Token expired. Please reload page on fresh Owncloud 6.0.2 #7707

Closed
Der-Zohan opened this issue Mar 13, 2014 · 37 comments

@Der-Zohan

Hello,

I've installed a fresh Owncloud 6.0.2 and get this error every time I try to enable or disable an app.

Kernel: Linux version 3.0.36+
OS: Ubuntu/Linaro 4.8.1-10ubuntu7
Owncloud: 6.0.2
Webserver: Apache 2.4.6
Browser: Firefox 27; IE11
DB: MySQL

Log:
[screenshot: unbenannt]

Edit:
When I disable the function to force ssl and connect over an http connection to owncloud I can enable and disable apps.

@karlitschek
Contributor

@tanghus What do you think?

@Niduroki
Member

@karlitschek that log message is unrelated and fixed in the next minor release owncloud/contacts#405

I'm having the same issue by the way. I can't change avatars, load previews, do anything that's not done in the initial response. Everything ajax-y is broken …

@LukasReschke you're the session/auth/security guy …

@LukasReschke
Member

Could you please post your config.php here?

@Niduroki
Member

Niduroki commented Mar 13, 2014

It's actually working for me on stable6, but not on master:

<?php
$CONFIG = array (
  'instanceid' => 'oceaab65ce89',
  'passwordsalt' => '*** Removed for security reasons',
  'trusted_domains' => 
  array (
    0 => 'testcloud.ts.unde.re',
  ),
  'datadirectory' => '/home/http/testcloud/data',
  'dbtype' => 'sqlite3',
  'version' => '6.90.0.1',
  'installed' => true,
  'basic_auth' => false,
  'mail_smtpmode' => 'php',
  'mail_smtpsecure' => 'tls',
  'mail_smtpauth' => true,
  'forcessl' => true,
);

Regarding trusted_domains: I access this instance via 2 domains, but mainly from the one that's already in the trusted_domains array.

@tanghus
Contributor

tanghus commented Mar 13, 2014

Try to do some poor-man debugging by adding

console.log('requesttoken', requesttoken);

just before

xhr.setRequestHeader('requesttoken', oc_requesttoken);

in
https://github.com/owncloud/core/blob/master/core/js/oc-requesttoken.js#L2
You will have to add define('DEBUG', true); to config/config.php

@tanghus
Contributor

tanghus commented Mar 13, 2014

The requesttoken stuff has changed quite a bit, and while searching for it, I found it mentioned in core.json. What is that file used for?

@Niduroki
Member

@tanghus console.log('requesttoken', oc_requesttoken); 😉

This just spams my requesttoken to the console:
requesttoken 3e6fbf9242a02471f403
That's nothing new though, as network-requests like the avatar-requests include the requesttoken for me, so it's not undefined.

@tanghus
Contributor

tanghus commented Mar 13, 2014

@Kondou-ger and they don't change value?

@tanghus
Contributor

tanghus commented Mar 13, 2014

Then we're in OC\Server. Pulling in @bartv2 as he wrote that piece of code
https://github.com/owncloud/core/blob/master/lib/private/server.php#L32

@Niduroki
Member

@tanghus they change every time I reload. E.g.:
Go to https://testcloud.ts.unde.re/index.php/apps/files

requesttoken ad4ef3e0ebe231bd7352
requesttoken ad4ef3e0ebe231bd7352
requesttoken ad4ef3e0ebe231bd7352
requesttoken ad4ef3e0ebe231bd7352
requesttoken ad4ef3e0ebe231bd7352
requesttoken ad4ef3e0ebe231bd7352 

Go to https://testcloud.ts.unde.re/index.php/settings/personal

requesttoken 8d46b2a2b4819ce8c9a3
requesttoken 8d46b2a2b4819ce8c9a3
requesttoken 8d46b2a2b4819ce8c9a3
requesttoken 8d46b2a2b4819ce8c9a3
requesttoken 8d46b2a2b4819ce8c9a3
requesttoken 8d46b2a2b4819ce8c9a3

Go to https://testcloud.ts.unde.re/index.php/settings/apps?installed

requesttoken ccb26ea579c726aefb06
requesttoken ccb26ea579c726aefb06
requesttoken ccb26ea579c726aefb06
requesttoken ccb26ea579c726aefb06

@stephane-martin
Contributor

What kind of auth do you use? Native owncloud? Http basic? With ldap
backend? I had similar problems with owncloud 5. Was related to session
expiration and http basic auth.

Regards,
Stephane

@Niduroki
Member

Native owncloud, but my installation is protected via basic_auth (which I'm not using for auth though)

Basic_Auth might be the problem here …

@tanghus
Contributor

tanghus commented Mar 13, 2014

> they change every time I reload. E.g.:

That's the intended way. At least it was. @karlitschek I don't recall if requesttoken has been saved in session from the start?

@tanghus
Contributor

tanghus commented Mar 13, 2014

@Kondou-ger didn't you implement something related to disabling checking basic auth?

@Niduroki
Member

yeah, but that's only on login – I'm not sure whether that disabled all http_basic stuff as well …

@LukasReschke
Member

> That's the intended way. At least it was.

It should store the token as reusing it is not a problem.

@tanghus
Contributor

tanghus commented Mar 13, 2014

@Kondou-ger you can try to do some logging in OC_Util::callRegister() and see if the requesttoken generated/read is the same as the one printed in oc-requesttoken.js

@Niduroki
Member

I just disabled basic_auth temporarily and it's still happening.
Having a look at @tanghus's hint.

@Niduroki
Member

@tanghus the logged requesttoken in OC_Util::callRegister() and oc_requesttoken match.

@Niduroki
Member

Niduroki commented Apr 1, 2014

Found the culprit commit by going back the history: fc209a5

Uncommenting that line solves the issue for me.

@LukasReschke
Member

My best guess is that somehow login() is called on every one of your requests, which regenerates the session, which in turn will generate a new request token.

Could you verify whether this is the case? - i.e. by adding a logging line to the function.

@Niduroki
Member

Niduroki commented Apr 2, 2014

@LukasReschke yup, that's it:
One request:

{"app":"OC\\User","message":"login called","level":2,"time":"2014-04-02T11:52:45+00:00"}
{"app":"OC\\User","message":"login called","level":2,"time":"2014-04-02T11:52:45+00:00"}
{"app":"OC\\User","message":"login called","level":2,"time":"2014-04-02T11:52:46+00:00"}
{"app":"OC\\User","message":"login called","level":2,"time":"2014-04-02T11:52:46+00:00"}
{"app":"OC\\User","message":"login called","level":2,"time":"2014-04-02T11:52:46+00:00"}
{"app":"OC\\User","message":"login called","level":2,"time":"2014-04-02T11:52:46+00:00"}
{"app":"OC\\User","message":"login called","level":2,"time":"2014-04-02T11:52:47+00:00"}
{"app":"OC\\User","message":"login called","level":2,"time":"2014-04-02T11:52:47+00:00"}
{"app":"OC\\User","message":"login called","level":2,"time":"2014-04-02T11:52:47+00:00"}
{"app":"OC\\User","message":"login called","level":2,"time":"2014-04-02T11:52:47+00:00"}
{"app":"OC\\User","message":"login called","level":2,"time":"2014-04-02T11:52:47+00:00"}

@DeepDiver1975
Member

Autch! 💣

@TheBoojum

Hi,

I also have just installed OC 6.0.2 on a hosted web server and I'm currently configuring, setting up and 'testing' the installation for use as a group share. I'm getting the same 'token expired' problem on practically every action I take.

Is there anything being done to fix this and / or is there anything that I can do (as someone who knows little or nothing about PHP) to get round it?

@tanghus
Contributor

tanghus commented Apr 2, 2014

> i.e. by adding a logging line to the function.

Try to do a debug_backtrace loop and find the caller.

@Niduroki
Member

Niduroki commented Apr 2, 2014

Seems to be related to basic_auth after all …

This is debug_backtrace() for every call of login(), basic_auth_loginname and basic_auth_password were my actual data:

Array
(
    [0] => Array
        (
            [file] => /home/http/testcloud/lib/base.php
            [line] => 921
            [function] => login
            [class] => OC_User
            [type] => ::
            [args] => Array
                (
                    [0] => basic_auth_loginname
                    [1] => basic_auth_password
                )

        )

    [1] => Array
        (
            [file] => /home/http/testcloud/lib/base.php
            [line] => 701
            [function] => tryBasicAuthLogin
            [class] => OC
            [type] => ::
            [args] => Array
                (
                )

        )

    [2] => Array
        (
            [file] => /home/http/testcloud/index.php
            [line] => 28
            [function] => handleRequest
            [class] => OC
            [type] => ::
            [args] => Array
                (
                )

        )

)

Looks like this one has to be bypassed if basic_auth is set to false in config.php as well. I'll make a PR for that.
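
A minimal model of the behaviour diagnosed in the comments above, added here as an illustration; it is not from the thread and not ownCloud's code, `ModelServer` and its members are hypothetical names, and it assumes PHP 8. It shows why a Basic-Auth login that runs on every request and restarts the session makes the token rendered into the page fail on the next AJAX call, and how the bypass proposed above (skip the attempt when `basic_auth` is `false`) keeps the token stable.

```php
<?php
// Added model of the failure in this thread; NOT ownCloud code.
// ModelServer and its members are hypothetical names.
final class ModelServer
{
    private array $session = [];   // stands in for the PHP session
    public int $loginCalls = 0;

    public function __construct(
        private bool $basicAuthEnabled,  // models 'basic_auth' in config.php
        private bool $honourConfigFlag   // true = skip the attempt when the flag is false
    ) {}

    // Models login(): a new session is started, so any stored token is dropped.
    private function login(string $user): void
    {
        $this->loginCalls++;
        $this->session = ['user' => $user];
    }

    // Reuse the token stored in the session, or create one (assumed behaviour).
    private function requestToken(): string
    {
        return $this->session['requesttoken'] ??= bin2hex(random_bytes(10));
    }

    // $authUser: user from the Authorization header, or null.
    // $sentToken: 'requesttoken' header of an AJAX call, or null for a page load.
    public function handle(?string $authUser, ?string $sentToken): array
    {
        $attempt = $this->honourConfigFlag ? $this->basicAuthEnabled : true;
        if ($attempt && $authUser !== null) {
            $this->login($authUser);     // runs on every request
        }
        $expected = $this->requestToken();
        $ok = $sentToken === null || hash_equals($expected, $sentToken);
        return ['ok' => $ok, 'token' => $expected];
    }
}

foreach ([false, true] as $honour) {
    $srv  = new ModelServer(false, $honour);
    $page = $srv->handle('constructed-user', null);            // page load renders a token
    $ajax = $srv->handle('constructed-user', $page['token']);  // AJAX sends it back
    printf("flag honoured=%s ajax=%s login calls=%d\n", var_export($honour, true),
        $ajax['ok'] ? 'accepted' : 'Token expired', $srv->loginCalls);
}
```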

@Niduroki
Member

Niduroki commented Apr 2, 2014

@Der-Zohan @TheBoojum are you using basic_auth for your setups as well?

@TheBoojum

@Kondou-ger

Honest answer: not sure.

I'm certainly not using LDAP authorisation. At the moment I'm just using the user names and passwords set up within OC. I'm guessing that's Native ownCloud and not basic_auth.

@Niduroki
Member

Niduroki commented Apr 2, 2014

@TheBoojum try commenting out/removing this line temporarily. If the problem is fixed my PR solves it …

@TheBoojum

@Kondou-ger

Oooh! We really didn't like that. Just to confirm, I commented out the line you indicated in the file 'base.php' in the 'lib' directory.

The result was that the site lost all of its formatting. An example is attached.

[screenshot: oc with call commented out]

@Niduroki
Member

Niduroki commented Apr 3, 2014

@TheBoojum I just tested commenting out the named line in both stable6 and master and they both still look fine … Have a look at what css and js files aren't loaded and in your owncloud.log … These may shed some light on your issue …

@TheBoojum

@Kondou-ger

A job for tomorrow - OK, actually later today - me thinks.

@TheBoojum

@Kondou-ger

Looked at the logon page with both the unmodded and modded code.

The following files were loaded with both versions:
/core/img/actions/password.svg
/core/img/actions/user.svg
/core/img/favicon.png
/core/img/loading-dark.gif
/core/img/logo.svg
/core/js/visitortimezone.js?v=da54dd5a0398011cdfa50d559c2c0ef8
/index.php/core/js/config.js?v=da54dd5a0398011cdfa50d559c2c0ef8
/remote.php/core.css?v=da54dd5a0398011cdfa50d559c2c0ef8
/remote.php/core.js?v=da54dd5a0398011cdfa50d559c2c0ef8

The following were NOT loaded when I was using the code with the 'tryBasicAuthLogin' call commented out:
/core/img/breadcrumb.svg
/core/img/noise.png?2014-03-03T14:11:40Z
/index.php/apps/oclife/ajax/canEditTag.php
/index.php/core/ajax/translations.php
/index.php/core/routes.json

With the original code, the log file was empty. With the commented-out code there are about 120 lines. The vast majority are variations on:

{"app":"PHP","message":"Cannot modify header information - headers already sent by (output started at /var/sites/o/owncloud.thecogswells.co.uk/public_html/lib/base.php:1) at /var/sites/o/owncloud.thecogswells.co.uk/public_html/lib/private/template.php#69","level":3,"time":"2014-04-03T09:58:14+00:00"}

interspersed with a few versions of:

{"app":"PHP","message":"session_start() [function.session-start</a>]: Cannot send session cache limiter - headers already sent (output started at /var/sites/o/owncloud.thecogswells.co.uk/public_html/lib/base.php:1) at /var/sites/o/owncloud.thecogswells.co.uk/public_html/lib/private/session/internal.php#21","level":3,"time":"2014-04-03T09:58:14+00:00"}

Hope that helps.

@Niduroki
Member

Niduroki commented Apr 3, 2014

@TheBoojum try manually applying https://github.com/owncloud/core/pull/7852/files then. That PR is way better than mine.

@PVince81
Contributor

PVince81 commented May 6, 2014

The PR has been merged to master.
@Kondou-ger if you think it fixes the issue then this can be closed.

@TheBoojum did you have any luck with that PR ?

@Niduroki
Member

Niduroki commented May 6, 2014

@Der-Zohan @TheBoojum try again with latest master. #7852 has been merged and this should be fixed now. Reopen if this isn't fixed by #7852

@lock

lock bot commented Aug 2, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Aug 2, 2019