Remove login token mechanism #51479

@ChristophWurst

How to use GitHub

  • Please use the 👍 reaction to show that you are interested in the same feature.
  • Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
  • Subscribe to receive notifications on status change and new comments.

Is your feature request related to a problem? Please describe.

Before Nextcloud (or its predecessor) tracked sessions and app passwords in the database, remember-me login existed. Because session information is typically lost after 20 minutes, there is a unique token stored as a cookie and database value. The browser uses that cookie as proof that a previous session existed.

Since 2016 Nextcloud has auth tokens for web sessions and app passwords. When a PHP session expires, the session cookie sent could still be used to look up the authtoken table row, regardless of the vanished PHP session.
That means there are currently two mechanisms used in parallel.

Describe the solution you'd like

Drop the login token mechanism and fully rely on app tokens.

Describe alternatives you've considered

N/a

Additional context

Metadata

Status: Triaged
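The overlap the issue describes can be modelled in a few lines. This is an added example, not part of the original issue and not Nextcloud code: `ToyServer`, its three stores, the cookie names and the hashing of stored values are all assumptions made for illustration.

```python
import hashlib
import secrets

SESSION_TTL = 20 * 60  # seconds; the "20 minutes" PHP session lifetime from the issue

def digest(value):
    # Assumption: persistent tables store a hash of the cookie value, not the value.
    return hashlib.sha256(value.encode()).hexdigest()

class ToyServer:
    """Hypothetical model of the two mechanisms; not Nextcloud code."""

    def __init__(self):
        self.php_sessions = {}  # session id -> (uid, expiry); volatile
        self.auth_tokens = {}   # digest(session id) -> uid; persistent table row
        self.login_tokens = {}  # digest(remember-me cookie) -> uid; persistent

    def login(self, uid, now):
        cookies = {"session": secrets.token_urlsafe(32),
                   "remember": secrets.token_urlsafe(32)}
        self.php_sessions[cookies["session"]] = (uid, now + SESSION_TTL)
        self.auth_tokens[digest(cookies["session"])] = uid
        self.login_tokens[digest(cookies["remember"])] = uid
        return cookies

    def authenticate(self, cookies, now, use_login_tokens=True):
        """Return (uid, mechanism that recognised the browser)."""
        sid = cookies.get("session", "")
        live = self.php_sessions.get(sid)
        if live and live[1] > now:
            return live[0], "php-session"
        self.php_sessions.pop(sid, None)  # expired: server-side state is gone
        uid = self.auth_tokens.get(digest(sid))
        if uid is None and use_login_tokens:
            uid = self.login_tokens.get(digest(cookies.get("remember", "")))
            mechanism = "login-token"
        else:
            mechanism = "auth-token"
        if uid is None:
            return None, "anonymous"
        self.php_sessions[sid] = (uid, now + SESSION_TTL)  # rebuild the session
        return uid, mechanism

    def revoke_auth_token(self, cookies):
        self.auth_tokens.pop(digest(cookies["session"]), None)
```

In this model the remember-me store is only consulted when the auth token row is missing, so with login tokens disabled the single table row decides whether an expired session can be rebuilt.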