redirect loop after moving from folder with basic auth .htpasswd

[ghost]

I'm recently having an issue when opening up owncloud.
I do a request to http://mysite.com/owncloud,
the url changes to http://mysite.com/owncloud/index.php?redirect_url=%2Fowncloud%2Findex.php%2Fapps%2Ffiles
and I get an error page in my browser: This webpage has a redirect loop

everything is fine until i go into a with .htpaswwd protected subfolder of the root.
After authentication, when I browse from root/protected, to root/owncloud, the problem emerges.

I am running the latest OC (ownCloud 5.0.10 (up to date)), PHP 5.0.5 and apache.

On the forum has been mentioned this could be related to:
#4346

[Taomyn]

Not sure it for the same reason, but I am seeing the same thing a few days later after not using my browser. I have to kill the 3 OC cookies to be able to get back in.

[tanghus]

I think this will be fixed by #4578 explained in #4574

[ghost]

thanx for the info @tanghus

[Taomyn]

Fix #4578 was not enough to fix this for me (I made the change manually to base.php in my installation to test) - I also had change the the instanceid in config.php by prefixing it with "oc". I was getting continual warnings in the log that it could not be blank or numeric and it was the latter. I also think it fixed my inability to upload from any Android device, but that's been on and off flakey since the recent release so it might not have been this.

[mpettitt]

Have tried the fix in #4578 mentioned above, and made the change mentioned by @Taomyn to the instanceid, but I'm still getting a redirection loop. Have also cleared cookies for the domain, just in case something was interfering, and ensured that cookies from the domain are being accepted by my browser.

[karlitschek]

@stephanarts Do you have something special configured? Like force_https, overwrite_hosts in config.php or a rewrite rule in apache or .htaccess? Or do you use a reverse proxy or an unusual webserver?

[mpettitt]

In my case, it's a Debian 7 install, using the deb package from the opensuse package page. The server runs Apache 2, with owncloud set up in the /owncloud directory of my ssl configuration (Aliased to /var/www/owncloud), and no rules other than a standard allow from all. The only .htaccess file affecting it is the one that came with it, which hasn't been modified.

[stephane-martin]

Could you post your apache conf, especially rewrite rules? Those in
.htaccess too.

Do you use mod_php, mod fastcgi, mod fcgid ?...

Stephane
Le 1 sept. 2013 22:18, "Matthew Pettitt" notifications@github.com a
écrit :

In my case, it's a Debian 7 install, using the deb package from the
opensuse package page. The server runs Apache 2, with owncloud set up in
the /owncloud directory of my ssl configuration (Aliased to
/var/www/owncloud), and no rules other than a standard allow from all. The
only .htaccess file affecting it is the one that came with it, which hasn't
been modified.

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/4556#issuecomment-23632266
.

[mpettitt]

Sure. It's a Debian 7 install, with the standard Apache2 (using mpm-prefork) and php5 (using libapache2-mod-php) packages. Enabled modules for apache are: alias, auth_basic, authn_file, authz_default, authz_groupfile, authz_host, autoindex, cgi, deflate, dir, env, mime, negotiation, php5, proxy, reqtimeout, setenvif, ssl, status and unique_id - all enabled by default by the install.

Apache config (this is from /etc/apache2/sites-enabled/default-ssl):

<VirtualHost *:443>
        DirectoryIndex index.php
        DocumentRoot /usr/share/d-push/
        Alias /Microsoft-Server-ActiveSync /usr/share/d-push/index.php
        <Directory />
                AllowOverride All
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        php_flag magic_quotes_gpc off
        php_flag register_globals off
        php_flag magic_quotes_runtime off
        php_flag short_open_tag on

        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/server.crt
        SSLCertificateKeyFile /etc/apache2/ssl/server.key
        SSLCertificateChainFile /etc/apache2/ssl/chain.crt
        SSLCACertificateFile /etc/apache2/ssl/ca.crt

        Alias /owncloud /var/www/owncloud
        <Directory /var/www/owncloud>
                Order allow,deny
                Allow from all
        </Directory>
</VirtualHost>

And /var/www/owncloud/.htaccess - should be as supplied by the package, as I've not touched it

<IfModule mod_fcgid.c>
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
</IfModule>
</IfModule>
</IfModule>
ErrorDocument 403 /core/templates/403.php
ErrorDocument 404 /core/templates/404.php
<IfModule mod_php5.c>
php_value upload_max_filesize 513M
php_value post_max_size 513M
php_value memory_limit 512M
<IfModule env_module>
  SetEnv htaccessWorking true
</IfModule>
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteRule ^.well-known/host-meta /public.php?service=host-meta [QSA,L]
RewriteRule ^.well-known/host-meta.json /public.php?service=host-meta-json [QSA$
RewriteRule ^.well-known/carddav /remote.php/carddav/ [R]
RewriteRule ^.well-known/caldav /remote.php/caldav/ [R]
RewriteRule ^apps/calendar/caldav.php remote.php/caldav/ [QSA,L]
RewriteRule ^apps/contacts/carddav.php remote.php/carddav/ [QSA,L]
RewriteRule ^apps/([^/]*)/(.*\.(css|php))$ index.php?app=$1&getfile=$2 [QSA,L]
RewriteRule ^remote/(.*) remote.php [QSA,L]
</IfModule>
<IfModule mod_mime.c>
AddType image/svg+xml svg svgz
AddEncoding gzip svgz
</IfModule>
<IfModule dir_module>
DirectoryIndex index.php index.html
</IfModule>
AddDefaultCharset utf-8
Options -Indexes

[stephane-martin]

The only strange things i see here :

• php_flag short_open_tag on
• mod_negociation

But i dont think that's the problem.

I see nowhere in your conf the basic auth stuff. Do you have some like its said in the topic, or do you just have classical owncloud auth ?

[mpettitt]

Whatever the default for the deb package is. I wouldn't have the short open tags on, but the other software on there needs it - they've not removed them all, annoyingly.

[ghost]

I wish to say I have the same problem. How can I help to resolve it ? Owncloud 5.0.11, Apache2 mpm last version, ubuntu 13.04 fully updated.

EDIT : It seems to be the cookie that stores basic authentification. I deactivated authentification on /owncloud and it works fine. But if I authentify myself ( say to access /secure ), then it doesn't work anymore.

Don't know if it helps.

[mpettitt]

I got the same problem when I tried moving to nginx and using a subdirectory, so it's not Apache specific. Works fine if I use a sub-domain instead though, but obviously that's not an option for everyone.

[ghost]

Hi,

did a fresh install of OC 5.0.12 yesterday and have noticed the same problem when using the basic auth of the xcache admin webinterface on the same webserver / domain running NginX 1.2.x with PHP 5.4.x.

When the username of the OC user is equal to the xcache admin everything is fine, however using another username in OC starts this redirect loop.

[xsergiolpx]

Hi,

I would like to update this issue. I have a Debian 7 server with apache2, I created a subfolder in the owncloud (5.0.13) directory which contained a .htpasswd (/owncloud/subfolder/.htpasswd). The .htpasswd asked for an user (pedro) and a password contained in an other directory.

After testing it a little bit i removed the whole /owncloud/subfolder. Then I started getting this redirect loops. So I deleted the whole /owncloud, and installed a fresh owncloud 6.0.0a. In the set up, I created an user called juan.

Now the problem is that right after I try to login I get redirected back to the login page but with the link:
https://WEB/index.php?redirectUrl=%2Findex.php%2Fapps%2Ffiles

So I cannot acces my files from the web. What it is important is the /owncloud/data/owncloud.og:
{"app":"core","message":"Session user-id (juan) doesn't match SERVERPHP_AUTH_USER.","level":2,"time":"2013-12-16T00:07:18+00:00"}

So therefore even I deleted my initial .htpasswd and made a new fresh install there is something remaining makin a conflict with owncloud.

I have to say also that I do can access without SSL. So does anyone knows where the conflict is?

[LukasReschke]

I think this should be fixed nowadays. - Please reopen a new issue if this issue still exists.

Thank you for reporting issues back!! :-)

[seppellepepp]

Now havin' this issue with a redirecting endless loop on a fresh OC8.1

[RobinMcCorkell]

@xenomjay

Please reopen a new issue if this issue still exists.