Server: Logging out from Nextcloud deletes all cookies from sibling subdomains
Scenario
Nextcloud 13.0.1 installed on cloud.example.com subdomain with HTTPS
Roundcube 1.3.4 installed on mail.example.com subdomain with HTTPS
So both have their individual subdomain under our own domain (replaced with example.com here in bug report).
Steps to reproduce
- Open Chromium/Chrome (tested with 63+)
- Log in to Roundcube (or any web page that uses session cookies, e.g. Redmine)
- In a new tab log in to Nextcloud
- Log out from Nextcloud
Expected behaviour
Nextcloud will be logged out. Roundcube will still be logged in and usable.
Actual behaviour
Nextcloud will be logged out. Roundcube session will be expired and user logged out. This is the actual issue.
More info
- It happens with Chrome/Chromium only, _Firefox_ works as expected.
- What happens exactly: logging out from Nextcloud deletes all cookies from sibling subdomains resulting in end of session for the other web applications.
Server configuration
Operating system: CentOS 7 (Virtualmin is used)
Web server: Stock Apache
Database: Stock MySQL
PHP version: Stock version
Nextcloud version: 13.0.1
Updated from an older Nextcloud/ownCloud or fresh install: updated from latest 12.0.x
Signing status:
Signing status
No errors have been found.
Are you using external storage, if yes which one: no
Are you using encryption: no
Are you using an external user-backend, if yes which one: IMAP
Client configuration
Browser: Chromium 64, Chrome 65
Operating system: Linux, Windows
Logs
Browser log
Browser log when logging out (domain replaced with
example.com)
cloud.example.com/:1 Clear-Site-Data header on 'https://cloud.example.com/logout?requesttoken=k9K/ULgi8Ht9z4vTCYyHLAFCRS3wWjWXSLvvkR0dipk%3D%3Aq6vSGtkQtDwUmv%2BjO%2BPFTVRydkqiIGDgZ%2B625CxFwq0%3D': The "cache" datatype is temporarily not supported.
cloud.example.com/:1 Clear-Site-Data header on 'https://cloud.example.com/logout?requesttoken=k9K/ULgi8Ht9z4vTCYyHLAFCRS3wWjWXSLvvkR0dipk%3D%3Aq6vSGtkQtDwUmv%2BjO%2BPFTVRydkqiIGDgZ%2B625CxFwq0%3D': Unrecognized type: "executionContexts".
cloud.example.com/:1 Clear-Site-Data header on 'https://cloud.example.com/logout?requesttoken=k9K/ULgi8Ht9z4vTCYyHLAFCRS3wWjWXSLvvkR0dipk%3D%3Aq6vSGtkQtDwUmv%2BjO%2BPFTVRydkqiIGDgZ%2B625CxFwq0%3D': Cleared data types: "cookies", "storage".
Navigated to https://cloud.example.com/login
core.js?v=cc8677c4-25:7 JQMIGRATE: Migrate is installed, version 1.4.0
DevTools failed to parse SourceMap: https://cloud.example.com/core/vendor/purify.min.js.map
bszente
All 19 comments
There has been a roundcube app for owncloud/Nextcloud, not sure if it still exists, but in case you have such a plugin which could make use of the webmail cookies, that would be important to know.
How do you know that it is not a browser bug?
tflidd
on 31 Mar 2018
No, there is no Roundcube app installed. We have only some of the official Nextcloud Apps (Calendar, Notes, etc., so no special, custom or unsupported addons). Our Roundcube is a _completely independent_ instance.
Whether it is a browser bug or not, I don't know, hence this bug report.
However there are some facts:
- We have also a Redmine instance, on
redmine.example.comsibling subdomain. Cookies are cleared on this domain as well. Redmine is not even PHP, but Ruby. So it seems all subdomains got cookies cleared in the moment of the Nextcloud logout. - Logging out from Roundcube and Redmine works as expected, does not influence sibling subdomains.
- It is only Nextcloud's logout, which clears sibling subdomains' cookies.
- Nextcloud uses
Clear-Site-Dataat logout, while Roundcube/Redmine does not.
Could it be possible, that Nextcloud's Clear-Site-Data implementation in context of Chromium/Chrome browser does not work as expected?
Thank you.
bszente
on 10 Apr 2018
@LukasReschke
tflidd
on 11 Apr 2018
Hi,
I also need to create a Cookie in my app, but every time user logout, all cookies are deleted, due to Clear-Site-Data implementation (https://www.w3.org/TR/clear-site-data/#grammardef-cookies). How to make persistant cookie? Thank you!
rcdevs
on 12 Apr 2018
@rcdevs, I believe your question is not related to my issue. My bug report is about Nextcloud deleting other, unrelated web page cookies that reside on different subdomains of the same main domain. And it happens only in Chrome/Chromium.
bszente
on 12 Apr 2018
Yes you're right, it should not delete subdomain's cookies... For now, waiting for a good answer, the only way to avoid this behavior is to comments //$response->addHeader('Clear-Site-Data', '"cache", "cookies", "storage", "executionContexts"'); or delete ["cookies",] on line 123 in public function logout() in file core/Controller/LoginController.php
rcdevs
on 12 Apr 2018
Can confirm this also happens when not using subdomains. If Nextcloud is at domain.com/nextcloud, and horde is at domain.com/horde, logging out of Nextcloud results in being logged out of horde as well. This happens when using Chrome, but not Firefox.
danb35
on 13 May 2018
I can confirm this issue still exists on Nextcloud 13.0.4. Logging out from Nextcloud on subdomain cloud.example.com, deletes the cookies from other subdomains (mail.example.com, rss.example.com, blog.example.com), too...
WolfgangWeber
on 11 Jul 2018
Yeah, I can confirm this one too.
arno1979
on 2 Aug 2018
Has somebody tested it with 14.0.0?
Ninjiner
on 10 Sep 2018
Has somebody tested it with 14.0.0?
The logout() function in core/Controller/LoginController.php is the same, so most likely the issue is still present. I did not test it though.
bszente
on 11 Sep 2018
I just tried with NC 14 and chrome. If the roundcube user and the NC user have different user names, the session will not expire. It is just when both user id's are the same.
However, I can logout from Roundcube without being logged out from Nextcloud!
tflidd
on 11 Sep 2018
@tflidd yes, that is right. In our setup the user IDs are the same (NextCloud uses external authentication through IMAP). So, the issue still persists.
bszente
on 11 Sep 2018
However, I can logout from Roundcube without being logged out from Nextcloud!
That's because the bug is in Nextcloud, not in Roundcube. Horde behaves the same way--if I log out of Nextcloud, I'm also logged out of Horde.
danb35
on 11 Sep 2018
That's because the bug is in Nextcloud, not in Roundcube. Horde behaves the same way--if I log out of Nextcloud, I'm also logged out of Horde.
yes, I just wanted to verify that it is not a new default behavior in Chrome.
tflidd
on 11 Sep 2018
I think I'm getting the same problem. The usernames are different and it is a custom application in the web server root (with Nextcloud in a subdomain) and logging out of Nextcloud clears all the session cookies for the custom application.
terrytibbles
on 2 Oct 2018
I have the same problem on 14.0.3.
bormolino
on 5 Nov 2018
I have the same problem on 14.0.3.
14.0.3 is already released. I believe it will be backported to 14.0.4 (https://github.com/nextcloud/server/pull/12005)
bszente
on 5 Nov 2018
Correct 馃憤
MorrisJobke
on 5 Nov 2018
Related issues
j-ed
路
3Comments
MariusBluem
路
3Comments
arno01
路
3Comments
mfechner
路
3Comments
georgehrke
路
3Comments
Most helpful comment
Yes you're right, it should not delete subdomain's cookies... For now, waiting for a good answer, the only way to avoid this behavior is to comments //$response->addHeader('Clear-Site-Data', '"cache", "cookies", "storage", "executionContexts"'); or delete ["cookies",] on line 123 in public function logout() in file core/Controller/LoginController.php