Access forbidden: CSRF check failed on logout

[alvvdc]

Steps to reproduce

1. Install Lighttpd and PHP.
2. Download Nextcloud server ZIP.
3. Log in Nextcloud, and when you log out, in the most cases you get the next error:

Access forbidden
CSRF check failed

Expected behaviour

Log out succesfully.

Actual behaviour

When I try logout, I get the telled error. Then, if I refresh the website the session is still active.

In Network Firefox explorer (from F12) the logout request get a 412 status code:

This error is with Lighttpd web service, with Nginx works fine.

Server configuration

Operating system:
Debian / Raspbian
Web server:
Lighttpd
Database:
MariaDB
PHP version:
PHP 7.3
Nextcloud version: (see Nextcloud admin page)
16.0.4
Updated from an older Nextcloud/ownCloud or fresh install:
Fresh install
Where did you install Nextcloud from:
https://download.nextcloud.com/server/releases/nextcloud-16.0.4.zip

[kesselb]

Anything in the logs?

[alvvdc]

Anything in the logs?

Nothing in Nextcloud logs with debug 0 level.
Nothing in PHP logs.
In Lighttpd:

192.168.1.8 192.168.1.29 - [09/Sep/2019:15:08:08 +0100] "GET /nextcloud/index.php/logout?requesttoken=FfsiGZcBHPF%2BqSnsIhrlZNOXbAr%2F682WV718xe7WqfI%3D%3AfI1VL8ZUKLY4hlqKbG2OIpWlLlO6qJuiP9kT9qfn7MY%3D HTTP/1.1" 412 11746 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"

[UweDoe]

Hi, I have the same problem running nextcloud on a rasberry PI3 using DietPi/Nextcloud/Lighttpd and reproduced as well running this system in a VM using virtual box.
Setting the logging of nextcloud to debug I get:

[core] Debug: OC\AppFramework\Middleware\Security\Exceptions\CrossSiteRequestForgeryException: CSRF check failed at <>

0. /var/www/nextcloud/lib/private/AppFramework/Middleware/MiddlewareDispatcher.php line 95
   OC\AppFramework\Middleware\Security\SecurityMiddleware->beforeController(OC\Core\Controller\LoginController {}, "logout")
1. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 97
   OC\AppFramework\Middleware\MiddlewareDispatcher->beforeController(OC\Core\Controller\LoginController {}, "logout")
2. /var/www/nextcloud/lib/private/AppFramework/App.php line 126
   OC\AppFramework\Http\Dispatcher->dispatch(OC\Core\Controller\LoginController {}, "logout")
3. /var/www/nextcloud/lib/private/AppFramework/Routing/RouteActionHandler.php line 47
   OC\AppFramework\App::main("OC\Core\Controller\LoginController", "logout", OC\AppFramework\ ... {}, {_route: "core.login.logout"})
4. <>
   OC\AppFramework\Routing\RouteActionHandler->__invoke({_route: "core.login.logout"})
5. /var/www/nextcloud/lib/private/Route/Router.php line 297
   undefinedundefinedcall_user_func(OC\AppFramework\ ... {}, {_route: "core.login.logout"})
6. /var/www/nextcloud/lib/base.php line 975
   OC\Route\Router->match("/logout")
7. /var/www/nextcloud/index.php line 42
   OC::handleRequest()

GET /nextcloud/index.php/logout?requesttoken=DTGY0BwWUvscxsw7frSaWhfTaRezU1t9SeeJGGXoF%2BQ%3D%3AfXqpk1NEZqNyrr9YDPL5KFWQEFLhZTIuI9%2FmQRCQZIE%3D
from 192.168.16.37 by admin at 2019-09-23T14:33:41+00:00

Nextcloud
Version: 16.0.4.1
Installierte Apps: 36
Apps mit verfügbaren Aktualisierungen: 1

PHP
Version: 7.3.9
Arbeitspeicher-Grenzwert: 128 MB
Maximale Ausführungszeit: 3600
Maximale Größe zum Hochladen: 8388608 TB

Datenbank
Art: mysql
Version: 10.3.17
Größe: 1,3 MB

[UweDoe]

The bug is easy to reproduce. Tell me, if more traces are needed. I can deliver them quickly. As it is now, the combination Nextcloud/Lighttpd can't be used productively.
If you want to reproduce it by yourself do the following steps:

1. Install virtual box https://www.virtualbox.org/
2. Download DietPi for Virtual Box and install it https://dietpi.com/
3. start dietpi-software and install nextcloud
4. start browser on host system and login to nextcloud page of guest system
5. logout nextcloud in browser
   The fault shows up extremly often. Typically you need 5 faulty logout trys until you have a successful one.

[kesselb]

1. Install virtual box https://www.virtualbox.org/

2. Download DietPi for Virtual Box and install it https://dietpi.com/

3. start dietpi-software and install nextcloud

4. start browser on host system and login to nextcloud page of guest system

5. logout nextcloud in browser
   The fault shows up extremly often. Typically you need 5 faulty logout trys until you have a successful one.

Logout works in Chromium and Firefox.

[kesselb]

cc @MichaIng any idea?

[kesselb]

OK. I can reproduce it somehow. Like you said login, upload some files, delete some files or do something else and try to logout afterwards.

        public function isTokenValid(CsrfToken $token): bool {
                if(!$this->sessionStorage->hasToken()) {
                        return false;
                }

                $isEqual = hash_equals($this->sessionStorage->getToken(), $token->getDecryptedValue());
                if (!$isEqual) {
                        \OC::$server->getLogger()->warning('going to validate csrf token "' . $this->sessionStorage->getToken() . '" with "' . $token->getDecryptedValue() . '"');
                }

                return $isEqual;
        }

Added some logging to isTokenValid and ...

cc @rullzer @ChristophWurst 😕

[ChristophWurst]

Could you add some logging to \OC\Security\CSRF\CsrfToken::getDecryptedValue so we see the values of the individual parts?

[MichaIng]

I was able to replicate as well on fresh NC17 installed on DietPi Buster VirtualBox image.
@kesselb you tested on DietPi as well or another system? Just in case our default Lighttpd config on Debian Buster based images:

lighttpd -pf /etc/lighttpd/lighttpd.conf

config {
    var.PID                        = 18245
    var.CWD                        = "/root"
    mimetype.assign                = (
        ".pcf.Z"       => "application/x-font-pcf",
        ".tar.bz2"     => "application/x-gtar-compressed",
        ".tar.gz"      => "application/x-gtar-compressed",
        ".ez"          => "application/andrew-inset",
        ".anx"         => "application/annodex",
        # 5
        ".atom"        => "application/atom+xml",
        ".atomcat"     => "application/atomcat+xml",
        ".atomsrv"     => "application/atomserv+xml",
        ".lin"         => "application/bbolin",
        ".cu"          => "application/cu-seeme",
        # 10
        ".davmount"    => "application/davmount+xml",
        ".dcm"         => "application/dicom",
        ".tsp"         => "application/dsptype",
        ".es"          => "application/ecmascript",
        ".epub"        => "application/epub+zip",
        # 15
        ".pfr"         => "application/font-tdpfr",
        ".spl"         => "application/futuresplash",
        ".gz"          => "application/gzip",
        ".hta"         => "application/hta",
        ".jar"         => "application/java-archive",
        # 20
        ".ser"         => "application/java-serialized-object",
        ".class"       => "application/java-vm",
        ".js"          => "application/javascript",
        ".json"        => "application/json",
        ".m3g"         => "application/m3g",
        # 25
        ".hqx"         => "application/mac-binhex40",
        ".cpt"         => "application/mac-compactpro",
        ".nb"          => "application/mathematica",
        ".nbp"         => "application/mathematica",
        ".mbox"        => "application/mbox",
        # 30
        ".mdb"         => "application/msaccess",
        ".doc"         => "application/msword",
        ".dot"         => "application/msword",
        ".mxf"         => "application/mxf",
        ".asn"         => "application/octet-stream",
        # 35
        ".bin"         => "application/octet-stream",
        ".deploy"      => "application/octet-stream",
        ".ent"         => "application/octet-stream",
        ".msp"         => "application/octet-stream",
        ".msu"         => "application/octet-stream",
        # 40
        ".oda"         => "application/oda",
        ".opf"         => "application/oebps-package+xml",
        ".ogx"         => "application/ogg",
        ".one"         => "application/onenote",
        ".onepkg"      => "application/onenote",
        # 45
        ".onetmp"      => "application/onenote",
        ".onetoc2"     => "application/onenote",
        ".pdf"         => "application/pdf",
        ".pgp"         => "application/pgp-encrypted",
        ".key"         => "application/pgp-keys",
        # 50
        ".sig"         => "application/pgp-signature",
        ".prf"         => "application/pics-rules",
        ".ai"          => "application/postscript",
        ".eps"         => "application/postscript",
        ".eps2"        => "application/postscript",
        # 55
        ".eps3"        => "application/postscript",
        ".epsf"        => "application/postscript",
        ".epsi"        => "application/postscript",
        ".ps"          => "application/postscript",
        ".rar"         => "application/rar",
        # 60
        ".rdf"         => "application/rdf+xml",
        ".rtf"         => "application/rtf",
        ".stl"         => "application/sla",
        ".smi"         => "application/smil+xml",
        ".smil"        => "application/smil+xml",
        # 65
        ".wasm"        => "application/wasm",
        ".xht"         => "application/xhtml+xml",
        ".xhtml"       => "application/xhtml+xml",
        ".xml"         => "application/xml",
        ".xsd"         => "application/xml",
        # 70
        ".dtd"         => "application/xml-dtd",
        ".xsl"         => "application/xslt+xml",
        ".xslt"        => "application/xslt+xml",
        ".xspf"        => "application/xspf+xml",
        ".zip"         => "application/zip",
        # 75
        ".apk"         => "application/vnd.android.package-archive",
        ".cdy"         => "application/vnd.cinderella",
        ".ddeb"        => "application/vnd.debian.binary-package",
        ".deb"         => "application/vnd.debian.binary-package",
        ".udeb"        => "application/vnd.debian.binary-package",
        # 80
        ".sfd"         => "application/vnd.font-fontforge-sfd",
        ".kml"         => "application/vnd.google-earth.kml+xml",
        ".kmz"         => "application/vnd.google-earth.kmz",
        ".xul"         => "application/vnd.mozilla.xul+xml",
        ".xlb"         => "application/vnd.ms-excel",
        # 85
        ".xls"         => "application/vnd.ms-excel",
        ".xlt"         => "application/vnd.ms-excel",
        ".xlam"        => "application/vnd.ms-excel.addin.macroEnabled.12",
        ".xlsb"        => "application/vnd.ms-excel.sheet.binary.macroEnabled.12",
        ".xlsm"        => "application/vnd.ms-excel.sheet.macroEnabled.12",
        # 90
        ".xltm"        => "application/vnd.ms-excel.template.macroEnabled.12",
        ".eot"         => "application/vnd.ms-fontobject",
        ".thmx"        => "application/vnd.ms-officetheme",
        ".cat"         => "application/vnd.ms-pki.seccat",
        ".pps"         => "application/vnd.ms-powerpoint",
        # 95
        ".ppt"         => "application/vnd.ms-powerpoint",
        ".ppam"        => "application/vnd.ms-powerpoint.addin.macroEnabled.12",
        ".pptm"        => "application/vnd.ms-powerpoint.presentation.macroEnabled.12",
        ".sldm"        => "application/vnd.ms-powerpoint.slide.macroEnabled.12",
        ".ppsm"        => "application/vnd.ms-powerpoint.slideshow.macroEnabled.12",
        # 100
        ".potm"        => "application/vnd.ms-powerpoint.template.macroEnabled.12",
        ".docm"        => "application/vnd.ms-word.document.macroEnabled.12",
        ".dotm"        => "application/vnd.ms-word.template.macroEnabled.12",
        ".odc"         => "application/vnd.oasis.opendocument.chart",
        ".odb"         => "application/vnd.oasis.opendocument.database",
        # 105
        ".odf"         => "application/vnd.oasis.opendocument.formula",
        ".odg"         => "application/vnd.oasis.opendocument.graphics",
        ".otg"         => "application/vnd.oasis.opendocument.graphics-template",
        ".odi"         => "application/vnd.oasis.opendocument.image",
        ".odp"         => "application/vnd.oasis.opendocument.presentation",
        # 110
        ".otp"         => "application/vnd.oasis.opendocument.presentation-template",
        ".ods"         => "application/vnd.oasis.opendocument.spreadsheet",
        ".ots"         => "application/vnd.oasis.opendocument.spreadsheet-template",
        ".odt"         => "application/vnd.oasis.opendocument.text",
        ".odm"         => "application/vnd.oasis.opendocument.text-master",
        # 115
        ".ott"         => "application/vnd.oasis.opendocument.text-template",
        ".oth"         => "application/vnd.oasis.opendocument.text-web",
        ".pptx"        => "application/vnd.openxmlformats-officedocument.presentationml.presentation",
        ".sldx"        => "application/vnd.openxmlformats-officedocument.presentationml.slide",
        ".ppsx"        => "application/vnd.openxmlformats-officedocument.presentationml.slideshow",
        # 120
        ".potx"        => "application/vnd.openxmlformats-officedocument.presentationml.template",
        ".xlsx"        => "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
        ".xltx"        => "application/vnd.openxmlformats-officedocument.spreadsheetml.template",
        ".docx"        => "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
        ".dotx"        => "application/vnd.openxmlformats-officedocument.wordprocessingml.template",
        # 125
        ".cod"         => "application/vnd.rim.cod",
        ".mmf"         => "application/vnd.smaf",
        ".sdc"         => "application/vnd.stardivision.calc",
        ".sds"         => "application/vnd.stardivision.chart",
        ".sda"         => "application/vnd.stardivision.draw",
        # 130
        ".sdd"         => "application/vnd.stardivision.impress",
        ".sdf"         => "application/vnd.stardivision.math",
        ".sdw"         => "application/vnd.stardivision.writer",
        ".sgl"         => "application/vnd.stardivision.writer-global",
        ".sxc"         => "application/vnd.sun.xml.calc",
        # 135
        ".stc"         => "application/vnd.sun.xml.calc.template",
        ".sxd"         => "application/vnd.sun.xml.draw",
        ".std"         => "application/vnd.sun.xml.draw.template",
        ".sxi"         => "application/vnd.sun.xml.impress",
        ".sti"         => "application/vnd.sun.xml.impress.template",
        # 140
        ".sxm"         => "application/vnd.sun.xml.math",
        ".sxw"         => "application/vnd.sun.xml.writer",
        ".sxg"         => "application/vnd.sun.xml.writer.global",
        ".stw"         => "application/vnd.sun.xml.writer.template",
        ".sis"         => "application/vnd.symbian.install",
        # 145
        ".cap"         => "application/vnd.tcpdump.pcap",
        ".pcap"        => "application/vnd.tcpdump.pcap",
        ".vsd"         => "application/vnd.visio",
        ".vss"         => "application/vnd.visio",
        ".vst"         => "application/vnd.visio",
        # 150
        ".vsw"         => "application/vnd.visio",
        ".wbxml"       => "application/vnd.wap.wbxml",
        ".wmlc"        => "application/vnd.wap.wmlc",
        ".wmlsc"       => "application/vnd.wap.wmlscriptc",
        ".wpd"         => "application/vnd.wordperfect",
        # 155
        ".wp5"         => "application/vnd.wordperfect5.1",
        ".wk"          => "application/x-123",
        ".7z"          => "application/x-7z-compressed",
        ".abw"         => "application/x-abiword",
        ".dmg"         => "application/x-apple-diskimage",
        # 160
        ".bcpio"       => "application/x-bcpio",
        ".torrent"     => "application/x-bittorrent",
        ".bz2"         => "application/x-bzip",
        ".cab"         => "application/x-cab",
        ".cbr"         => "application/x-cbr",
        # 165
        ".cbz"         => "application/x-cbz",
        ".cda"         => "application/x-cdf",
        ".cdf"         => "application/x-cdf",
        ".vcd"         => "application/x-cdlink",
        ".pgn"         => "application/x-chess-pgn",
        # 170
        ".mph"         => "application/x-comsol",
        ".cpio"        => "application/x-cpio",
        ".dcr"         => "application/x-director",
        ".dir"         => "application/x-director",
        ".dxr"         => "application/x-director",
        # 175
        ".dms"         => "application/x-dms",
        ".wad"         => "application/x-doom",
        ".dvi"         => "application/x-dvi",
        ".gsf"         => "application/x-font",
        ".pfa"         => "application/x-font",
        # 180
        ".pfb"         => "application/x-font",
        ".pcf"         => "application/x-font-pcf",
        ".mm"          => "application/x-freemind",
        ".gan"         => "application/x-ganttproject",
        ".gnumeric"    => "application/x-gnumeric",
        # 185
        ".sgf"         => "application/x-go-sgf",
        ".gcf"         => "application/x-graphing-calculator",
        ".gtar"        => "application/x-gtar",
        ".taz"         => "application/x-gtar-compressed",
        ".tbz"         => "application/x-gtar-compressed",
        # 190
        ".tgz"         => "application/x-gtar-compressed",
        ".hdf"         => "application/x-hdf",
        ".hwp"         => "application/x-hwp",
        ".ica"         => "application/x-ica",
        ".info"        => "application/x-info",
        # 195
        ".ins"         => "application/x-internet-signup",
        ".isp"         => "application/x-internet-signup",
        ".iii"         => "application/x-iphone",
        ".iso"         => "application/x-iso9660-image",
        ".jam"         => "application/x-jam",
        # 200
        ".jnlp"        => "application/x-java-jnlp-file",
        ".jmz"         => "application/x-jmol",
        ".chrt"        => "application/x-kchart",
        ".kil"         => "application/x-killustrator",
        ".skd"         => "application/x-koan",
        # 205
        ".skm"         => "application/x-koan",
        ".skp"         => "application/x-koan",
        ".skt"         => "application/x-koan",
        ".kpr"         => "application/x-kpresenter",
        ".kpt"         => "application/x-kpresenter",
        # 210
        ".ksp"         => "application/x-kspread",
        ".kwd"         => "application/x-kword",
        ".kwt"         => "application/x-kword",
        ".latex"       => "application/x-latex",
        ".lha"         => "application/x-lha",
        # 215
        ".lyx"         => "application/x-lyx",
        ".lzh"         => "application/x-lzh",
        ".lzx"         => "application/x-lzx",
        ".book"        => "application/x-maker",
        ".fb"          => "application/x-maker",
        # 220
        ".fbdoc"       => "application/x-maker",
        ".fm"          => "application/x-maker",
        ".frame"       => "application/x-maker",
        ".frm"         => "application/x-maker",
        ".maker"       => "application/x-maker",
        # 225
        ".mif"         => "application/x-mif",
        ".m3u8"        => "application/x-mpegURL",
        ".application" => "application/x-ms-application",
        ".manifest"    => "application/x-ms-manifest",
        ".wmd"         => "application/x-ms-wmd",
        # 230
        ".wmz"         => "application/x-ms-wmz",
        ".bat"         => "application/x-msdos-program",
        ".com"         => "application/x-msdos-program",
        ".dll"         => "application/x-msdos-program",
        ".exe"         => "application/x-msdos-program",
        # 235
        ".msi"         => "application/x-msi",
        ".nc"          => "application/x-netcdf",
        ".pac"         => "application/x-ns-proxy-autoconfig",
        ".nwc"         => "application/x-nwc",
        ".o"           => "application/x-object",
        # 240
        ".oza"         => "application/x-oz-application",
        ".p7r"         => "application/x-pkcs7-certreqresp",
        ".crl"         => "application/x-pkcs7-crl",
        ".pyc"         => "application/x-python-code",
        ".pyo"         => "application/x-python-code",
        # 245
        ".qgs"         => "application/x-qgis",
        ".shp"         => "application/x-qgis",
        ".shx"         => "application/x-qgis",
        ".qtl"         => "application/x-quicktimeplayer",
        ".rdp"         => "application/x-rdp",
        # 250
        ".rpm"         => "application/x-redhat-package-manager",
        ".rss"         => "application/x-rss+xml",
        ".rb"          => "application/x-ruby",
        ".sce"         => "application/x-scilab",
        ".sci"         => "application/x-scilab",
        # 255
        ".xcos"        => "application/x-scilab-xcos",
        ".shar"        => "application/x-shar",
        ".swf"         => "application/x-shockwave-flash",
        ".swfl"        => "application/x-shockwave-flash",
        ".scr"         => "application/x-silverlight",
        # 260
        ".sql"         => "application/x-sql",
        ".sit"         => "application/x-stuffit",
        ".sitx"        => "application/x-stuffit",
        ".sv4cpio"     => "application/x-sv4cpio",
        ".sv4crc"      => "application/x-sv4crc",
        # 265
        ".tar"         => "application/x-tar",
        ".gf"          => "application/x-tex-gf",
        ".pk"          => "application/x-tex-pk",
        ".texi"        => "application/x-texinfo",
        ".texinfo"     => "application/x-texinfo",
        # 270
        ".roff"        => "application/x-troff",
        ".t"           => "application/x-troff",
        ".tr"          => "application/x-troff",
        ".man"         => "application/x-troff-man",
        ".me"          => "application/x-troff-me",
        # 275
        ".ms"          => "application/x-troff-ms",
        ".ustar"       => "application/x-ustar",
        ".src"         => "application/x-wais-source",
        ".wz"          => "application/x-wingz",
        ".crt"         => "application/x-x509-ca-cert",
        # 280
        ".xcf"         => "application/x-xcf",
        ".fig"         => "application/x-xfig",
        ".xpi"         => "application/x-xpinstall",
        ".xz"          => "application/x-xz",
        ".amr"         => "audio/amr",
        # 285
        ".awb"         => "audio/amr-wb",
        ".axa"         => "audio/annodex",
        ".au"          => "audio/basic",
        ".snd"         => "audio/basic",
        ".csd"         => "audio/csound",
        # 290
        ".orc"         => "audio/csound",
        ".sco"         => "audio/csound",
        ".flac"        => "audio/flac",
        ".kar"         => "audio/midi",
        ".mid"         => "audio/midi",
        # 295
        ".midi"        => "audio/midi",
        ".m4a"         => "audio/mpeg",
        ".mp2"         => "audio/mpeg",
        ".mp3"         => "audio/mpeg",
        ".mpega"       => "audio/mpeg",
        # 300
        ".mpga"        => "audio/mpeg",
        ".m3u"         => "audio/mpegurl",
        ".oga"         => "audio/ogg",
        ".ogg"         => "audio/ogg",
        ".opus"        => "audio/ogg",
        # 305
        ".spx"         => "audio/ogg",
        ".sid"         => "audio/prs.sid",
        ".aif"         => "audio/x-aiff",
        ".aifc"        => "audio/x-aiff",
        ".aiff"        => "audio/x-aiff",
        # 310
        ".gsm"         => "audio/x-gsm",
        ".wax"         => "audio/x-ms-wax",
        ".wma"         => "audio/x-ms-wma",
        ".ra"          => "audio/x-realaudio",
        ".ram"         => "audio/x-realaudio",
        # 315
        ".rm"          => "audio/x-realaudio",
        ".pls"         => "audio/x-scpls",
        ".sd2"         => "audio/x-sd2",
        ".wav"         => "audio/x-wav",
        ".alc"         => "chemical/x-alchemy",
        # 320
        ".cac"         => "chemical/x-cache",
        ".cache"       => "chemical/x-cache",
        ".csf"         => "chemical/x-cache-csf",
        ".cascii"      => "chemical/x-cactvs-binary",
        ".cbin"        => "chemical/x-cactvs-binary",
        # 325
        ".ctab"        => "chemical/x-cactvs-binary",
        ".cdx"         => "chemical/x-cdx",
        ".cer"         => "chemical/x-cerius",
        ".c3d"         => "chemical/x-chem3d",
        ".chm"         => "chemical/x-chemdraw",
        # 330
        ".cif"         => "chemical/x-cif",
        ".cmdf"        => "chemical/x-cmdf",
        ".cml"         => "chemical/x-cml",
        ".cpa"         => "chemical/x-compass",
        ".bsd"         => "chemical/x-crossfire",
        # 335
        ".csm"         => "chemical/x-csml",
        ".csml"        => "chemical/x-csml",
        ".ctx"         => "chemical/x-ctx",
        ".cef"         => "chemical/x-cxf",
        ".cxf"         => "chemical/x-cxf",
        # 340
        ".emb"         => "chemical/x-embl-dl-nucleotide",
        ".embl"        => "chemical/x-embl-dl-nucleotide",
        ".spc"         => "chemical/x-galactic-spc",
        ".gam"         => "chemical/x-gamess-input",
        ".gamin"       => "chemical/x-gamess-input",
        # 345
        ".inp"         => "chemical/x-gamess-input",
        ".fch"         => "chemical/x-gaussian-checkpoint",
        ".fchk"        => "chemical/x-gaussian-checkpoint",
        ".cub"         => "chemical/x-gaussian-cube",
        ".gau"         => "chemical/x-gaussian-input",
        # 350
        ".gjc"         => "chemical/x-gaussian-input",
        ".gjf"         => "chemical/x-gaussian-input",
        ".gal"         => "chemical/x-gaussian-log",
        ".gcg"         => "chemical/x-gcg8-sequence",
        ".gen"         => "chemical/x-genbank",
        # 355
        ".hin"         => "chemical/x-hin",
        ".ist"         => "chemical/x-isostar",
        ".istr"        => "chemical/x-isostar",
        ".dx"          => "chemical/x-jcamp-dx",
        ".jdx"         => "chemical/x-jcamp-dx",
        # 360
        ".kin"         => "chemical/x-kinemage",
        ".mcm"         => "chemical/x-macmolecule",
        ".mmd"         => "chemical/x-macromodel-input",
        ".mmod"        => "chemical/x-macromodel-input",
        ".mol"         => "chemical/x-mdl-molfile",
        # 365
        ".rd"          => "chemical/x-mdl-rdfile",
        ".rxn"         => "chemical/x-mdl-rxnfile",
        ".sd"          => "chemical/x-mdl-sdfile",
        ".tgf"         => "chemical/x-mdl-tgf",
        ".mcif"        => "chemical/x-mmcif",
        # 370
        ".mol2"        => "chemical/x-mol2",
        ".b"           => "chemical/x-molconn-Z",
        ".gpt"         => "chemical/x-mopac-graph",
        ".mop"         => "chemical/x-mopac-input",
        ".mopcrt"      => "chemical/x-mopac-input",
        # 375
        ".mpc"         => "chemical/x-mopac-input",
        ".zmt"         => "chemical/x-mopac-input",
        ".moo"         => "chemical/x-mopac-out",
        ".mvb"         => "chemical/x-mopac-vib",
        ".prt"         => "chemical/x-ncbi-asn1-ascii",
        # 380
        ".aso"         => "chemical/x-ncbi-asn1-binary",
        ".val"         => "chemical/x-ncbi-asn1-binary",
        ".pdb"         => "chemical/x-pdb",
        ".ros"         => "chemical/x-rosdal",
        ".sw"          => "chemical/x-swissprot",
        # 385
        ".vms"         => "chemical/x-vamas-iso14976",
        ".vmd"         => "chemical/x-vmd",
        ".xtel"        => "chemical/x-xtel",
        ".xyz"         => "chemical/x-xyz",
        ".ttc"         => "font/collection",
        # 390
        ".otf"         => "font/ttf",
        ".ttf"         => "font/ttf",
        ".woff"        => "font/woff",
        ".woff2"       => "font/woff2",
        ".gif"         => "image/gif",
        # 395
        ".ief"         => "image/ief",
        ".jp2"         => "image/jp2",
        ".jpg2"        => "image/jp2",
        ".jpe"         => "image/jpeg",
        ".jpeg"        => "image/jpeg",
        # 400
        ".jpg"         => "image/jpeg",
        ".jpm"         => "image/jpm",
        ".jpf"         => "image/jpx",
        ".jpx"         => "image/jpx",
        ".pcx"         => "image/pcx",
        # 405
        ".png"         => "image/png",
        ".svg"         => "image/svg+xml",
        ".svgz"        => "image/svg+xml",
        ".tif"         => "image/tiff",
        ".tiff"        => "image/tiff",
        # 410
        ".djv"         => "image/vnd.djvu",
        ".djvu"        => "image/vnd.djvu",
        ".ico"         => "image/vnd.microsoft.icon",
        ".wbmp"        => "image/vnd.wap.wbmp",
        ".cr2"         => "image/x-canon-cr2",
        # 415
        ".crw"         => "image/x-canon-crw",
        ".ras"         => "image/x-cmu-raster",
        ".cdr"         => "image/x-coreldraw",
        ".pat"         => "image/x-coreldrawpattern",
        ".cdt"         => "image/x-coreldrawtemplate",
        # 420
        ".erf"         => "image/x-epson-erf",
        ".art"         => "image/x-jg",
        ".jng"         => "image/x-jng",
        ".bmp"         => "image/x-ms-bmp",
        ".nef"         => "image/x-nikon-nef",
        # 425
        ".orf"         => "image/x-olympus-orf",
        ".psd"         => "image/x-photoshop",
        ".pnm"         => "image/x-portable-anymap",
        ".pbm"         => "image/x-portable-bitmap",
        ".pgm"         => "image/x-portable-graymap",
        # 430
        ".ppm"         => "image/x-portable-pixmap",
        ".rgb"         => "image/x-rgb",
        ".xbm"         => "image/x-xbitmap",
        ".xpm"         => "image/x-xpixmap",
        ".xwd"         => "image/x-xwindowdump",
        # 435
        ".eml"         => "message/rfc822",
        ".iges"        => "model/iges",
        ".igs"         => "model/iges",
        ".mesh"        => "model/mesh",
        ".msh"         => "model/mesh",
        # 440
        ".silo"        => "model/mesh",
        ".vrml"        => "model/vrml",
        ".wrl"         => "model/vrml",
        ".x3db"        => "model/x3d+binary",
        ".x3dv"        => "model/x3d+vrml",
        # 445
        ".x3d"         => "model/x3d+xml",
        ".appcache"    => "text/cache-manifest",
        ".ics"         => "text/calendar",
        ".icz"         => "text/calendar",
        ".css"         => "text/css; charset=utf-8",
        # 450
        ".csv"         => "text/csv; charset=utf-8",
        ".323"         => "text/h323",
        ".htm"         => "text/html",
        ".html"        => "text/html",
        ".shtml"       => "text/html",
        # 455
        ".uls"         => "text/iuls",
        ".markdown"    => "text/markdown; charset=utf-8",
        ".md"          => "text/markdown; charset=utf-8",
        ".mml"         => "text/mathml",
        ".asc"         => "text/plain; charset=utf-8",
        # 460
        ".brf"         => "text/plain; charset=utf-8",
        ".conf"        => "text/plain; charset=utf-8",
        ".log"         => "text/plain; charset=utf-8",
        ".pot"         => "text/plain; charset=utf-8",
        ".spec"        => "text/plain; charset=utf-8",
        # 465
        ".srt"         => "text/plain; charset=utf-8",
        ".text"        => "text/plain; charset=utf-8",
        ".txt"         => "text/plain; charset=utf-8",
        ".rtx"         => "text/richtext",
        ".sct"         => "text/scriptlet",
        # 470
        ".wsc"         => "text/scriptlet",
        ".tsv"         => "text/tab-separated-values",
        ".tm"          => "text/texmacs",
        ".ttl"         => "text/turtle",
        ".vcard"       => "text/vcard",
        # 475
        ".vcf"         => "text/vcard",
        ".jad"         => "text/vnd.sun.j2me.app-descriptor",
        ".wml"         => "text/vnd.wap.wml",
        ".wmls"        => "text/vnd.wap.wmlscript",
        ".bib"         => "text/x-bibtex; charset=utf-8",
        # 480
        ".boo"         => "text/x-boo; charset=utf-8",
        ".h++"         => "text/x-c++hdr; charset=utf-8",
        ".hh"          => "text/x-c++hdr; charset=utf-8",
        ".hpp"         => "text/x-c++hdr; charset=utf-8",
        ".hxx"         => "text/x-c++hdr; charset=utf-8",
        # 485
        ".c++"         => "text/x-c++src; charset=utf-8",
        ".cc"          => "text/x-c++src; charset=utf-8",
        ".cpp"         => "text/x-c++src; charset=utf-8",
        ".cxx"         => "text/x-c++src; charset=utf-8",
        ".h"           => "text/x-chdr; charset=utf-8",
        # 490
        ".htc"         => "text/x-component",
        ".csh"         => "text/x-csh; charset=utf-8",
        ".c"           => "text/x-csrc; charset=utf-8",
        ".diff"        => "text/x-diff; charset=utf-8",
        ".patch"       => "text/x-diff; charset=utf-8",
        # 495
        ".d"           => "text/x-dsrc; charset=utf-8",
        ".hs"          => "text/x-haskell; charset=utf-8",
        ".java"        => "text/x-java; charset=utf-8",
        ".ly"          => "text/x-lilypond; charset=utf-8",
        ".lhs"         => "text/x-literate-haskell; charset=utf-8",
        # 500
        ".moc"         => "text/x-moc; charset=utf-8",
        ".p"           => "text/x-pascal; charset=utf-8",
        ".pas"         => "text/x-pascal; charset=utf-8",
        ".gcd"         => "text/x-pcs-gcd",
        ".pl"          => "text/x-perl; charset=utf-8",
        # 505
        ".pm"          => "text/x-perl; charset=utf-8",
        ".py"          => "text/x-python; charset=utf-8",
        ".scala"       => "text/x-scala; charset=utf-8",
        ".etx"         => "text/x-setext",
        ".sfv"         => "text/x-sfv",
        # 510
        ".sh"          => "text/x-sh; charset=utf-8",
        ".tcl"         => "text/x-tcl; charset=utf-8",
        ".tk"          => "text/x-tcl; charset=utf-8",
        ".cls"         => "text/x-tex; charset=utf-8",
        ".ltx"         => "text/x-tex; charset=utf-8",
        # 515
        ".sty"         => "text/x-tex; charset=utf-8",
        ".tex"         => "text/x-tex; charset=utf-8",
        ".vcs"         => "text/x-vcalendar",
        ".3gp"         => "video/3gpp",
        ".ts"          => "video/MP2T",
        # 520
        ".axv"         => "video/annodex",
        ".dl"          => "video/dl",
        ".dif"         => "video/dv",
        ".dv"          => "video/dv",
        ".fli"         => "video/fli",
        # 525
        ".gl"          => "video/gl",
        ".mp4"         => "video/mp4",
        ".mpe"         => "video/mpeg",
        ".mpeg"        => "video/mpeg",
        ".mpg"         => "video/mpeg",
        # 530
        ".ogv"         => "video/ogg",
        ".mov"         => "video/quicktime",
        ".qt"          => "video/quicktime",
        ".webm"        => "video/webm",
        ".mxu"         => "video/vnd.mpegurl",
        # 535
        ".flv"         => "video/x-flv",
        ".lsf"         => "video/x-la-asf",
        ".lsx"         => "video/x-la-asf",
        ".mkv"         => "video/x-matroska",
        ".mpv"         => "video/x-matroska",
        # 540
        ".mng"         => "video/x-mng",
        ".asf"         => "video/x-ms-asf",
        ".asx"         => "video/x-ms-asf",
        ".wm"          => "video/x-ms-wm",
        ".wmv"         => "video/x-ms-wmv",
        # 545
        ".wmx"         => "video/x-ms-wmx",
        ".wvx"         => "video/x-ms-wvx",
        ".avi"         => "video/x-msvideo",
        ".movie"       => "video/x-sgi-movie",
        ".ice"         => "x-conference/x-cooltalk",
        # 550
        ".sisx"        => "x-epoc/x-sisx-app",
        ".vrm"         => "x-world/x-vrml",
        "README"       => "text/plain; charset=utf-8",
        "Makefile"     => "text/x-makefile; charset=utf-8",
        ""             => "application/octet-stream",
        # 555
    )
    server.document-root           = "/var/www"
    server.upload-dirs             = ("/var/cache/lighttpd/uploads")
    server.errorlog                = "/var/log/lighttpd/error.log"
    server.pid-file                = "/var/run/lighttpd.pid"
    server.username                = "www-data"
    server.groupname               = "www-data"
    server.port                    = 80
    server.http-parseopts          = (
        "header-strict"            => "enable",
        "host-strict"              => "enable",
        "host-normalize"           => "enable",
        "url-normalize-unreserved" => "enable",
        "url-normalize-required"   => "enable",
        # 5
        "url-ctrls-reject"         => "enable",
        "url-path-2f-decode"       => "enable",
        "url-path-dotseg-remove"   => "enable",
        # 8
    )
    index-file.names               = ("index.php", "index.html", "index.lighttpd.html")
    url.access-deny                = ("~", ".inc")
    static-file.exclude-extensions = (".php", ".pl", ".fcgi")
    compress.cache-dir             = "/var/cache/lighttpd/compress/"
    compress.filetype              = ("application/javascript", "text/css", "text/html", "text/plain")
    url.redirect                   = (
        "^/.well-known/caldav"  => "/nextcloud/remote.php/dav",
        "^/.well-known/carddav" => "/nextcloud/remote.php/dav",
        "^/ocm-provider"        => "/nextcloud/ocm-provider",
        "^/ocs-provider"        => "/nextcloud/ocs-provider",
        # 4
    )
    fastcgi.server                 = (
        ".php" => (
            (
                "socket"                => "/run/php/php7.3-fpm.sock",
                "broken-scriptfilename" => "enable",
                # 2
            ),
        ),
    )
    server.modules                 = (
        "mod_indexfile",
        "mod_setenv",
        "mod_access",
        "mod_alias",
        "mod_redirect",
        "mod_fastcgi",
        "mod_rewrite",
        "mod_compress",
        "mod_dirlisting",
        "mod_staticfile",
        # 10
    )


    $SERVER["socket"] == "[::]:80" {
        # block 1

    } # end of $SERVER["socket"] == "[::]:80"

    $HTTP["url"] =~ "^/nextcloud($|/)" {
        # block 2
        dir-listing.activate = "disable"


        $HTTP["url"] =~ "^/nextcloud/(build|tests|config|lib|3rdparty|templates|data)($|/)" {
            # block 3
            url.access-deny = ("")

        } # end of $HTTP["url"] =~ "^/nextcloud/(build|tests|config|lib|3rdparty|templates|data)($|/)"

        $HTTP["url"] =~ "^/nextcloud/(\.|autotest|occ|issue|indie|db_|console)" {
            # block 4
            url.access-deny = ("")

        } # end of $HTTP["url"] =~ "^/nextcloud/(\.|autotest|occ|issue|indie|db_|console)"

        $HTTP["url"] =~ "^/nextcloud/.+[^/]\.(css|js|woff2?|svg|gif|map)$" {
            # block 5
            setenv.add-response-header = (
                "Cache-Control"                     => "public, max-age=15778463",
                "Referrer-Policy"                   => "no-referrer",
                "X-Content-Type-Options"            => "nosniff",
                "X-Download-Options"                => "noopen",
                "X-Frame-Options"                   => "SAMEORIGIN",
                # 5
                "X-Permitted-Cross-Domain-Policies" => "none",
                "X-Robots-Tag"                      => "none",
                "X-XSS-Protection"                  => "1; mode=block",
                # 8
            )

        } # end of $HTTP["url"] =~ "^/nextcloud/.+[^/]\.(css|js|woff2?|svg|gif|map)$"
    } # end of $HTTP["url"] =~ "^/nextcloud($|/)"
}

Mostly Debian package defaults, the custom /nextcloud part is at the bottom.
PHP is as well default php7.3-fpm + APCu memory caching + Redis-based file locking. I can provide more details if required, just not sure what might play a role here 😉

[UweDoe]

I have modified the source to get some additional logging:
public function getDecryptedValue(): string {
$token = explode(':', $this->value);
if (\count($token) !== 2) {
return '';
}
$obfuscatedToken = $token[0];
$secret = $token[1];
\OC::$server->getLogger()->info('obfuscatedToken: '. $obfuscatedToken .', secret: '. $secret);
$tmpReturn = base64_decode($obfuscatedToken) ^ base64_decode($secret);
\OC::$server->getLogger()->info('getDecryptedValue: '. $tmpReturn );
return base64_decode($obfuscatedToken) ^ base64_decode($secret);
}
}

With this I did the ususal test:

1. login as admin
2. goto user / protocol and see the logging
3. logout

this time successfull

4. login as admin
5. goto user / protocol and see the logging
6. logout (unsuccessfull)
7. push browsers back button
8. logout (unsuccessfull)
   ...
   until successfull logout

Traces are attached. For details see the readme.
logs+traces.zip

[MichaIng]

Problem is not yet solved, additional logs and stack trace provided above. Issue, although Lighttpd not officially supported, is security-relevant, e.g. on public clients:

• User logs out, receives error but might not recheck/ignore
• Next user can access same Nextcloud session without login