Tried to log in "user" but could not verify token #37492

Open
6 of 9 tasks
smart7324 opened this issue Mar 30, 2023 · 65 comments

Comments

@smart7324

smart7324 commented Mar 30, 2023

⚠️ This issue respects the following points: ⚠️

  • This is a bug, not a question or a configuration/webserver/proxy issue.
  • This issue is not already reported on Github (I've searched it).
  • Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
  • Nextcloud Server is running on 64bit capable CPU, PHP and OS.
  • I agree to follow Nextcloud's Code of Conduct.

Bug description

As soon as I open Nextcloud in a new tab, I get redirected to login page and have to login again. Then always the first login fails/nothing happens, so I have to login twice. I am seeing lots of "Tried to log in "user" but could not verify token" errors in log.

It is only happening on Safari (macOS, iOS, iPadOS), tried several versions, also did a clean install of Nextcloud 26 and still the same. Also tried with another user account on a different Mac.

At first I thought it could be related to #33919, but it doesn't seem to be the case. I really spent many hours in trying to get this fixed, but I have no clue, why it is not working.

Steps to reproduce

  1. Login to Nextcloud in Safari
  2. Open another tab and open Nextcloud (alternatively close browser and open it again)
  3. You will be redirected to login page and the message "Tried to log in "user" but could not verify token" is in log file.

Expected behavior

The user should still be logged in and not be redirected to login page.

Installation method

Community Manual installation with Archive

Nextcloud Server version

26

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.1

Web server

Apache (supported)

Database engine version

MySQL

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "26.0.0.11",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "maintenance": false,
        "mail_smtpsecure": "tls",
        "mail_sendmailmode": "smtp",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "csrf.disabled": true,
        "integrity.check.disabled": true,
        "logfile": "\/var\/www\/cloud\/data\/nextcloud.log",
        "loglevel": 4,
        "enable_previews": true,
        "remember_login_cookie_lifetime": 31536000,
        "session_lifetime": 31536000,
        "session_relaxed_expiry": true,
        "session_keepalive": true,
        "simpleSignUpLink.shown": false,
        "htaccess.IgnoreFrontController": true,
        "default_phone_region": "DE",
        "default_language": "de",
        "force_language": "de",
        "theme": "***REMOVED SENSITIVE VALUE***",
        "defaultapp": "files",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "updater.release.channel": "stable"
    }
}

List of activated Apps

Enabled:
  - cloud_federation_api: 1.9.0
  - comments: 1.16.0
  - dav: 1.25.0
  - federatedfilesharing: 1.16.0
  - files: 1.21.1
  - files_pdfviewer: 2.7.0
  - files_rightclick: 1.5.0
  - files_sharing: 1.18.0
  - files_versions: 1.19.1
  - logreader: 2.11.0
  - lookup_server_connector: 1.14.0
  - notes: 4.7.2
  - notifications: 2.14.0
  - oauth2: 1.14.0
  - password_policy: 1.16.0
  - provisioning_api: 1.16.0
  - related_resources: 1.1.0-alpha1
  - settings: 1.8.0
  - sharebymail: 1.16.0
  - systemtags: 1.16.0
  - theming: 2.1.1
  - theming_customcss: 1.13.0
  - twofactor_backupcodes: 1.15.0
  - updatenotification: 1.16.0
  - viewer: 1.10.0
  - workflowengine: 2.8.0
Disabled:
  - activity: 2.18.0 (installed 2.14.3)
  - admin_audit: 1.16.0
  - bruteforcesettings: 2.6.0 (installed 2.3.0)
  - circles: 26.0.0 (installed 26.0.0)
  - contactsinteraction: 1.7.0 (installed 1.7.0)
  - dashboard: 7.6.0 (installed 7.1.0)
  - encryption: 2.14.0
  - extract: 1.3.5 (installed 1.3.5)
  - federation: 1.16.0 (installed 1.16.0)
  - files_external: 1.18.0
  - files_texteditor: 2.15.0 (installed 2.15.0)
  - files_trashbin: 1.16.0 (installed 1.11.0)
  - firstrunwizard: 2.15.0 (installed 2.15.0)
  - nextcloud_announcements: 1.15.0 (installed 1.15.0)
  - photos: 2.2.0 (installed 1.3.0)
  - privacy: 1.10.0 (installed 1.10.0)
  - recommendations: 1.5.0 (installed 1.0.0)
  - serverinfo: 1.16.0 (installed 1.12.0)
  - support: 1.9.0 (installed 1.9.0)
  - survey_client: 1.14.0 (installed 1.9.0)
  - suspicious_login: 4.4.0
  - text: 3.7.2 (installed 3.3.0)
  - twofactor_totp: 8.0.0-alpha.0
  - user_ldap: 1.16.0
  - user_status: 1.6.0 (installed 1.1.1)
  - weather_status: 1.6.0 (installed 1.1.0)

Nextcloud Signing status

No response

Nextcloud Logs

{"reqId":"***REMOVED SENSITIVE VALUE***","level":1,"time":"2023-03-30T11:50:23+00:00","remoteAddr":"***REMOVED SENSITIVE VALUE***","user":"--","app":"core","method":"GET","url":"/login","message":"Tried to log in user but could not verify token","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.4 Safari/605.1.15","version":"26.0.0.11","data":{"app":"core"}}

Additional info

No response

smart7324 added the "0. Needs triage" and "bug" labels Mar 30, 2023
@TheCrimsonLady

TheCrimsonLady commented Apr 4, 2023

I also had this issue today and I could only fix it with a database maintenance run (command below).
my environment infos:

root@Nextcloud:# apache2 -v
Server version: Apache/2.4.41 (Ubuntu)
Server built: 2023-03-08T17:32:54
root@Nextcloud:# php --version
PHP 8.1.17 (cli) (built: Mar 16 2023 14:38:17) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.1.17, Copyright (c) Zend Technologies
with Zend OPcache v8.1.17, Copyright (c), by Zend Technologies
root@Nextcloud:# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.6 LTS
Release: 20.04
Codename: focal
root@Nextcloud:# cat /var/www/nextcloud/version.php
$OC_Version = array(26,0,0,11);
$OC_VersionString = '26.0.0';
$OC_Edition = '';
$OC_Channel = 'stable';
$OC_VersionCanBeUpgradedFrom = array (
'nextcloud' =>
array (
'25.0' => true,
'26.0' => true,
),
'owncloud' =>
array (
'10.11' => true,
),
);
$OC_Build = '2023-03-21T09:23:03+00:00 62cfd3b';
$vendor = 'nextcloud';

(PostgreSQL) 12.14 (Ubuntu 12.14-0ubuntu0.20.04.1)

How I fix the loop:
alias FIX_LOOP='cd /var/www/nextcloud && sudo -u www-data php ./occ maintenance:repair'
and then wait 30 minutes for the rate limiting to cool down.

iOS is the latest 16.04 (20E247)

here is an excerpt from my logs when I tried to log in with my admin account:
Screenshot 2023-04-04 at 21 22 02

Please answer to this if I should provide more info

@smart7324
Author

I gave it a try, but this didn't work for me. Same issue. It also happened to me on a clean new install. So we definitely need help here. At this time NC is completely unusable on Safari no matter what apple device...

@Yetangitu

Yetangitu commented Apr 6, 2023

(moved from #33919)

This problem does not seem to have been solved in v26.0.0.11 - even though #35419 was merged - seeing how as I'm currently unable to login using Firefox/Android on a device which had a single tab open yesterday. Deleting site data does not change this, nor does running occ maintenance:repair.

I can login using a different browser but not with Firefox, all I get is an empty page showing the site logo and the footer - there is no error message but no login/password request either.

This does not work:

  • deleting all site data and cookies for the domain
  • force-stopping and restarting Firefox/Android
  • rebooting the device
  • trying different network connections - wifi, 4G, VPN
  • deleting browsing history for the affected domain
  • using another open session to delete all sessions for the affected device (in Settings->Security->Devices & Sessions)
  • updating Firefox/Android (to 111.0)
  • running occ maintenance:repair
  • burning black candles in a fairy ring in the forest while chanting obscure incantations (well, did not try but I don't think it would work)

This does work:

  • using a different browser
  • using private mode in Firefox

The error message in the log is the one which has been shown countless times already: Tried to log in "username" but could not verify token:

{"reqId":"aupvuif3Msicz86FxhbY","level":1,"time":"April 06, 2023 06:06:04","remoteAddr":"192.168.9.2","user":"--","app":"core","method":"GET","url":"/login","message":"Tried to log in frank but could not verify token","userAgent":"Mozilla/5.0 (Android 9; Mobile; rv:109.0) Gecko/112.0 Firefox/112.0","version":"26.0.0.11","data":{"app":"core"}}
{"reqId":"q8JEudtB0oT3gfNqLYye","level":1,"time":"April 06, 2023 06:06:04","remoteAddr":"192.168.9.2","user":"--","app":"core","method":"GET","url":"/apps/theming/image/background?v=27","message":"Tried to log in frank but could not verify token","userAgent":"Mozilla/5.0 (Android 9; Mobile; rv:109.0) Gecko/112.0 Firefox/112.0","version":"26.0.0.11","data":{"app":"core"}}

The really annoying thing is that I do not get a chance to login at all since the login/password request does not show up - only the site logo and the footer on an otherwise empty page.

ChristophWurst changed the title from "[Bug]: Safari: Tried to log in "user" but could not verify token" to "[Bug]: Tried to log in "user" but could not verify token" Apr 6, 2023
ChristophWurst added the "1. to develop" label and removed the "0. Needs triage" label Apr 6, 2023
@Yetangitu

Yetangitu commented Apr 6, 2023

Another thing which does work:

  1. enable USB debugging in Firefox/Android
  2. connect it to another machine through USB
  3. open the debugger on the Nextcloud tab
  4. go to the Network section
  5. make sure that 'Disable cache' is checked
  6. reload the tab

This way I do get a login/password request. It seems that Firefox' Clear cookies and site data is not enough to actually clear everything related to the page.

@TheCrimsonLady

Update: This now happens multiple times per day, which is a lot worse than it was before updating to NC 26

@smart7324
Author

This is really a serious issue. Right now, I can't use NC with Safari... I am getting logged out every page refresh, so it's completely unusable. Are there any updates? :)

@mafjensengithub

Some of the new issues could be related to a safari bug: https://bugs.webkit.org/show_bug.cgi?id=255524

@TheCrimsonLady

Maybe iOS 17 brings a change or the root cause is found somewhere else, either way I hope this will soon be solved because sometimes I can’t log into my NC for days

@smart7324
Author

Seems to be fixed for me with iOS 16.5 and macOS 13.4.

@TheCrimsonLady

Updated a few days ago and for me it seems to be just as bad as before. Haven’t replied earlier because I wanted to gather some data.

@smart7324
Author

smart7324 commented Jun 14, 2023

I'm no longer experiencing any issues, also on NC 27.0.0. We can close here.

@TheCrimsonLady

TheCrimsonLady commented Jun 16, 2023

I updated ~12h ago and just had this issue reappear. Setup is NC in a Ubuntu 20.04 LXC run on Proxmox 7.4-3.

Kernel: 5.15.107-2-pve
Ubuntu: Ubuntu 20.04.6 LTS
PHP: PHP 8.1.17 (cli) (built: Mar 16 2023 14:38:17) (NTS) Copyright (c) The PHP Group Zend Engine v4.1.17, Copyright (c) Zend Technologies with Zend OPcache v8.1.17, Copyright (c), by Zend Technologies
Apache Server version: Apache/2.4.41 (Ubuntu)
NC version: 27.0.0.8

Reverse Proxy: Nginx-Proxy-Manager
RP version: 2.10.3

Client: iOS 16.5 - Safari
Screenshot 2023-06-16 at 07 51 26
Screenshot 2023-06-16 at 07 52 19
Screenshot 2023-06-16 at 07 50 11

Did you do anything else than simply updating NC to fix this? It is getting more and more frustrating to use NC since I can't access it ~50% of the time I need to

@smart7324
Author

Okay hm, I also didn’t experience the bug on NC 26 since iOS 16.5… I did not change anything, but it’s just working.

So I reopen this issue for you.

@smart7324 smart7324 reopened this Jun 16, 2023
@TheCrimsonLady

Thanks a lot

that’s weird… Do you think my or any reverse proxy could be an issue since my TLS connection is terminated there?
I can’t really think of anything else that could cause this in my setup

@smart7324
Author

Honestly I don't think so, as I also had this issue and don't have a reverse proxy. I also did some debugging, but I haven't found anything...
Is it working with other browsers for you?

@TheCrimsonLady

TheCrimsonLady commented Jun 16, 2023

I rarely use other devices to access my NC, but I had a few situations where this error occurred with my employer provided laptop.
On my Debian laptop with Firefox, I had a kinda similar error where I was kinda logged in, but was repeatedly kicked out of NC with the error message in the browser „you are not logged in“. Even when I logged out and back in, this error would persist. I blamed a weird cookie issue and just let it be.

Another possibility that just came to mind: I’m basically always connected to my VPN server at home, which gives my phone, my Mac and NC the same public IP address. Could this be an issue?

(Just for clarification: the issue for me is almost exclusively in iOS, macOS only caused this error once since NC 24 plus the rare occurrences on windows or Linux with Firefox)

@smart7324
Author

Hm very interesting… Sorry, but I don’t know if your ip can be a source of the issue. Maybe someone else can help?

@TheCrimsonLady

Yeah me neither, I’m just throwing guesses at the wall here to see what sticks haha

To anyone reading this: all suggestions are welcome

Btw, I played around on my work phone (also iPhone and safari) and was able to provoke the error relatively quickly with two open tabs and some reloads/NC-App switching
The error occurred but I was not logged out however, that also happens a lot

@MrRies

MrRies commented Jul 20, 2023

Hi,
We have also been struggling with this problem for about two months. Even an update to version 27 has not brought any improvement. On the contrary, we have the feeling that the bug has increased significantly in recent weeks.
In the meantime, our power users can no longer use Nextcloud on certain days.

Even deleting the cookies only helps to a limited extent. After deleting them, they are simply set again and the problem is back.

Our Nextcloud is connected to a very large LDAP directory of our institution. We have about 70 active users (once a week) and about 20 power users (every day, several hours). We are thinking that a connection to the LDAP could be increasing the problem, but probably the trigger is somewhere else.

Access is via a reverse proxy (nginx). There, too, we have already changed some settings for header modification, but without any noticeable effect.
In addition, the token errors are occurring more and more frequently with reports of a brute force attack. For this reason, we have to deactivate the brute force detection in the meantime in order not to be locked out all the time. Apparently, Nextcloud counts every expired cookie as a failed login.

It is frustrating. The error pattern is so varied that it is difficult for us to identify the origin of the error.

@TheCrimsonLady

Yes, that’s also my experience
And that’s on a very small instance with only me as a user.
what client devices do your users use? Maybe we have an overlap and can help narrow down the scope for the devs

@MrRies

MrRies commented Jul 20, 2023

Yes, great idea.
We have tested our way through various browsers: Chrome, Edge, Firefox and Opera. The problem is the same everywhere. Most users use Windows machines.
However, the problem also occurs with our iOS, iPadOS and Android users. Also with Safari, Brave, Opera, Chrome...
We haven't had a chance to test it on MacOS yet.

Sometimes our users are even logged out of the Nextcloud apps (iOS+Android). Talk in particular (which we use a lot).

We initially thought there was a connection with the use of Nextcloud calendars via CardDAV or in connection with app passwords, which a handful of our users are using. However, we could not find any further evidence for this.

@TheCrimsonLady

Sure, any time
just ping me when you have anything new, I'm happy to test stuff

@TheCrimsonLady

Addendum: I just opened a new NC tab on my phone (closed the ones from earlier after testing the patch) and had to log in again

it’s not new behavior, but I had to enter my username and PW twice and then the 2FA code before it let me in

idk when exactly I was kicked out but when I find the section in the logs I’ll post a screenshot

@ChristophWurst
Member

Double login is a known issue and related to lost sessions

@ChristophWurst
Member

Could you please apply https://github.com/nextcloud/server/commit/02591953bc488aa424f058035ad39fa7b3beb723.patch as well? It's an amendment to #40628 so that it logs the request that wins the race for the token.

@TheCrimsonLady

Will do when I’m home

@TheCrimsonLady

All-Messages-search-result-part-1.csv
All-Messages-search-result-part-2.csv

I applied the patch and played around a bit (I redacted any tokens, IPs and domains).
Is this format helpful for you? Should I test specific scenarios or filter for certain keywords? Because right now this is basically the full log after the patch apply and reboot on debug level.

@ChristophWurst
Member

The format is fine. Thanks!

First:

2023-09-27T22:25:56.086+02:00;Nextcloud;Remember-me token TOKEN1/some_extras?/ for root replaced by TOKEN2

Later:

2023-09-27T22:28:02.133+02:00;Nextcloud;Tried to log in root but could not find token TOKEN3 in database
2023-09-27T22:28:02.133+02:00;Nextcloud;Tried to log in root but could not find token TOKEN3 in database
2023-09-27T22:28:02.133+02:00;Nextcloud;Tried to log in root but could not find token TOKEN3 in database
2023-09-27T22:28:02.133+02:00;Nextcloud;Tried to log in root but could not find token TOKEN3 in database

But then also

2023-09-27T22:28:02.133+02:00;Nextcloud;Remember-me token TOKEN3 for root replaced by TOKEN4

so token2 is never used. token3 appears out of nowhere.

Did you have more than one browser or devices connected? e.g. desktop+phone.
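
(Added example, not part of the thread and not Nextcloud code.) The chain-following done by hand in the comment above can be scripted: the sketch below reads an export in the `time;source;message` layout quoted there and classifies every remember-me token a client presented. The sample lines are constructed, and the tie-break at equal timestamps is an assumption noted in the code.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Message shapes copied from the log lines quoted in this thread.
REPLACED = re.compile(r"Remember-me token (\S+) for (\S+) replaced by (\S+)$")
MISSING = re.compile(r"Tried to log in (\S+) but could not find token (\S+) in database$")

# Constructed sample modelled on the quoted lines (not real log data).
SAMPLE = """\
2023-09-27T22:25:56.086+02:00;Nextcloud;Remember-me token TOKEN1 for root replaced by TOKEN2
2023-09-27T22:28:02.133+02:00;Nextcloud;Tried to log in root but could not find token TOKEN3 in database
2023-09-27T22:28:02.133+02:00;Nextcloud;Tried to log in root but could not find token TOKEN3 in database
2023-09-27T22:28:02.133+02:00;Nextcloud;Tried to log in root but could not find token TOKEN3 in database
2023-09-27T22:28:02.133+02:00;Nextcloud;Remember-me token TOKEN3 for root replaced by TOKEN4
2023-09-27T22:40:10.500+02:00;Nextcloud;Remember-me token TOKEN4 for root replaced by TOKEN5
""".splitlines()


def parse(lines):
    """Return (time, kind, user, presented_token, new_token), oldest first."""
    events = []
    for line in lines:
        parts = line.strip().split(";", 2)
        if len(parts) != 3:
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # header row or unrelated line
        if m := REPLACED.search(parts[2]):
            events.append((when, "replaced", m[2], m[1], m[3]))
        elif m := MISSING.search(parts[2]):
            events.append((when, "missing", m[1], m[2], None))
    # Assumption: at equal timestamps the rotation is the request that won
    # the race, so it is ordered before the lookups that failed.
    events.sort(key=lambda e: (e[0], e[1] != "replaced"))
    return events


def analyse(lines):
    """Classify each presented token per user.

    in_chain: issued by a rotation seen in the log and still current.
    stale:    already rotated away; a parallel request got there first.
    foreign:  never issued in this log (first cookie in the window, another
              browser/device, or a rotation that was not logged).
    never_used: issued but never presented again; the newest token of each
              chain is always listed here.
    """
    live = defaultdict(set)       # issued and not yet replaced
    retired = defaultdict(set)    # replaced by a later rotation
    presented = defaultdict(set)
    counts = defaultdict(lambda: defaultdict(Counter))
    for _when, kind, user, token, new in parse(lines):
        if token in live[user]:
            verdict = "in_chain"
        elif token in retired[user]:
            verdict = "stale"
        else:
            verdict = "foreign"
        counts[user][verdict][token] += 1
        presented[user].add(token)
        if kind == "replaced":
            live[user].discard(token)
            retired[user].add(token)
            live[user].add(new)
    report = {}
    for user, verdicts in counts.items():
        report[user] = {v: dict(verdicts[v]) for v in ("in_chain", "stale", "foreign")}
        report[user]["never_used"] = sorted(live[user] - presented[user])
    return report


if __name__ == "__main__":
    for user, result in analyse(SAMPLE).items():
        print(user, result)
```

A `foreign` token after the first rotation, together with an older token left in `never_used`, is the "token2 is never used, token3 appears out of nowhere" pattern; `stale` counts are the requests that lost the race for a token.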

@TheCrimsonLady

TheCrimsonLady commented Sep 28, 2023

Ah yes, my bad

I was just focused on provoking the error and didn't think about multiple devices. I just recreated the situation with just one device but the overall situation seems to be the same:

Screenshot 2023-09-28 at 09 00 47

What I did:
closed the NC app on my Mac and closed tabs on my work phone. Then after some minutes I opened Safari on my private phone, closed an inactive tab and opened a new one. Only when I opened the new tab, logs started appearing.
Once the new tab loaded, I logged in (twice, as noted yesterday) and you see the logs above.

Edit:
Due to the time stamps all reading the same, I just want to point out that the newest entry is on top and the oldest at the bottom

@ChristophWurst
Member

I have a new idea. What if the remember-me logic does its job but the concurrent requests cause the web session to be deleted from the database? that would also end a session. I'll prepare some more logging patches 😩

@TheCrimsonLady

This comment was marked as off-topic.

@ChristophWurst
Member

password reset is off-topic. look for existing tickets or create a new one if there is none. Attach the log entries as text please to make it searchable.

@TheCrimsonLady

Thought this may be a related issue or a symptom of the same root cause
Sorry for the extra message, please ignore

@KenBW2

KenBW2 commented Nov 16, 2023

I am experiencing frequent logouts, but I don't believe it's the same issue reported here, since I don't get the "Tried to login but couldn't verify token" error

In fact I don't get an error at all. I did open a new ticket nextcloud/all-in-one#3674 but that's been closed and directed here.

I've noticed that sometimes I get this issue where the header is logged in, and the content is logged out:

Screenshot from 2023-11-16 00-24-30

I just clicked the Files icon in the header in a new tab and I am still logged in

@KenBW2

KenBW2 commented Nov 16, 2023

Today I was logged out and saw the login page without the header being logged in.

Opening a new tab didn't have me logged in again

@ChristophWurst
Member

We can't pinpoint it but #40879, #41318 or a related change must have helped with this problem because it now happens seldom. The theory is that we use session_regenerate_id less often, which is documented to be problematic at https://www.php.net/manual/en/function.session-regenerate-id.php

> Warning: Currently, session_regenerate_id does not handle an unstable network well, e.g. Mobile and WiFi network. Therefore, you may experience a lost session by calling session_regenerate_id.

@ChristophWurst ChristophWurst removed their assignment Dec 27, 2023
ChristophWurst added the "1. to develop" label and removed the "2. developing" label Dec 27, 2023
@cdauth

cdauth commented Feb 11, 2024

Wanted to mention that I'm seeing exactly the symptoms described here, but in Chromium and only after waking up from standby. I always have a few Nextcloud tabs open in my browser, and I assume at least some of them are polling the server and keep me logged in. When my computer goes to standby and wakes up again, the different Nextcloud apps that are open show error notifications or misbehave in different ways, and when I reload the page I get forwarded to the login page. The log shows a Tried to log in but could not verify token error for every resource that the browser tried to load.

On the login page I have to log in twice. After the first attempt, the login page simply shows up again without any error. The second attempt works properly. It does not make a difference whether I type the right password on the first attempt. Reloading the login page does not count as an attempt. After the first attempt, I see IP address throttled because it reached the attempts limit in the last 30 minutes [action: login, delay: 200, ip: ...] on the log and Bruteforce attempt from \"...\" detected for action \"login\".

@TheCrimsonLady

What NC version are you on, and which reverse proxy are you using with what settings?
I’m asking because with the latest version, the issue is way less frequent, but not fully gone.

Also, in the past few days after updating, I’ve had a basic http login pop up sometimes while on mobile when I’m opening a new NC tab. I wanted to investigate further before I comment again here, so if anyone else has this problem, maybe we could crowd source how to reliably reproduce this

@cdauth

cdauth commented Feb 11, 2024

I'm running the stable docker image, which seems to be version 27.1.4. If there have been any relevant changes recently, I could also upgrade to latest.

I'm running the docker image with APACHE_DISABLE_REWRITE_IP=1 (to let Nextcloud rather than Apache handle the proxy headers). In my Nextcloud config I have

  'trusted_proxies' =>
  array (
    0 => '127.0.0.0/8',
    1 => '172.16.0.0/12',
    2 => '192.168.0.0/16',
    3 => '10.0.0.0/8',
    4 => 'fc00::/7',
  ),

Requests are coming in from a traefik reverse proxy running on 10.10.2.1.

Also, I have 'session_lifetime' => 1209600, configured, but the issue happens reproducibly every time my laptop was in standby for a few hours.

@joshtrichards
Member

joshtrichards commented Feb 12, 2024

Every one on this thread that thinks they're experiencing this issue:

  • Please make sure your proxy is not configured to do any caching (e.g. NPM's Cache Assets must be disabled - it's not appropriate for use with Nextcloud Server, if you are using your own proxy configuration please review how you've configured caching in the proxy itself)

This variable (which is an invalid configuration) needs to be eliminated first so that only the logs/symptoms/code paths of any underlying bug(s) are visible.

@cdauth

cdauth commented Feb 13, 2024

For my case, I'm pretty sure that traefik doesn't do any caching. (I'm not sure what you mean by NPM's Cache Assets.)

@GNU-Plus-Windows-User

I'm not sure if this is relevant or the best place to post, but I'm posting this here since this is the best thread I can find on the issue. I used to see this exact error in my log on occasion (while also being logged out), but now I do not see it anymore, and my issue has gotten worse (being logged out multiple times a day) ever since upgrading to 28.0.5. I also used to have to log in twice when I was logged out with a "Temporary error please try again" but now I sometimes won't even see that error.

I originally thought it may have to do with having Nextcloud Mail (since I had this happen multiple times with mail open), but it doesn't always happen with Nextcloud Mail so I think it's just a coincidence.

I get errors like these in my logs, but an error isn't always logged when I get logged out.

Exception
HMAC does not match.
Could not decrypt or decode encrypted session data

I've been also getting these new errors since very recently:

InvalidTokenException
Token does not exist: redacted
Renewing session token failed: Token does not exist: redacted

This issue doesn't happen with the desktop client or mobile client, only with browsers. I've encountered this issue on both Brave and Graphene OS's Vanadium, but I haven't tested other browsers so I'm not sure if it's all browsers or just specific browsers.

@yan12125
Contributor

yan12125 commented May 1, 2024

I have been affected by the "could not verify token" error for at least months, and such errors seem more common recently. Those errors happen with Firefox on either Arch Linux or Windows.

I tried the latest patch from #40628 (https://github.com/nextcloud/server/commit/908c381018ba95ee1c13d11d35414db3248782d8.patch) with Nextcloud 28.0.4, and got two errors:

Tried to log in yen but ran into concurrent session revival
OC\\Http\\CookieHelper::setCookie(): Argument #2 ($value) must be of type string, null given, called in /usr/share/webapps/nextcloud/lib/private/User/Session.php on line 1062

The second error is from:

\OC\Http\CookieHelper::setCookie(
    'nc_token',
    $token,
    $maxAge,
    $webRoot,
    '',
    $secureCookie,
    true,
    \OC\Http\CookieHelper::SAMESITE_LAX
);

which is understandable as $token is null due to the first error.

As a record, I use nginx and I believe cache is disabled with the following configuration: (from NginxProxyManager/nginx-proxy-manager#389 (comment))

      proxy_no_cache 1;
      proxy_cache_bypass 1;
      proxy_cache off;

@yan12125
Contributor

yan12125 commented May 3, 2024

Got a different error message (redacted)

Tried to log in xxx but could not find token yyy in database

In the database, the token yyy is indeed missing. I got no results with:

select * from nextcloud.oc_preferences where appid = 'login_token' and configKey = 'yyy';

@yan12125
Contributor

> I have a new idea. What if the remember-me logic does its job but the concurrent requests cause the web session to be deleted from the database? that would also end a session. I'll prepare some more logging patches 😩

Concurrent requests may not be the (only) issue. I still get the following error after disabling HTTP/2 altogether. I assume there are no concurrent requests with HTTP/1.1.

Tried to log in <redacted> but could not find token  in database
