cookie to receive the login in the browser can not be read -> user is logged out after closing the browser

[4tler]

Version: NC 20.0.2
PHP: 7.4
web: NGinx
tested browsers: Firefox, Chrome

Readjust error:

1. create new user
2. insert a space in the user name (e.g. Hans Peter)
3. close browser
4. open browser

If the username contains a space, the cookie which indicates that you are already logged in to this system can probably not be read or correctly assigned. This means that you will have to log in again and again as soon as the browser is closed.

This was tested on 3 NC instances by creating one user with and one without spaces. The one without spaces remained logged in, the one with had to log in again and again.

[mziech]

I was observing the same behavior on my instance, essentially all users with a space in the name have to login twice after the session expired.

I tracked down the issue to a non-obvious change in PHP 7.4.2 and 7.4.3, which makes cookie encoding and decoding RFC compliant. See:

• https://bugs.php.net/bug.php?id=78929
• Fix #78929: Fix a cookie parsing value. Switch to a php_raw_url_decode() php/php-src#4989
• php/php-src@addc3c9

Basically PHP < 7.4.2 would encode Hans Peter as Hans+Peter and decode back to Hans Peter. However, PHP > 7.4.3 encode Hans Peter to Hans%20Peter and decode Hans+Peter to Hans+Peter leading to a clash in the expected UID.

php > echo(rawurldecode(urlencode('Hans Peter')));
Hans+Peter
php > echo(urldecode(rawurlencode('Hans Peter')));
Hans Peter
php > echo(urldecode(urlencode('Hans Peter')));
Hans Peter
php > echo(rawurldecode(rawurlencode('Hans Peter')));
Hans Peter

Since NextCloud uses its own cookie encoding function, the PHP 7.4.3 encoding fix won't work. I fixed the issue by changing urlencode to rawurlencode in https://github.com/nextcloud/server/blob/master/lib/private/Http/CookieHelper.php#L46