11:58:56+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"no app in context","method":"GET","url":"/server/index.php/apps/files/","message":"The loading of lazy AppConfig values have been requested","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","exception":{"Exception":"RuntimeException","Message":"ignorable exception","Code":0,"Trace":[{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/AppConfig.php","line":1208,"function":"loadConfig","class":"OC\\AppConfig","type":"->","args":[null]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/AppConfig.php","line":127,"function":"loadConfigAll","class":"OC\\AppConfig","type":"->","args":[]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/AllConfig.php","line":196,"function":"getKeys","class":"OC\\AppConfig","type":"->","args":["user_ldap"]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/apps/user_ldap/lib/Helper.php","line":133,"function":"getAppKeys","class":"OC\\AllConfig","type":"->","args":["user_ldap"]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/apps/user_ldap/lib/Helper.php","line":74,"function":"getServersConfig","class":"OCA\\User_LDAP\\Helper","type":"->","args":["ldap_configuration_active"]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/apps/user_ldap/lib/AppInfo/Application.php","line":133,"function":"getServerConfigurationPrefixes","class":"OCA\\User_LDAP\\Helper","type":"->","args":[true]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/AppFramework/Bootstrap/FunctionInjector.php","line":45,"function":"OCA\\User_LDAP\\AppInfo\\{closure}","class":"OCA\\User_LDAP\\AppInfo\\Application","type":"->","args":["*** sensitive parameters replaced 
***"]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/AppFramework/Bootstrap/BootContext.php","line":50,"function":"injectFn","class":"OC\\AppFramework\\Bootstrap\\FunctionInjector","type":"->","args":[["Closure"]]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/apps/user_ldap/lib/AppInfo/Application.php","line":124,"function":"injectFn","class":"OC\\AppFramework\\Bootstrap\\BootContext","type":"->","args":[["Closure"]]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/AppFramework/Bootstrap/Coordinator.php","line":200,"function":"boot","class":"OCA\\User_LDAP\\AppInfo\\Application","type":"->","args":[["OC\\AppFramework\\Bootstrap\\BootContext"]]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/App/AppManager.php","line":437,"function":"bootApp","class":"OC\\AppFramework\\Bootstrap\\Coordinator","type":"->","args":["user_ldap"]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/App/AppManager.php","line":216,"function":"loadApp","class":"OC\\App\\AppManager","type":"->","args":["user_ldap"]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/legacy/OC_App.php","line":128,"function":"loadApps","class":"OC\\App\\AppManager","type":"->","args":[["authentication"]]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/base.php","line":1030,"function":"loadApps","class":"OC_App","type":"::","args":[["authentication"]]},{"file":"/cs-csfis/home/csfis00s11/www/nextcloud/index.php","line":49,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/cs-csfis/home/csfis00s11/www/nextcloud/lib/private/AppConfig.php","Line":1222,"message":"The loading of lazy AppConfig values have been requested","exception":{},"CustomMessage":"The loading of lazy AppConfig values have been requested"}}
{"reqId":"ZuwD8KNz3Qj9a4DzD42kWgAAAIs","level":0,"time":"2024-09-19T11:58:56+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/apps/files/","message":"Calling LDAP function ldap_explode_dn with parameters [\"xxxxx\",0]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"ZuwD8KNz3Qj9a4DzD42kWgAAAIs","level":0,"time":"2024-09-19T11:58:56+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"xxxxx","app":"user_ldap","method":"GET","url":"/server/index.php/apps/files/","message":"Count filter: (&(|(objectclass=inetOrgPerson))(displayname=*))","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
...
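A log check built from the pattern in the debug log above, added here as an example and not part of the issue or of Nextcloud's code: it flags a user whose `postLogin` message is logged during a GET of the challenge URL and who then reaches a non-login URL without a POST to the challenge. The sample lines, the 60-second window and the reliance on the user_ldap `postLogin` debug message are assumptions.

```python
import json
from datetime import datetime, timedelta

CHALLENGE = "/login/challenge/"   # 2FA challenge routes, as in the report's URLs
WINDOW = timedelta(seconds=60)    # assumed correlation window, tune per site
REQUIRED = {"reqId", "time", "user", "method", "url"}


def parse_entries(lines):
    """Yield nextcloud.log records, skipping physical lines that are not a
    complete JSON object (long stack traces can be split across lines)."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and REQUIRED <= rec.keys():
            yield rec


def find_totp_skips(lines):
    """Return one finding per user who was logged in while GETting the
    challenge page and then reached a non-login URL with no challenge POST."""
    pending = {}    # user -> (reqId, time) of postLogin seen on a challenge GET
    findings = []
    for rec in parse_entries(lines):
        user, url, method = rec["user"], rec["url"], rec["method"]
        if user in ("", "--"):          # no authenticated user on this record
            continue
        when = datetime.fromisoformat(rec["time"])
        on_challenge = CHALLENGE in url
        if on_challenge and method == "GET" and "postLogin" in rec.get("message", ""):
            # A login completed inside a GET of the challenge page.
            pending[user] = (rec["reqId"], when)
        elif on_challenge and method == "POST":
            # The user submitted a second factor; the log alone does not show
            # the result, so the pending marker is cleared conservatively.
            pending.pop(user, None)
        elif user in pending and "/login" not in url and "/logout" not in url:
            req_id, seen = pending.pop(user)
            if rec["reqId"] != req_id and when - seen <= WINDOW:
                findings.append({
                    "user": user,
                    "login_req": req_id,
                    "access_req": rec["reqId"],
                    "first_url": url,
                    "time": rec["time"],
                })
    return findings


def _rec(req, time, user, method, url, message):
    """Build one constructed log line with the fields the check reads."""
    return json.dumps({"reqId": req, "time": time, "user": user,
                       "method": method, "url": url, "message": message})


_TOTP = "/server/index.php/login/challenge/totp"
_FILES = "/server/index.php/apps/files/"

# Constructed sample, not taken from the report: bob completes the challenge,
# alice is logged in during a GET of the challenge page and goes on to Files.
SAMPLE_LOG = [
    _rec("req-B1", "2024-09-19T11:20:00+08:00", "bob", "POST",
         "/server/index.php/login", "OCA\\User_LDAP\\LoginListener \u2013 bob postLogin"),
    _rec("req-B2", "2024-09-19T11:20:01+08:00", "bob", "GET", _TOTP,
         "Ready for a paged search"),
    _rec("req-B3", "2024-09-19T11:20:20+08:00", "bob", "POST", _TOTP,
         "Ready for a paged search"),
    _rec("req-B4", "2024-09-19T11:20:21+08:00", "bob", "GET", _FILES,
         "Ready for a paged search"),
    _rec("req-A1", "2024-09-19T11:58:54+08:00", "--", "GET", _TOTP,
         "Ready for a paged search"),
    # A record split across two physical lines; both halves are skipped.
    '{"reqId":"req-A1","message":"*** sensitive parameters replaced ',
    '***"]}',
    _rec("req-A1", "2024-09-19T11:58:55+08:00", "alice", "GET", _TOTP,
         "OCA\\User_LDAP\\LoginListener \u2013 alice postLogin"),
    _rec("req-A1", "2024-09-19T11:58:56+08:00", "alice", "GET", _TOTP,
         "profile data from LDAP unchanged"),
    _rec("req-A2", "2024-09-19T11:58:56+08:00", "alice", "GET", _FILES,
         "Ready for a paged search"),
]

if __name__ == "__main__":
    for hit in find_totp_skips(SAMPLE_LOG):
        print(hit)
```

To run it against a real instance, pass the open `data/nextcloud.log` file object to `find_totp_skips`; the `postLogin` message only appears when the log level includes debug or info output.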
@ChristophWurst ChristophWurst self-assigned this Sep 19, 2024
@ChristophWurst
Member

Hi @GitHubUser4234! Thank you for the report. I was not able to reproduce. Even with lost session data, I need to pass the 2FA screen before Nextcloud allows me to access my account.

@GitHubUser4234
Author

> Hi @GitHubUser4234! Thank you for the report. I was not able to reproduce. Even with lost session data, I need to pass the 2FA screen before Nextcloud allows me to access my account.

Hm, have you tried the above settings, in particular:

  'session_lifetime' => 1800,
  'session_keepalive' => false,
  'remember_login_cookie_lifetime' => 0,

And also waited for the session timeout rather than deleting cookies?

@ChristophWurst
Member

Thank you for the pointers. I tried with the updated instructions but came to the result that I was just logged out after the session expiry. After the page reload I saw the login page.

@GitHubUser4234
Author

GitHubUser4234 commented Oct 15, 2024

Hi @ChristophWurst,

Further testing came up with the following finding:

If only the session_lifetime in config.php has timed out, but the session.gc_maxlifetime in php.ini has NOT timed out, then the login page is shown as normal. BUT if the session.gc_maxlifetime in php.ini has also expired, then the user is logged in after refreshing the TOTP screen. For fast testing, please try these settings:

in config.php:

'session_lifetime' => 10,
'session_keepalive' => false,
'remember_login_cookie_lifetime' => 0,

in php.ini:
session.gc_maxlifetime=15

Then refresh the TOTP screen after >20 seconds.

Thanks!

@ChristophWurst
Member

I've tried again and followed the instructions closely. I'm still always logged out. I've tried both a git checkout of the Nextcloud sources and https://hub.docker.com/_/nextcloud.

How did you set up Nextcloud?

@GitHubUser4234
Author

> I'm still always logged out.

Really odd, there must be some difference then, hm...

> How did you set up Nextcloud?

By installing https://download.nextcloud.com/server/releases/latest-29.tar.bz2

@ChristophWurst
Member

@GitHubUser4234 are you still able to reproduce this?

@GitHubUser4234
Author

GitHubUser4234 commented Feb 28, 2025

Yes, it unfortunately is still an issue. Here is a debug log of what happens when the page is refreshed after the timeout and the OTP screen is skipped:

{"reqId":"Z8GcHvearmXHBHJK@ZIiMgAAAJA","level":0,"time":"2025-02-28T19:21:02+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"--","app":"no app in context","method":"GET","url":"/server/index.php/login/challenge/totp","message":"The loading of lazy AppConfig values have been requested","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0","version":"29.0.7.1","exception":{"Exception":"RuntimeException","Message":"ignorable exception","Code":0,"Trace":[{"file":"/www/nextcloud/lib/private/AppConfig.php","line":1208,"function":"loadConfig","class":"OC\\AppConfig","type":"->","args":[null]},{"file":"/www/nextcloud/lib/private/AppConfig.php","line":127,"function":"loadConfigAll","class":"OC\\AppConfig","type":"->","args":[]},{"file":"/www/nextcloud/lib/private/AllConfig.php","line":196,"function":"getKeys","class":"OC\\AppConfig","type":"->","args":["user_ldap"]},{"file":"/www/nextcloud/apps/user_ldap/lib/Helper.php","line":133,"function":"getAppKeys","class":"OC\\AllConfig","type":"->","args":["user_ldap"]},{"file":"/www/nextcloud/apps/user_ldap/lib/Helper.php","line":74,"function":"getServersConfig","class":"OCA\\User_LDAP\\Helper","type":"->","args":["ldap_configuration_active"]},{"file":"/www/nextcloud/apps/user_ldap/lib/AppInfo/Application.php","line":133,"function":"getServerConfigurationPrefixes","class":"OCA\\User_LDAP\\Helper","type":"->","args":[true]},{"file":"/www/nextcloud/lib/private/AppFramework/Bootstrap/FunctionInjector.php","line":45,"function":"OCA\\User_LDAP\\AppInfo\\{closure}","class":"OCA\\User_LDAP\\AppInfo\\Application","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/www/nextcloud/lib/private/AppFramework/Bootstrap/BootContext.php","line":50,"function":"injectFn","class":"OC\\AppFramework\\Bootstrap\\FunctionInjector","type":"->","args":[["Closure"]]},{"file":"/www/nextcloud/apps/user_ldap/lib/AppInfo/Application.php","line":124,"function":"injectFn","class":"OC\\AppFramework\\Bootstrap\\BootContext","type":"->","args":[["Closure"]]},{"file":"/www/nextcloud/lib/private/AppFramework/Bootstrap/Coordinator.php","line":200,"function":"boot","class":"OCA\\User_LDAP\\AppInfo\\Application","type":"->","args":[["OC\\AppFramework\\Bootstrap\\BootContext"]]},{"file":"/www/nextcloud/lib/private/App/AppManager.php","line":437,"function":"bootApp","class":"OC\\AppFramework\\Bootstrap\\Coordinator","type":"->","args":["user_ldap"]},{"file":"/www/nextcloud/lib/private/App/AppManager.php","line":216,"function":"loadApp","class":"OC\\App\\AppManager","type":"->","args":["user_ldap"]},{"file":"/www/nextcloud/lib/private/legacy/OC_App.php","line":128,"function":"loadApps","class":"OC\\App\\AppManager","type":"->","args":[["authentication"]]},{"file":"/www/nextcloud/lib/base.php","line":1030,"function":"loadApps","class":"OC_App","type":"::","args":[["authentication"]]},{"file":"/www/nextcloud/index.php","line":49,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/www/nextcloud/lib/private/AppConfig.php","Line":1222,"message":"The loading of lazy AppConfig values have been requested","exception":{},"CustomMessage":"The loading of lazy AppConfig values have been requested"}}
{"reqId":"Z8GcHvearmXHBHJK@ZIiMgAAAJA","level":0,"time":"2025-02-28T19:21:02+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"--","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_explode_dn with parameters [\"user.demo3\",0]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"Z8GcHvearmXHBHJK@ZIiMgAAAJA","level":1,"time":"2025-02-28T19:21:02+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"user.demo3","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"OCA\\User_LDAP\\LoginListener \u2013 user.demo3 postLogin","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"Z8GcHvearmXHBHJK@ZIiMgAAAJA","level":0,"time":"2025-02-28T19:21:02+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"user.demo3","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_connect with parameters [\"ldaps:\\/\\/xxx.xxx.xxx.xxx:xxx\"]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"Z8GcHvearmXHBHJK@ZIiMgAAAJA","level":0,"time":"2025-02-28T19:21:02+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"user.demo3","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_set_option with parameters [{},17,3]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"Z8GcHvearmXHBHJK@ZIiMgAAAJA","level":0,"time":"2025-02-28T19:21:02+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"user.demo3","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_set_option with parameters [{},8,0]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"Z8GcHvearmXHBHJK@ZIiMgAAAJA","level":0,"time":"2025-02-28T19:21:02+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"user.demo3","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_set_option with parameters [{},20485,\"15\"]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"Z8GcHvearmXHBHJK@ZIiMgAAAJA","level":0,"time":"2025-02-28T19:21:02+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"user.demo3","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_bind with parameters [{},\"uid=rootLDAP,ou=test2,ou=test,o=com\",\"***REMOVED SENSITIVE VALUE***\"]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"Z8GcHvearmXHBHJK@ZIiMgAAAJA","level":0,"time":"2025-02-28T19:21:02+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"user.demo3","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"initializing paged search for filter objectclass=*, base uid=user.demo3,ou=test1,ou=test,o=com, attr [\"pwdpolicysubentry\",\"pwdgraceusetime\",\"pwdreset\",\"pwdchangedtime\"], pageSize 5003, offset 0","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"Z8GcHvearmXHBHJK@ZIiMgAAAJA","level":0,"time":"2025-02-28T19:21:02+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"user.demo3","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Ready for a paged search","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"Z8GcHvearmXHBHJK@ZIiMgAAAJA","level":0,"time":"2025-02-28T19:21:03+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"user.demo3","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_search with parameters [{},\"uid=user.demo3,ou=test1,ou=test,o=com\",\"objectclass=*\",[\"pwdpolicysubentry\",\"pwdgraceusetime\",\"pwdreset\",\"pwdchangedtime\"],0,0,-1,0,[{\"oid\":\"1.2.840.113556.1.4.319\",\"value\":{\"size\":5003,\"cookie\":\"\"},\"iscritical\":false}]]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"Z8GcHvearmXHBHJK@ZIiMgAAAJA","level":0,"time":"2025-02-28T19:21:03+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"user.demo3","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_errno with parameters [{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"Z8GcHvearmXHBHJK@ZIiMgAAAJA","level":0,"time":"2025-02-28T19:21:03+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"user.demo3","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_get_entries with parameters [{},{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"Z8GcHvearmXHBHJK@ZIiMgAAAJA","level":0,"time":"2025-02-28T19:21:03+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"user.demo3","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_parse_result with parameters [{},{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
{"reqId":"Z8GcHvearmXHBHJK@ZIiMgAAAJA","level":0,"time":"2025-02-28T19:21:03+08:00","remoteAddr":"xxx.xxx.xxx.xxx","user":"user.demo3","app":"user_ldap","method":"GET","url":"/server/index.php/login/challenge/totp","message":"Calling LDAP function ldap_unbind with parameters [{}]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0","version":"29.0.7.1","data":{"app":"user_ldap"}}
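
A log check modelled on the debug log in the comment above, added here as an example and not part of the original thread or of Nextcloud's code: it groups JSON log lines by `reqId` and flags any request where a `postLogin` event is logged on a GET of the TOTP challenge URL. The sample lines are constructed, and treating this pattern as an indicator is an assumption drawn from the single log posted here, not a confirmed signature.

```python
import json
from urllib.parse import urlsplit

CHALLENGE_PATH = "/login/challenge/totp"  # challenge URL suffix taken from the report


def _entry(req_id, user, method, url, message):
    """Build one constructed log line using the field layout seen in the thread."""
    return json.dumps({"reqId": req_id, "level": 1, "time": "2025-02-28T19:21:02+08:00",
                       "user": user, "app": "user_ldap", "method": method,
                       "url": url, "message": message})


# Constructed sample, not real log data. req-1 mirrors the pattern in the log
# above; req-2 is an assumed ordinary password login; the last line is truncated.
SAMPLE_LOG = "\n".join([
    _entry("req-1", "--", "GET", "/server/index.php/login/challenge/totp",
           "Calling LDAP function ldap_explode_dn with parameters [\"user.demo3\",0]"),
    _entry("req-1", "user.demo3", "GET", "/server/index.php/login/challenge/totp",
           "OCA\\User_LDAP\\LoginListener \u2013 user.demo3 postLogin"),
    _entry("req-2", "user.demo3", "POST", "/server/index.php/login",
           "OCA\\User_LDAP\\LoginListener \u2013 user.demo3 postLogin"),
    '{"reqId":"req-3","level":0,"time":"2025-02-2',
])


def find_challenge_logins(log_text):
    """Return postLogin events that were logged on a GET of the TOTP challenge page."""
    first_user = {}  # reqId -> user field of the first entry seen for that request
    hits = []
    for raw in log_text.splitlines():
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # blank, truncated or run-together lines are skipped
        if not isinstance(entry, dict) or "reqId" not in entry:
            continue
        req_id = entry["reqId"]
        first_user.setdefault(req_id, entry.get("user"))
        path = urlsplit(str(entry.get("url") or "")).path.rstrip("/")
        is_challenge_get = entry.get("method") == "GET" and path.endswith(CHALLENGE_PATH)
        if is_challenge_get and str(entry.get("message", "")).endswith("postLogin"):
            hits.append({"reqId": req_id, "time": entry.get("time"),
                         "user": entry.get("user"),
                         "started_anonymous": first_user[req_id] == "--"})
    return hits


if __name__ == "__main__":
    for hit in find_challenge_logins(SAMPLE_LOG):
        print(hit)
```

The `LoginListener` line is written by `user_ldap` at level 1, so this check only sees it where that app is enabled and the log level is 1 or lower.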

@ChristophWurst
Member

ChristophWurst commented Mar 10, 2025

Thank you. I have tried another time with Nextcloud 29.0.12 using the Docker image:

  • docker pull nextcloud:29.0.12
  • docker run -d --name totp1563 -p 8080:80 nextcloud:29.0.12
  • Open https://localhost:8080 and complete the setup for admin:admin
  • docker exec -it totp1563 /bin/bash to attach a shell to the container
  • docker container stop totp1563
  • docker container start totp1563
  • Open https://localhost:8080 and enable twofactor_totp, navigate to personal security settings and set it up
  • Log out
  • Log in entering the password
  • Wait 30 seconds
  • Reload the page -> logged out

@GitHubUser4234 would you be able to try my steps just to see if I did something "wrong"? If that still doesn't give us the same results I suggest we have a short screensharing call to walk through the process.

Edit: I would also like to know if 29.0.7 vs 29.0.12 makes a difference for you.

@GitHubUser4234
Author

GitHubUser4234 commented Mar 22, 2025

Hi @ChristophWurst,

The decisive config has been found: it's when Nextcloud and PHP are configured with Redis and the following config is added to php.ini (which is valid according to #13148):

extension=<path to php config folder>/extensions/redis.so
session.save_handler = redis
session.save_path    = tcp://<redis host>:<redis port>

Could you try this out? It happens with Nextcloud 29.0.14 as well. Thanks.
