Log in: Automatic log in rejected #854
This warning appears if a "remember me" cookie isn't valid (anymore), this usually happens if a user changes his password as this will invalidate all tokens. I agree on the point that this warning sounds too aggressive, we should probably change it:
/cc @karlitschek |
Sounds reasonable. @jancborchardt What do you think? |
@jancborchardt What do you think? |
I’d say just not have a »warning« there at all because the technobabble won’t be read, let alone understood by most people anyway. It just makes it seem like ownCloud is unsafe. On a related note, seeing the log in screen or needing to authenticate again is super annoying and it should be minimized as much as possible. |
So @LukasReschke @jancborchardt We have two conflicting suggestions from you both. What do we do? ;-) |
@karlitschek it’s not yet conflicting because @LukasReschke didn’t make a statement to my suggestion yet. ;) The question is if you think it’s better to show a warning or notice at all. I’d say we shouldn’t, because the exact nature of why you’re seeing the login screen again isn’t super interesting. Like with Gmail, sometimes I need to put in my password again and I just assume it’s because of »security reasons«. |
Ok, @jancborchardt convinced me. Let's remove the warning for the user, but the warning in the log should stay there nevertheless for admins. /cc @karlitschek |
Ok. @karlitschek do you also think that’s a good solution? If so, can you update your pull request #917? |
yep. Will do this later |
@jancborchardt @DeepDiver1975 @LukasReschke please review |
What was the exact outcome of this issue? What other circumstances apart from changing the password will make this warning appear? Is logging in from more than one machine / network maybe causing that problem? |
@LukasReschke you closed the issue – I assumed you removed the warning (and also fixed the log in screen being shown so often). ;) |
I've been wanting to file an issue about this as well. When I get that warning, the only way to log in again is to delete all oc_* cookies which I doubt is the proper procedure ;) |
I get this message whenever a user clicks the remember check box and then closes the browser and comes back. Is this happening to anyone else? |
Hm, for me, simple "manual" login works to get me in again.
No, for me it sometimes (e.g. from yesterday to today) even kept me logged in with machine turned off and on again... |
After upgrade to git master, I get this error (warning) as well and I'm unable to log in. I'd like to try to delete the oc_* cookies, but don't know how to do that. |
I'll take a look at this at the end of the week. Seems like there are some problems with it :-( |
Is there a workaround available, that would enable me to log in to my owncloud instance? I'm not able to log in for a week now. |
Delete your cookies. Working on a solution asap. |
I am also having the login problem with the desktop sync client on OSX. |
@LukasReschke any update on this? Please just never show this info to users, or have the need to remove cookies. It’s not acceptable to ask any user to do this. |
@jancborchardt 1/4 of the comments here are not related and none of those comments here adds any useful information. This should never happen, so if I don't get a proper way to reproduce this I can't fix this properly. |
All: Please file a new issue following the issue template, this is just bloated here and hijacked with other issues. |
@LukasReschke fact is, some of this security code causes people to be locked out of their ownCloud. Please fix this, and this is the issue to keep track of this. Don’t close this issue just like that when people are still having this problem. I just had it an hour ago. Here’s a log:
Hope that helps. |
@LukasReschke yeah, sorry, can you actually let @tanghus and me know the branch/commit we should test again? Vacation let me forget some things. ;) Also, how can we invoke the test case? |
Please everyone test pull request #3985 which hopefully fixes this issue. |
apply @LukasReschke's cookie changes, hopefully finally fix #854
This is still not fixed. |
This still happens, even with stable5. Come on folks, this is really a bit ridiculous. It’s a »security feature« which tries to prevent some theoretic attack and results in people being locked out from their ownCloud unless they know they need to remove their cookies – and how to do that. cc @karlitschek @DeepDiver1975 @butonic @bantu @ringmaster we need a solution here. |
My 2 cents: I just have to relogin (no need for cookie deletion). |
@jancborchardt I agree. I often experience this during development. It's very annoying. |
This still exists with the stable ownCloud 5. |
@bantu @jancborchardt can you help with any extra info about your setups? Also if you have a really short session time (minutes or less) configured I can think of some scenarios that could trigger the issue. I would add some extra time after the cookie should expire before deleting the old tokens in |
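An added example, not part of the thread and not ownCloud's code: a minimal model of the behaviour discussed here, where a password change invalidates all remember-me tokens, a replaced token is kept for a grace period before deletion, and a rejected token produces only an admin log entry while the stale cookie is cleared. `RememberMeStore`, `GRACE_SECONDS` and its 60-second value are assumptions made for illustration.

```python
import hashlib
import logging
import secrets
import time

log = logging.getLogger("remember_me")
GRACE_SECONDS = 60  # assumed value: how long a just-replaced token is still accepted


class RememberMeStore:
    """Hypothetical in-memory model: user -> {sha256(token): rotation time or None}."""

    def __init__(self):
        self._tokens = {}

    @staticmethod
    def _digest(token):
        # Only a hash is stored, so a leaked table does not yield usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        token = secrets.token_urlsafe(32)
        self._tokens.setdefault(user, {})[self._digest(token)] = None  # None = current
        return token

    def password_changed(self, user):
        # A password change invalidates every remember-me token of the account.
        self._tokens.pop(user, None)

    def auto_login(self, user, token, now=None):
        """Return (logged_in, new_token, clear_cookie) for a presented cookie."""
        now = time.time() if now is None else now
        tokens = self._tokens.get(user, {})
        # Delete replaced tokens only once their grace period has passed.
        for digest, rotated_at in list(tokens.items()):
            if rotated_at is not None and now - rotated_at > GRACE_SECONDS:
                del tokens[digest]
        digest = self._digest(token)
        if digest not in tokens:
            # Admin-facing record only; the user just gets the normal login form,
            # and the stale cookie is cleared so it cannot be rejected again.
            log.warning("remember-me token rejected for user %r", user)
            return (False, None, True)
        if tokens[digest] is None:
            tokens[digest] = now  # start the grace period for the old token
        return (True, self.issue(user), False)
```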
@frisco82 Development on localhost. Switching from master to branches, to stable5 and back and forth all the time. Nuking the configuration files every now and then, reinstalling every now and then. |
Umm #3985 wasn't backported to OC5, so that could trigger the issue if you logout in OC5, change to OC6 and continue working without closing the browser/deleting the session files. |
Should be fixed. If not, then please open a new issue. |
I just got this with OC 6.0.3, although all I had to do was enter my login details again and all was good. I didn't need to delete cookies or anything. The message still appears though. |
I also got this with OC 6.0.3 (upgraded from 6.0.2) |
Sometimes when going to my ownCloud I get this notice:
»Automatic logon rejected!
If you did not change your password recently, your account may be compromised!
Please change your password to secure your account again.«
@LukasReschke what is the cause of this notice appearing? It sounds really weird and makes ownCloud seem not secure.