Bug description
Reading query logs I noticed
primary SELECT * FROM `oc_appconfig`
replica SELECT * FROM `oc_authtoken` WHERE (`token` = :dcValue1) AND (`version` = :dcValue2)
replica SELECT * FROM `oc_authtoken` WHERE (`token` = :dcValue1) AND (`version` = :dcValue2)
for every anonymous request.
The problem is that \OC\User\Session::tryTokenLogin tries to find a token for the current PHP session. \OC\Authentication\Token\PublicKeyTokenProvider::getToken does up to two lookups when the instance has an instance secret set. There will never be a hit. The only exception would be a hash collision of the new session ID and a previous one.
The solution would be to check if the request had sent a cookie with the instance id as name. Those are used for the PHP session. If there is no cookie, this is a new session, and there won't be a token.
Steps to reproduce
curl https://localhost/login
Expected behavior
primary SELECT * FROM `oc_appconfig`
Installation method
None
Nextcloud Server version
26
Operating system
None
PHP engine version
None
Web server
None
Database engine version
None
Is this bug present after an update or on a fresh install?
None
Are you using the Nextcloud Server Encryption module?
None
What user-backends are you using?
Default user-backend (database)
LDAP/ Active Directory
SSO - SAML
Other
Configuration report
No response
List of activated Apps
No response
Nextcloud Signing status
No response
Nextcloud Logs
No response
Additional info
No response
// Check if the request had sent a cookie with the instance id as name
// If there is no cookie, this is a new session
$instanceId = \OC::$server->getConfig()->getSystemValueString('instanceid');
if (!is_null($request->getCookie($instanceId))) {
    try {
        $dbToken = $this->tokenProvider->getToken($token);
    } catch (InvalidTokenException $e) {
        // Can't really happen but better safe than sorry
        return true;
    }
}
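The effect of the proposed cookie check on the number of token queries, as an added example that is not Nextcloud code: `CountingTokenStore`, the simplified `getToken` and `tryTokenLogin` functions, the hashing scheme and all sample values are hypothetical stand-ins for the classes named in the issue.

```php
<?php
declare(strict_types=1);

// Stand-in for the token table; counts every SELECT it would issue.
final class CountingTokenStore {
    public int $queries = 0;
    /** @var array<string,string> token hash => user id */
    private array $rows = [];

    public function add(string $hash, string $uid): void { $this->rows[$hash] = $uid; }
    public function find(string $hash): ?string {
        $this->queries++;
        return $this->rows[$hash] ?? null;
    }
}

// Models "up to two lookups": a hash that includes the instance secret, then a
// fallback hash without it (assumed hashing scheme, for illustration only).
function getToken(CountingTokenStore $store, string $sessionId, string $secret): ?string {
    return $store->find(hash('sha512', $sessionId . $secret))
        ?? $store->find(hash('sha512', $sessionId));
}

// $guard = true applies the check proposed in the issue: no cookie named after
// the instance id means a brand-new PHP session, so no token can exist yet.
function tryTokenLogin(CountingTokenStore $store, array $cookies, string $instanceId,
                       string $secret, bool $guard): ?string {
    if ($guard && !isset($cookies[$instanceId])) {
        return null; // skip the token table entirely
    }
    // PHP reuses the cookie value as session id, or mints a fresh one.
    $sessionId = $cookies[$instanceId] ?? bin2hex(random_bytes(16));
    return getToken($store, $sessionId, $secret);
}

// Constructed sample data.
$instanceId = 'ocexample123';
$secret = 'constructed-secret';
$store = new CountingTokenStore();
$store->add(hash('sha512', 'known-session' . $secret), 'alice');

foreach ([false, true] as $guard) {
    foreach (['anonymous' => [], 'returning' => [$instanceId => 'known-session'],
              'unknown cookie' => [$instanceId => 'bogus']] as $label => $cookies) {
        $store->queries = 0;
        $uid = tryTokenLogin($store, $cookies, $instanceId, $secret, $guard);
        printf("guard=%d %-14s uid=%-5s queries=%d\n", (int)$guard, $label, $uid ?? '-', $store->queries);
    }
}
```

A cookie-less request issues no token queries once the guard is on, while a request carrying any cookie with that name, valid or not, still performs the lookups. The cookie is client-controlled, so the check only saves work and must not be read as evidence of an authenticated session.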