
User password change leads to logout of all other users #17166

@jbrrrr


Steps to reproduce

  1. Open two private tabs in your browser
  2. Log into your Nextcloud with two different users
  3. Change the password in the settings/security for user A
  4. User B is logged out, user A stays logged in. (Users C, D, etc. are logged out too)

Has been tested and reproduced on different NC instances (15.0.11, 16.0.4).

SQL query that may cause the problem:
DELETE FROM oc_authtoken WHERE (type = '0') AND (id <> '2') AND (version = 2)

Expected behaviour

All users stay logged in when one user changes his password.

Actual behaviour

When one user changes his password, all other users lose their sessions and are logged out.

Server configuration detail

Operating system: Linux 4.15.0-47-generic #50-Ubuntu SMP Wed Mar 13 10:44:52 UTC 2019 x86_64

Webserver: Apache/2.4.29 (Ubuntu) (apache2handler)

Database: mysql 10.3.18

PHP version:

7.2.19-0ubuntu0.18.04.2
Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, sodium, session, standard, apache2handler, mysqlnd, PDO, xml, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, iconv, json, exif, mysqli, pdo_mysql, Phar, posix, readline, shmop, SimpleXML, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, wddx, xmlreader, xmlwriter, xsl, zip, Zend OPcache

Nextcloud version: 16.0.4 - 16.0.4.1

Updated from an older Nextcloud/ownCloud or fresh install: fresh install

Where did you install Nextcloud from: nextcloud

Signing status

Array
(
)

List of activated apps
Enabled:
 - accessibility: 1.2.0
 - activity: 2.9.1
 - bruteforcesettings: 1.4.0
 - cloud_federation_api: 0.2.0
 - comments: 1.6.0
 - dav: 1.9.2
 - federatedfilesharing: 1.6.0
 - federation: 1.6.0
 - files: 1.11.0
 - files_pdfviewer: 1.5.0
 - files_rightclick: 0.13.0
 - files_sharing: 1.8.0
 - files_texteditor: 2.8.0
 - files_trashbin: 1.6.0
 - files_versions: 1.9.0
 - files_videoplayer: 1.5.0
 - firstrunwizard: 2.5.0
 - gallery: 18.3.0
 - issuetemplate: 0.5.0
 - logreader: 2.1.0
 - lookup_server_connector: 1.4.0
 - nextcloud_announcements: 1.5.0
 - oauth2: 1.4.2
 - password_policy: 1.6.0
 - privacy: 1.0.0
 - provisioning_api: 1.6.0
 - recommendations: 0.4.0
 - serverinfo: 1.6.0
 - sharebymail: 1.6.0
 - support: 1.0.0
 - survey_client: 1.4.0
 - systemtags: 1.6.0
 - theming: 1.7.0
 - twofactor_backupcodes: 1.5.0
 - updatenotification: 1.6.0
 - viewer: 1.1.0
 - workflowengine: 1.6.0
Disabled:
 - admin_audit
 - encryption
 - files_external
 - notifications
 - user_ldap

Configuration (config/config.php)
{
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "10.0.59.241"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "version": "16.0.4.1",
    "overwrite.cli.url": "http:\/\/10.0.59.241\/nextcloud",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true
}

Are you using external storage, if yes which one: No

Are you using encryption:

Are you using an external user-backend, if yes which one: No

Client configuration

Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:70.0) Gecko/20100101 Firefox/70.0

Operating system: macOS 10.14.6
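
The statement quoted in the report has no per-user condition, which the following added example (not part of the original report and not Nextcloud code) shows by running it against a constructed table in SQLite. The `uid` column, the meaning given to `type` 0 and 1, the sample rows and the `SCOPED` variant are assumptions made for illustration.

```python
import sqlite3

# The statement quoted in the report, unchanged.
REPORTED = ("DELETE FROM oc_authtoken "
            "WHERE (type = '0') AND (id <> '2') AND (version = 2)")

# Hypothetical variant that also limits the delete to one user
# (assumes the table carries a uid column).
SCOPED = ("DELETE FROM oc_authtoken "
          "WHERE (uid = ?) AND (type = '0') AND (id <> ?) AND (version = 2)")

# Constructed rows: (id, uid, type, version).
# type 0 is taken to be a browser session token, type 1 anything else.
ROWS = [
    (1, "userA", 0, 2),  # user A, an older session
    (2, "userA", 0, 2),  # user A, the session that changes the password
    (3, "userB", 0, 2),  # user B, unrelated session
    (4, "userC", 0, 2),  # user C, unrelated session
    (5, "userB", 1, 2),  # user B, non-session token
]


def surviving(statement, params=()):
    """Run one DELETE on a fresh copy of the table; return the rows left."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE oc_authtoken ("
               "id INTEGER PRIMARY KEY, uid TEXT, type INTEGER, version INTEGER)")
    db.executemany("INSERT INTO oc_authtoken VALUES (?, ?, ?, ?)", ROWS)
    db.execute(statement, params)
    rows = db.execute("SELECT id, uid FROM oc_authtoken ORDER BY id").fetchall()
    db.close()
    return rows


def users_with_session(rows):
    """Users that still hold at least one type-0 token after the delete."""
    session_ids = {r[0] for r in ROWS if r[2] == 0}
    return sorted({uid for token_id, uid in rows if token_id in session_ids})


if __name__ == "__main__":
    print("reported:", users_with_session(surviving(REPORTED)))
    print("scoped:  ", users_with_session(surviving(SCOPED, ("userA", 2))))
```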

Labels: 1. to develop (Accepted and waiting to be taken care of), bug
