session does not expire

[chaos-prevails]

Steps to reproduce

1. install and configure NC11.0.1.2 (latest). To test this, I started afresh without any addons or other configuration
2. add
   'remember_login_cookie_lifetime' => 0,
   'session_lifetime' => 60,
   'session_keepalive' => false,
   to config.php
3. login, browse a bit, switch to another tab to prevent mouse movements trigger any JS action in the NC tab, wait for longer than 60 seconds (60 seconds is only there for testing, 600 seconds is the desired session lifetime)

Expected behaviour

the user should have been logged out (e.g. refresh redirects to login page).

Actual behaviour

user is not logged out. User can continue viewing, moving and deleting files.

However, sometimes I'm logged out! First I thought it worked when not staying in the "File-Explorer" (standard) view. But also in other views (e.g. admin), I'm not logged out. Neither with Firefox nor with Chromium.
The apache access logs shows activity sometimes when I wait that the session expires. But not always.

When setting the session lifetime to 10 seconds, I cannot log in (so it seems that some parts of session handling work?)

Server configuration

Operating system:
Ubuntu 16.04.1 LTS Server 64bit
Web server:
apache 2.4.18-2ubuntu3.1
Database:
mariadb 10.0.28-0ubuntu0.16.04.1
PHP version:
7.0.13-0ubuntu0.16.04.1

Nextcloud version: (see Nextcloud admin page)
11.0.1
Updated from an older Nextcloud/ownCloud or fresh install:
fresh
Where did you install Nextcloud from:
download nextcloud com
Signing status:
No errors have been found.
List of activated apps:
Enabled:

• activity: 2.4.1
• comments: 1.1.0
• dav: 1.1.1
• federatedfilesharing: 1.1.1
• federation: 1.1.1
• files: 1.6.1
• files_pdfviewer: 1.0.1
• files_sharing: 1.1.1
• files_texteditor: 2.2
• files_trashbin: 1.1.0
• files_versions: 1.4.0
• files_videoplayer: 1.0.0
• firstrunwizard: 2.0
• gallery: 16.0.0
• logreader: 2.0.0
• lookup_server_connector: 1.0.0
• nextcloud_announcements: 1.0
• notifications: 1.0.1
• password_policy: 1.1.0
• provisioning_api: 1.1.0
• serverinfo: 1.1.1
• sharebymail: 1.0.1
• survey_client: 0.1.5
• systemtags: 1.1.3
• theming: 1.1.1
• twofactor_backupcodes: 1.0.0
• updatenotification: 1.1.1
• workflowengine: 1.1.1
  Disabled:
• admin_audit
• encryption
• external
• files_accesscontrol
• files_automatedtagging
• files_external
• files_retention
• templateeditor
• user_external
• user_ldap
• user_saml

The content of config/config.php:
$CONFIG = array (
'instanceid' => 'X',
'passwordsalt' => 'XC',
'secret' => 'X',
'trusted_domains' =>
array (
0 => 'nc.tesla',
),
'datadirectory' => '/var/www/nextcloud/data',
'overwrite.cli.url' => 'https://nc.tesla',
'dbtype' => 'mysql',
'version' => '11.0.1.2',
'dbname' => 'nextcloud',
'dbhost' => 'localhost',
'dbport' => '',
'dbtableprefix' => 'oc_',
'dbuser' => 'nextcloud',
'dbpassword' => 'XX',
'logtimezone' => 'UTC',
'installed' => true,
'remember_login_cookie_lifetime' => 0,
'session_lifetime' => 60,
'session_keepalive' => false,
);

Are you using external storage, if yes which one: local/smb/sftp/...
no
Are you using encryption: yes/no
no
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
no

Client configuration

Browser:
Firefox 50.1.0
Chromium Version 53.0.2785.143 Built on Ubuntu , running on Ubuntu 14.04 (64-bit)
Operating system:
Ubuntu 14.04 64bit

Logs

Web server error log

:12:52:05 +0100] "PROPFIND /remote.php/webdav HTTP/1.1" 207 1611 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"
10.11.1.30 - - [16/Jan/2017:12:52:05 +0100] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 2118 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"
10.11.1.30 - - [16/Jan/2017:12:52:05 +0100] "GET /index.php/settings/ajax/checksetup HTTP/1.1" 200 1607 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"
10.11.1.30 - - [16/Jan/2017:12:52:18 +0100] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 2118 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36"
10.11.1.30 - - [16/Jan/2017:12:52:48 +0100] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 2118 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36"
10.11.1.30 - - [16/Jan/2017:12:53:18 +0100] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 2118 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36"
10.11.1.30 - - [16/Jan/2017:12:53:48 +0100] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 2118 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36"
10.11.1.30 - - [16/Jan/2017:12:53:48 +0100] "GET /index.php/apps/files/ajax/getstoragestats.php?dir=%2F HTTP/1.1" 200 1155 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36"
10.11.1.30 - - [16/Jan/2017:12:54:18 +0100] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 2118 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36"
10.11.1.30 - - [16/Jan/2017:12:54:48 +0100] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 2118 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36"
10.11.1.30 - - [16/Jan/2017:12:55:19 +0100] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 2118 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36"
10.11.1.30 - - [16/Jan/2017:12:55:49 +0100] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 2118 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36"
10.11.1.30 - - [16/Jan/2017:12:56:19 +0100] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 2118 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36"
10.11.1.30 - - [16/Jan/2017:12:56:49 +0100] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 5072 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36"
10.11.1.30 - - [16/Jan/2017:12:57:19 +0100] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 2118 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36"
10.11.1.30 - - [16/Jan/2017:12:57:49 +0100] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 2118 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36"
10.11.1.30 - - [16/Jan/2017:12:58:19 +0100] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 2118 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36"
10.11.1.30 - - [16/Jan/2017:12:58:49 +0100] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 2118 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36"
10.11.1.30 - - [16/Jan/2017:12:59:19 +0100] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 2118 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36"
10.11.1.30 - - [16/Jan/2017:12:59:49 +0100] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 2118 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36"
10.11.1.30 - - [16/Jan/2017:13:00:19 +0100] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 2118 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36"
10.11.1.30 - - [16/Jan/2017:13:00:49 +0100] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 2118 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36"
10.11.1.30 - - [16/Jan/2017:13:01:19 +0100] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 2118 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36"
10.11.1.30 - - [16/Jan/2017:13:01:49 +0100] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 2118 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36"
10.11.1.30 - - [16/Jan/2017:13:02:14 +0100] "GET /index.php/apps/systemtags/lastused HTTP/1.1" 200 4044 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36"
10.11.1.30 - - [16/Jan/2017:13:02:14 +0100] "GET /index.php/apps/files/api/v1/recent HTTP/1.1" 200 2351 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36"
10.11.1.30 - - [16/Jan/2017:13:02:14 +0100] "GET /index.php/apps/theming/img/core/fi

Nextcloud log (data/nextcloud.log)

empty

Browser log

[ChristophWurst]

AFAIK we do not expire the session as long as there is an active browser session. If you close the tab it should expire though.
From the logs it looks like polling for notifications keeps the session alive.

[chaos-prevails]

I thought about the notification keep-alive too.

If an active browser session (unfocused browser tab/window) is not expired, what is the difference between session_lifetime and remember_login_cookie_lifetime (if the login checkbox to stay logged in is unchecked).

And is the parameter session_keepalive still used?

[ChristophWurst]

And is the parameter session_keepalive still used?

Looks like it is: https://github.com/nextcloud/server/search?utf8=%E2%9C%93&q=session_keepalive

Could you please check whether any requests are sent to the server while that tab is opened in the background? E.g. clear the network log, switch tabs and come back after x minutes.

[GitHubUser4234]

I have the same problem. And it is really critical for us as we need on the one hand sessions to expire after the configured timeout and on the other hand notifications enabled.

@ChristophWurst : I have verified that requests are still sent to the server when the tab is in the background. However one cannot rely on the browser's network log as e.g. Firebug doesn't show anything here when the tab was in the background. However setting up a NC testing server for this purpose and monitoring the server log confirms this.

When setting the session timeout to 20 seconds, the session expires correctly as notifications are sent every 30 seconds. Timeout values greater than 30 will therefore obviously not work.

It would be great if there was a workaround for this issue, thanks!

[GitHubUser4234]

A discussion with @nickvergessen in IRC can be summarized like this:

• For the Notification app, there is currently only one quick workaround: increase the polling interval of at https://github.com/nextcloud/notifications/blob/master/js/app.js#L20
  Obviously this kills the notification feature quite a bit and is probably not acceptable in all use cases.

• The files app polls the server every 5 mins to retrieve storage statistics, to increase this value is probably not acceptable in all use cases

• The video calls app also uses the polling approach to check whether someone is calling. Increasing the polling interval here would be unacceptable

• Session timeout is a very common feature that should be supported even with polling apps enabled

So an approach would be needed for the framework to distinguish between user input and app polling. Something that can for example be found in online banking where a real time stock portfolio is refreshed automatically and session timeout still works.

One approach I could think of is that all user clicks call a global ajax function (jQuery?) which updates a "last click timestamp" in a designated database table. App polling however doesn't call the function. So session timeouts can be calculated based on the "last click timestamp". But maybe there are better ideas, any comments are welcome :)

[alexisrosano89]

I'm a looking for a workarround to this too.

Timeout values greater than 30 not working!

[Githopp192]

Now .. i'm on NC Release 12.0.6, we have got the exact same behave.
No session timout with Timeout values greater than 29 secs (30 secs will not work, too).
I think NC .. to be seen as Enterprise Product .. this is a Security Feature and should be fixed.

Thanks all for your great support