Add uid to delete temp token query

[kesselb]

Fix #17166
Fix #17035

After a password change all temporary tokens (for every user) except the current token are deleted. Not sure why this popups now because the code is there for a long time 😕

[ChristophWurst]

Oh. Yeah. 🙈

[ChristophWurst]

Not sure why this popups now because the code is there for a long time confused

OTOH where do we even use temporary tokens except for the login flow? Browser sessions get a remembered token by default.

[rullzer]

/backport to stable17

[rullzer]

/backport to stable16

[rullzer]

/backport to stable15

[backportbot-nextcloud]

backport to stable17 in #17196

[backportbot-nextcloud]

backport to stable16 in #17197

[backportbot-nextcloud]

backport to stable15 in #17198

[kesselb]

Not sure why this popups now because the code is there for a long time confused

OTOH where do we even use temporary tokens except for the login flow? Browser sessions get a remembered token by default.

server/lib/private/User/Session.php

Line 682 in 0a874c5

$this->tokenProvider->generateToken($sessionId, $uid, $loginName, $pwd, $name, IToken::TEMPORARY_TOKEN, $remember);

I'm not sure. I guess from the above code that all session tokens are temporary. The createSessionToken method is always called with DO_NOT_REMEMBER which is the default. I really wonder why there are not more reports about that problem.

[jbrrrr]

Not sure why this popups now because the code is there for a long time confused

OTOH where do we even use temporary tokens except for the login flow? Browser sessions get a remembered token by default.

@ChristophWurst I am not sure, what you mean by that?! If temporary tokens only are used for the login flow, why are all the other users logged out?? Are there more bugs in the session handling? Test it for yourself on a fresh install without this patch!
This IS a really serious bug IMHO.

[jbrrrr]

@kesselb This problem is not easy to spot on small instances (how many password changes do occur per day?). On our big instance in a school environment the problem peaked with all the new user accounts and password changes with the beginning of a new school year... Our Nextcloud was almost unusable - but it took us weeks and months to isolate the cause.

[kesselb]

I think there's been a misunderstanding 😟

I'm sorry if you had the impression that someone criticized your report. @rullzer, @ChristophWurst and I agree that this is broken right now and needs to be fixed. That's the reason why this pull request is already merged and backported to nextcloud 17, 16 and 15.

We had two reports for this kind of issue in the last 48 hours. If something like this happens its good to check if there could be another reason (like another code change).

a school environment the problem peaked with all the new user accounts and password changes with the beginning of a new school year

Thanks for the additional context. I guess that's an issue for many instances but also hard to reproduce (drawing the line between someone changes his password and some people are logged out). That could explain why there are no more reports.

Are there more bugs in the session handling

Probably like in every software. There are tests to ensure that code changes does not break existing features but this cannot prevent new bugs.

[jbrrrr]

@kesselb No, no there is no misunderstanding - I did not feel criticized at all.
I only wanted to make sure, that this does not only affect the login process (I read your post, where you mentioned that yourself unfortunately only after my first post... sorry)
We are really grateful for your support and quick reaction!

[ChristophWurst]

Yep, I confused the temporary property with the remembered one. It's indeed a problem for all browser sessions. Fixes will be releases soon. In the meantime you can apply https://patch-diff.githubusercontent.com/raw/nextcloud/server/pull/17194.patch manually

[jbrrrr]

Yes - we applied the patch first thing yesterday morning 👍 - Thanks!