Logging out from Nextcloud deletes all cookies from sibling subdomains #9010
Comments
|
There has been a roundcube app for owncloud/Nextcloud, not sure if it still exists, but in case you have such a plugin which could make use of the webmail cookies, that would be important to know. How do you know that it is not a browser bug? |
|
No, there is no Roundcube app installed. We have only some of the official Nextcloud Apps (Calendar, Notes, etc., so no special, custom or unsupported addons). Our Roundcube is a completely independent instance. Whether it is a browser bug or not, I don't know, hence this bug report. However there are some facts:
Could it be possible, that Nextcloud's Thank you. |
|
Hi, |
|
@rcdevs, I believe your question is not related to my issue. My bug report is about Nextcloud deleting other, unrelated web page cookies that reside on different subdomains of the same main domain. And it happens only in Chrome/Chromium. |
|
Yes you're right, it should not delete subdomain's cookies... For now, waiting for a good answer, the only way to avoid this behavior is to comments //$response->addHeader('Clear-Site-Data', '"cache", "cookies", "storage", "executionContexts"'); or delete ["cookies",] on line 123 in public function logout() in file core/Controller/LoginController.php |
|
Can confirm this also happens when not using subdomains. If Nextcloud is at domain.com/nextcloud, and horde is at domain.com/horde, logging out of Nextcloud results in being logged out of horde as well. This happens when using Chrome, but not Firefox. |
|
I can confirm this issue still exists on Nextcloud 13.0.4. Logging out from Nextcloud on subdomain cloud.example.com, deletes the cookies from other subdomains (mail.example.com, rss.example.com, blog.example.com), too... |
|
Yeah, I can confirm this one too. |
|
Has somebody tested it with 14.0.0? |
The |
|
I just tried with NC 14 and chrome. If the roundcube user and the NC user have different user names, the session will not expire. It is just when both user id's are the same. |
|
@tflidd yes, that is right. In our setup the user IDs are the same (NextCloud uses external authentication through IMAP). So, the issue still persists. |
That's because the bug is in Nextcloud, not in Roundcube. Horde behaves the same way--if I log out of Nextcloud, I'm also logged out of Horde. |
yes, I just wanted to verify that it is not a new default behavior in Chrome. |
|
I think I'm getting the same problem. The usernames are different and it is a custom application in the web server root (with Nextcloud in a subdomain) and logging out of Nextcloud clears all the session cookies for the custom application. |
|
I have the same problem on 14.0.3. |
14.0.3 is already released. I believe it will be backported to 14.0.4 (#12005) |
|
Correct 👍 |
Scenario
Nextcloud 13.0.1 installed on
cloud.example.comsubdomain with HTTPSRoundcube 1.3.4 installed on
mail.example.comsubdomain with HTTPSSo both have their individual subdomain under our own domain (replaced with
example.comhere in bug report).Steps to reproduce
Expected behaviour
Nextcloud will be logged out. Roundcube will still be logged in and usable.
Actual behaviour
Nextcloud will be logged out. Roundcube session will be expired and user logged out. This is the actual issue.
More info
Server configuration
Operating system: CentOS 7 (Virtualmin is used)
Web server: Stock Apache
Database: Stock MySQL
PHP version: Stock version
Nextcloud version: 13.0.1
Updated from an older Nextcloud/ownCloud or fresh install: updated from latest 12.0.x
Signing status:
Signing status
Are you using external storage, if yes which one: no
Are you using encryption: no
Are you using an external user-backend, if yes which one: IMAP
Client configuration
Browser: Chromium 64, Chrome 65
Operating system: Linux, Windows
Logs
Browser log
Browser log when logging out (domain replaced with
example.com)The text was updated successfully, but these errors were encountered: