Server: The session is not closed after the web browser is closed, the user remains logged in

GitMate.io thinks possibly related issues are https://github.com/nextcloud/server/issues/3657 (Cannot log in to web console after install), https://github.com/nextcloud/server/issues/2081 (Custom session variable disappear after several days but user still logged in), https://github.com/nextcloud/server/issues/2967 (User cannot log in the web interface), https://github.com/nextcloud/server/issues/2927 (add the possibility to close a user account from the web interface), and https://github.com/nextcloud/server/issues/10711 (Upload Problem on Web Browsers).

If by »session close« you mean »log out«, then this is intentional. Web services don’t log people out unless specifically "Log out" was used. Otherwise people have to log in every time they start up their computer, or close the browser (accidentally or not) and this is annoying.

cc @rullzer @MorrisJobke

In NC13, the behavior was such that when the browser was closed, the user log out.

Then how to understand these settings:

'remember_login_cookie_lifetime' => 606024*15,
Lifetime of the remember login cookie, which is set when the user clicks the remember checkbox on the login screen.

Defaults to 606024*15 seconds (15 days)

'session_lifetime' => 60 * 60 * 24,
The lifetime of a session after inactivity.

Defaults to 606024 seconds (24 hours)

'session_keepalive' => true,
Enable or disable session keep-alive when a user is logged in to the Web UI.

Enabling this sends a “heartbeat” to the server to keep it from timing out.

And where did the "remember checkbox"?

And where did the "remember checkbox"?

We removed it because people will always be remembered. Until you use the "Log out" function. Much simpler.

In NC13, the behavior was such that when the browser was closed, the user log out.

Ok, but as said above:

Web services don’t log people out unless specifically "Log out" was used. Otherwise people have to log in every time they start up their computer, or close the browser (accidentally or not) and this is annoying.

Regarding the technical stuff, someone more technical (like @rullzer @MorrisJobke @juliushaertl) will have to comment. :)

thank you for your patience:) and your work!

FYI, added this back in the VM as users requested it.

No option for automatic logout on browser close becomes problematic if nextcloud is used for another service via OAuth. For example I use my service to login to nextcloud (with help of Social Login App). When I logout from my service, I close the browser, but forgot to logout from Nextcloud.
In this case another person can access my Nextcloud account when he opens the browser again.

If I recall correctly, there is no API to logout the user from nextcloud remotely.

FYI, added this back in the VM as users requested it.

@enoch85 If I understand correctly, this means that users will be logged out again after they browser has been closed when upgrading to Nextcloud 15? That would be such a relief as not being logged out automatically is a real concern when using public computers.

@ksmolder Yes that's correct. Though I changed it to 30 minutes in the latest version as I noticed some issues with uploading in the Web GUI.

You will automatcally be logged out, and if you want to be logged out faster than 30 minutes, then change it to whatever you like in config.php.

As there is no feedback since a while I will close this ticket. If this is still happening please make sure to upgrade to the latest version. After that, feel free to reopen.

@skjnldsv The default behavior is to stay logged in unless you click "Logout". This wasn't the behavior before and this ticket addresses that. So unless you will revert to the old behavior or set a sane default IMHO this ticket is still valid.

If by »session close« you mean »log out«, then this is intentional. Web services don’t log people out unless specifically "Log out" was used.

If you on the other hand don't intend to change it, it can remain closed.

No, iirc we tend to go the same way others big services are doing it.
Nowadays almost all the website I use keep me logged in (the only I have in mind is medium and it's a pain in the :peach: to login every day) :)

We removed the keep me logged in button for this exact purpose.

HI, imagine a laptop got stollen. What can an administrator do to log out the user remotely ?

HI, imagine a laptop got stollen. What can an administrator do to log out the user remotely ?

The user can simply log in on any other device and go to their session overview to close the session. If the laptop has a desktop client with files, the remote wipe function will remove all the files from the laptop. For privacy reasons, the admin can not control individual sessions, only wipe all devices and close all sessions from the user.

Here is a screenshot.