-
-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Handle session closure properly for redirecting to a controller in a post_login hook #1303
Comments
Not sure whether it is of any help, by coincidence I saw that the recently reported #1282 has the same stacktrace, but in a different testing scenario. Maybe there is some correlation? If yes, one fix could close two issues 😋 |
@GitHubUser4234 I ran into a similar issue latly, so please retry on master, whether 2cd92d0 fixes the issue |
@nickvergessen : Thanks for the hint, I just retried, but unfortunately the error is still there. Line numbers of the stacktrace remain unchanged. |
As discussed with @nickvergessen in IRC, this can quickly be reproduced by adding the following lines to server/apps/dav/lib/HookManager.php Line 143 in ce964f0
The error would then occur in the server log (NOT nc log), for instance on Apache in the error_log / ssl_error_log file. |
Ran into the same issue while trying to have #1893 in a separate app. |
More informations before the session issue itself happens. The default encryption module app is enabled but not used.
|
Exact the same stacktrace as in my first post appears in your logs? And also a similar situation (post_login hook -> Controller)? |
@LukasReschke and @nickvergessen want to look into this again for Nextcloud 11 |
Yes.
No, trying to delete an user and disconnect him. |
Very happy, thanks guys :) |
Interesting information, so seems the problem might have a wider impact, hm... |
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Minimal example is in the branch minimal-example-for-1303. See 0191995 To test this try to login and look at
cc @rullzer |
If the session is cleared and closed for whatever reason the loadVersion will write to the session anyways. This will lead to an exception. This should fix #1303 Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Thanks a lot @MorrisJobke @nickvergessen @LukasReschke @rullzer for the fix :)) The fix solves the major part of the problem, however a flaw has been found which I'm currently discussing with @LukasReschke : Remove |
A reminder for everyone still running into the same problem even after applying the fix: In case the methods involved work with sessions, you also need add the "@usesession" annotation for them. |
Mmmm @GitHubUser4234 I think this is because we do write a requesttoken into the session. Then the second time we want to compare that but it fails hard. I will discuss with @LukasReschke and see if we can fix this. |
Awesome :)) |
As discussed today on IRC. Lets try to solve this somewhat safe early in the 12 cycle. |
'early' would be now, I suppose :D |
Hehe, yeah would be really great if someone could have a look at it :) |
@rullzer Hem, hem :) |
Ah yes. sorry this slipped off my radar. No promises but I have it on the list for this week... Now we just pray nothing comes up |
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
This is a hacky way to allow the use case of #1303. What happens is 1. User tries to login 2. PreLoginHook kicks in and figures out that the user need to change their LDAP password or whatever => redirects user 3. While loading the redirect some logic of ours kicks in and logouts the user (thus clearing the session). 4. We render the new page but now the session and the page disagree about the CSRF token This is kind of hacky but I don't think it introduces new attack vectors. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Do not clear CSRF token on logout (fix for #1303)
Cool, it has been merged, thanks a lot!!! |
When a redirect to a controller is performed within the method of a post_login hook, an internal error occurs and gets printed in the webserver log (not NC log):
Here is an example code of this happening:
Redirect in the method of a post_login hook
Target method of the controller
The problem is caused by the CryptoSessionData trying to close a session that is already closed. Even if the example code didn't include any session related code, the error would still occur (this has been tested).
The issue has been discussed with @LukasReschke with the result that further investigation would be necessary on whether session closure is actually necessary in this situation and if yes, how to handle session closure properly.
PR #1023 depends on this, any help is appreciated, thanks 😃
Edit: A subsequent call to the next method within the controller requiring CSRF fails saying "CSRF check failed", even though a request token was posted to the server correctly. Probably the token got lost somehow because for this call an attempt to close the session is made yet again, resulting in the same stacktrace as above. So it looks like not trying to close the session would be of a help?
The text was updated successfully, but these errors were encountered: