
Log in: Automatic log in rejected #854

Closed
jancborchardt opened this issue Dec 12, 2012 · 46 comments

Comments

@jancborchardt
Member

Sometimes when going to my ownCloud I get this notice:
»Automatic logon rejected!
If you did not change your password recently, your account may be compromised!
Please change your password to secure your account again.«

@LukasReschke what is the cause of this notice appearing? It sounds really weird and makes ownCloud seem not secure.

@LukasReschke
Member

This warning appears if a "remember me" cookie isn't valid (anymore); this usually happens if a user changes his password, as this will invalidate all tokens.
(It will also trigger a log entry that a user tried to log in with an invalid cookie, as it could be a potential attacker: `OC_Log::write('core', 'Authentication cookie rejected for user '.$_COOKIE['oc_username'], OC_Log::WARN);`)

I agree in the point that this warning sounds too aggressive, we should probably change it:

  • To an other color than red... ;-)
  • The text to something like "Login cookie not found" - "Sorry, your login cookie seems to be invalid, please login again."

/cc @karlitschek

@karlitschek
Contributor

Sounds reasonable. @jancborchardt What do you think?

@karlitschek
Contributor

@jancborchardt What do you think?

@jancborchardt
Member Author

I’d say just not have a »warning« there at all because the technobabble won’t be read, let alone understood by most people anyway. It just makes it seem like ownCloud is unsafe.

On a related note, seeing the log in screen or needing to authenticate again is super annoying and it should be minimized as much as possible.

@karlitschek
Contributor

So @LukasReschke @jancborchardt we have two conflicting suggestions from you both. What do we do? ;-)

@jancborchardt
Member Author

@karlitschek it’s not yet conflicting because @LukasReschke didn’t make a statement to my suggestion yet. ;)

The question is if you think it’s better to show a warning or notice at all. I’d say we shouldn’t, because the exact nature of why you’re seeing the login screen again isn’t super interesting. Like with Gmail, sometimes I need to put in my password again and I just assume it’s because of »security reasons«.

@LukasReschke
Member

Ok, @jancborchardt convinced me.

Let's remove the warning for the user, but the warning in the log should stay there nevertheless for admins.

/cc @karlitschek

@jancborchardt
Member Author

Ok. @karlitschek do you also think that’s a good solution? If so, can you update your pull request #917?

@karlitschek
Contributor

yep. Will do this later

@karlitschek
Contributor

@jancborchardt @DeepDiver1975 @LukasReschke please review

@RandolfCarter
Contributor

> This warning appears if a "remember me" cookie isn't valid (anymore), this usually happens if a user change his password as this will invalidate all tokens.

What was the exact outcome of this issue?
I see the warning frequently after upgrading to 5.0.4, at the moment it seems to appear every time I start the browser on my desktop machine after having restarted my PC (I updated to 5.0.4 two days ago, haven't changed my password since, but have seen the warning twice). Using Firefox 20.0.

What other circumstances apart from changing the password will make this warning appear? Is logging in from more than one machine / network maybe causing that problem?
Maybe this is related to #917 (comment)?

@jancborchardt
Member Author

@LukasReschke you closed the issue – I assumed you removed the warning (and also fixed the log in screen being shown so often). ;)

@jancborchardt jancborchardt reopened this Apr 14, 2013
@tanghus
Contributor

tanghus commented Apr 14, 2013

I've been wanting to file an issue about this as well. When I get that warning, the only way to log in again is to delete all oc_* cookies, which I doubt is the proper procedure ;)

@MelonSmasher

I get this message whenever a user clicks the remember check box and then closes the browser and comes back. Is this happening to anyone else?

@RandolfCarter
Contributor

> When I get that warning, the only way to log in again is to delete all oc_* cookies which I doubt it the proper procedure ;)

Hm, for me, simple "manual" login works to get me in again.

> I get this message when ever a user clicks the remember check box and then closes the browser and comes back. Is this happening to anyone else?

No, for me it sometimes (e.g. from yesterday to today) even kept me logged in with machine turned off and on again...

@mehturt

mehturt commented Apr 23, 2013

After upgrade to git master, I get this error (warning) as well and I'm unable to log in. I'd like to try to delete the oc_* cookies, but don't know how to do that.

@LukasReschke
Member

I'll take a look at this at the end of the week. Seems like there are some problems with it :-(

@mehturt

mehturt commented Apr 29, 2013

Is there a workaround available, that would enable me to log in to my owncloud instance? I'm not able to log in for a week now.

@LukasReschke
Member

Delete your cookies. Working on a solution asap.

@phil-hudson

I am also having the login problem with the desktop sync client on OSX.

@jancborchardt
Member Author

@LukasReschke any update on this? Please just never show this info to users, or have the need to remove cookies. It’s not acceptable to ask any user to do this.

@LukasReschke
Member

@jancborchardt 1/4 of the comments here are not related, and none of the comments here adds any useful information.

This should never happen, so if I don't get a proper way to reproduce this I can't fix this properly.

@LukasReschke
Member

All: Please file a new issue following the issue template, this is just bloated here and hijacked with other issues.
(e.g. the DAV login has nothing to do with the "remember login" thing)

@jancborchardt
Member Author

@LukasReschke fact is, some of this security code causes people to be locked out of their ownCloud. Please fix this, and this is the issue to keep track of this. Don’t close this issue just like that when people are still having this problem. I just had it an hour ago. Here’s a log:

[Wed May 08 16:11:16 2013] [error] [client 127.0.0.1] PHP Fatal error:  Class 'OC\\Files\\Mount' not found in /home/user/owncloud/lib/files/cache/backgroundwatcher.php on line 33, referer: http://localhost/owncloud/index.php/apps/contacts/
[Fri May 10 14:06:31 2013] [error] [client 127.0.0.1] PHP Warning:  Illegal string offset 'code' in /home/user/owncloud/settings/templates/personal.php on line 81, referer: http://localhost/owncloud/index.php/apps/files
[Fri May 10 14:06:31 2013] [error] [client 127.0.0.1] PHP Notice:  Uninitialized string offset: 0 in /home/user/owncloud/settings/templates/personal.php on line 81, referer: http://localhost/owncloud/index.php/apps/files
[Fri May 10 14:06:31 2013] [error] [client 127.0.0.1] PHP Warning:  Illegal string offset 'name' in /home/user/owncloud/settings/templates/personal.php on line 81, referer: http://localhost/owncloud/index.php/apps/files
[Fri May 10 14:06:31 2013] [error] [client 127.0.0.1] PHP Notice:  Uninitialized string offset: 0 in /home/user/owncloud/settings/templates/personal.php on line 81, referer: http://localhost/owncloud/index.php/apps/files
[Fri May 10 14:06:39 2013] [error] [client 127.0.0.1] PHP Fatal error:  Class 'OC\\Files\\Mount' not found in /home/user/owncloud/lib/files/cache/backgroundwatcher.php on line 33, referer: http://localhost/owncloud/index.php/settings/personal
[Fri May 10 14:20:34 2013] [error] [client 127.0.0.1] PHP Warning:  Illegal string offset 'code' in /home/user/owncloud/settings/templates/personal.php on line 81, referer: http://localhost/owncloud/index.php/apps/files
[Fri May 10 14:20:34 2013] [error] [client 127.0.0.1] PHP Notice:  Uninitialized string offset: 0 in /home/user/owncloud/settings/templates/personal.php on line 81, referer: http://localhost/owncloud/index.php/apps/files
[Fri May 10 14:20:34 2013] [error] [client 127.0.0.1] PHP Warning:  Illegal string offset 'name' in /home/user/owncloud/settings/templates/personal.php on line 81, referer: http://localhost/owncloud/index.php/apps/files
[Fri May 10 14:20:34 2013] [error] [client 127.0.0.1] PHP Notice:  Uninitialized string offset: 0 in /home/user/owncloud/settings/templates/personal.php on line 81, referer: http://localhost/owncloud/index.php/apps/files
[Fri May 10 15:56:36 2013] [error] [client 127.0.0.1] PHP Fatal error:  Class 'OC\\Files\\Mount' not found in /home/user/owncloud/lib/files/cache/backgroundwatcher.php on line 33, referer: http://localhost/owncloud/index.php/settings/personal
[Fri May 10 15:58:14 2013] [error] [client 127.0.0.1] PHP Warning:  Illegal string offset 'code' in /home/user/owncloud/settings/templates/personal.php on line 81, referer: http://localhost/owncloud/index.php/apps/files
[Fri May 10 15:58:14 2013] [error] [client 127.0.0.1] PHP Notice:  Uninitialized string offset: 0 in /home/user/owncloud/settings/templates/personal.php on line 81, referer: http://localhost/owncloud/index.php/apps/files
[Fri May 10 15:58:14 2013] [error] [client 127.0.0.1] PHP Warning:  Illegal string offset 'name' in /home/user/owncloud/settings/templates/personal.php on line 81, referer: http://localhost/owncloud/index.php/apps/files
[Fri May 10 15:58:14 2013] [error] [client 127.0.0.1] PHP Notice:  Uninitialized string offset: 0 in /home/user/owncloud/settings/templates/personal.php on line 81, referer: http://localhost/owncloud/index.php/apps/files

Hope that helps.

@jancborchardt
Member Author

@LukasReschke yeah, sorry, can you actually let @tanghus and me know the branch/commit we should test again? Vacation let me forget some things. ;) Also, how can we invoke the test case?

@jancborchardt
Member Author

Please everyone test pull request #3985 which hopefully fixes this issue.

MorrisJobke added a commit that referenced this issue Jul 10, 2013
apply @LukasReschke's cookie changes, hopefully finally fix #854
@jancborchardt
Member Author

This is still not fixed.

@jancborchardt jancborchardt reopened this Aug 14, 2013
@jancborchardt
Member Author

This still happens, even with stable5. Come on folks, this is really a bit ridiculous. It’s a »security feature« which tries to prevent some theoretic attack and results in people being locked out from their ownCloud unless they know they need to remove their cookies – and how to do that.

cc @karlitschek @DeepDiver1975 @butonic @bantu @ringmaster we need a solution here.

@MorrisJobke
Contributor

My 2 cents: I just have to relogin (no need for cookie deletion).

@bantu

bantu commented Sep 22, 2013

@jancborchardt I agree. I often experience this during development. It's very annoying.

@rhamietron

This still exists with the stable ownCloud 5.
I was locked out of the cloud even despite clearing the cookies and deleting browsing history from Chrome.
My only alternative was to use another browser, IE in this case.

@friscoMad
Contributor

@bantu @jancborchardt can you help with any extra info about your setups?
I can only think of 2 issues with the current system: connection problems (cell phones, for example), where the login request is done and a new token generated, but the response is not received, so the browser and the server are out of sync with regard to tokens.
The second idea would be that the unique token could not be that unique and two different browsers could get the same one, so after one of those is used the other is out of sync (in this case, whether you have the openssl extension or a unix machine could matter).

Also if you have a really short session time (minutes or less) configured I can think of some scenarios that could trigger the issue.

I would add some extra time after the cookie should expire before deleting the old tokens in `cleanupLoginTokens`, or move `cleanupLoginTokens` after the `getKeys` in `tryRememberLogin()` to enable using tokens that are expired but not already used, but both changes will only help when the browser is sending the cookie when the server does not expect it to be set; in your cases it seems that the faulty cookie has an expiration date some time in the future, as you need to reset it manually.
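The two technical explanations in this thread, LukasReschke's (a "remember me" cookie is rejected once the server no longer holds a matching token, e.g. after a password change, and the rejection is logged as a possible attack) and friscoMad's above (the client and server can drift apart when the server rotates the token but the response never reaches the browser), are easier to reason about with a small model. The following Python is an added example written for this page; it is not ownCloud's code and is not from either commenter. The class and method names (`RememberMeStore`, `try_remember_login`, `cleanup_login_tokens`), the `oc_token` cookie name, the manual clock, and the `grace` parameter, which keeps a rotated token accepted for a short window instead of friscoMad's reordering of cleanup and lookup, are all assumptions of the example.

```python
"""Server-side model of 'remember me' login tokens (constructed example)."""
import hashlib
import logging
import secrets

log = logging.getLogger("core")


class RememberMeStore:
    def __init__(self, lifetime=86400, grace=0):
        self.lifetime = lifetime  # seconds a token is valid after issue
        self.grace = grace        # seconds a rotated (replaced) token is still accepted
        self.now = 0              # manual clock so the scenarios below are deterministic
        self.passwords = {}       # user -> sha256(password); toy only, no salt or KDF
        self.tokens = {}          # user -> {sha256(token): {"issued": t, "replaced": t | None}}

    @staticmethod
    def _h(value):
        # Only hashes are stored, so a database dump does not yield usable cookies.
        return hashlib.sha256(value.encode()).hexdigest()

    def set_password(self, user, password):
        """A password change drops every remember-me token of the user; the next
        cookie login is then rejected, which is the case LukasReschke describes."""
        self.passwords[user] = self._h(password)
        self.tokens[user] = {}

    def login(self, user, password):
        """Password login. Returns the cookie pair to set, or None."""
        if self.passwords.get(user) != self._h(password):
            return None
        return self._issue(user)

    def _issue(self, user):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; collisions are not a concern
        self.tokens.setdefault(user, {})[self._h(token)] = {"issued": self.now, "replaced": None}
        return {"oc_username": user, "oc_token": token}  # cookie names assumed

    def cleanup_login_tokens(self, user):
        """Drop tokens past their lifetime, and replaced tokens older than the grace window."""
        keep = {}
        for h, rec in self.tokens.get(user, {}).items():
            expired = self.now - rec["issued"] > self.lifetime
            stale = rec["replaced"] is not None and self.now - rec["replaced"] > self.grace
            if not (expired or stale):
                keep[h] = rec
        self.tokens[user] = keep

    def try_remember_login(self, cookies):
        """Validate the cookie pair; on success rotate the token and return new cookies.
        The old token is only marked as replaced, so a client whose previous response
        was lost can retry with it while the grace window is open."""
        user, token = cookies.get("oc_username"), cookies.get("oc_token")
        if user is None or token is None:
            return None
        self.cleanup_login_tokens(user)
        rec = self.tokens.get(user, {}).get(self._h(token))
        if rec is None:
            # Same event the thread's OC_Log line records: either a replayed or guessed
            # cookie, or simply a client that is out of sync with the server.
            log.warning("Authentication cookie rejected for user %s", user)
            return None
        if rec["replaced"] is None:
            rec["replaced"] = self.now
        return self._issue(user)


def password_change_rejects_old_cookie():
    s = RememberMeStore()
    s.set_password("alice", "correct horse")
    cookies = s.login("alice", "correct horse")
    s.set_password("alice", "battery staple")
    return s.try_remember_login(cookies) is None


def normal_rotation():
    """Happy path: each cookie login hands out a fresh token and consumes the old one."""
    s = RememberMeStore()
    s.set_password("carol", "pw")
    old = s.login("carol", "pw")
    s.now += 10
    new = s.try_remember_login(old)
    s.now += 10
    return (new is not None
            and s.try_remember_login(new) is not None
            and s.try_remember_login(old) is None)


def lost_response_recovers(grace):
    """friscoMad's scenario: the server rotates the token but the browser never sees the
    response. Returns True if the browser's retry with the OLD cookie is still accepted."""
    s = RememberMeStore(grace=grace)
    s.set_password("bob", "pw")
    cookies = s.login("bob", "pw")
    s.now += 600
    s.try_remember_login(cookies)  # response lost: the client never learns the new token
    s.now += 5
    return s.try_remember_login(cookies) is not None


if __name__ == "__main__":
    print("password change rejects old cookie:", password_change_rejects_old_cookie())
    print("lost response, grace=0 recovers:   ", lost_response_recovers(grace=0))
    print("lost response, grace=30 recovers:  ", lost_response_recovers(grace=30))
```

With `grace=0` the model behaves like a strict rotate-and-delete scheme and the retry after a lost response is rejected and logged, exactly the lockout users in this thread report; a short grace window lets the retry through while still limiting how long a captured old cookie stays useful. The trade-off is that any grace window, and equally any delay added before deletion in a cleanup routine, extends the time a stolen cookie can be replayed, so it should be a few seconds or minutes, not hours.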

@bantu

bantu commented Oct 28, 2013

@frisco82 Development on localhost. Switching from master to branches, to stable5 and back and forth all the time. Nuking the configuration files every now and then, reinstalling every now and then.

@friscoMad
Contributor

Umm #3985 wasn't backported to OC5, so that could trigger the issue if you logout in OC5, change to OC6 and continue working without closing the browser/deleting the session files.

@karlitschek
Contributor

Should be fixed. If not, then please open a new issue.

@Bugsbane

Bugsbane commented Jun 1, 2014

I just got this with OC 6.0.3, although all I had to do was enter my login details again and all was good. I didn't need to delete cookies or anything. The message still appears though.

@mflu

mflu commented Jun 17, 2014

I also got this with OC 6.0.3 (upgraded from 6.0.2)

@lock lock bot locked as resolved and limited conversation to collaborators Aug 16, 2019