Logging out from Nextcloud deletes all cookies from sibling subdomains

[bszente]

Scenario

Nextcloud 13.0.1 installed on cloud.example.com subdomain with HTTPS
Roundcube 1.3.4 installed on mail.example.com subdomain with HTTPS

So both have their individual subdomain under our own domain (replaced with example.com here in bug report).

Steps to reproduce

1. Open Chromium/Chrome (tested with 63+)
2. Log in to Roundcube (or any web page that uses session cookies, e.g. Redmine)
3. In a new tab log in to Nextcloud
4. Log out from Nextcloud

Expected behaviour

Nextcloud will be logged out. Roundcube will still be logged in and usable.

Actual behaviour

Nextcloud will be logged out. Roundcube session will be expired and user logged out. This is the actual issue.

More info

1. It happens with Chrome/Chromium only, Firefox works as expected.
2. What happens exactly: logging out from Nextcloud deletes all cookies from sibling subdomains resulting in end of session for the other web applications.

Server configuration

Operating system: CentOS 7 (Virtualmin is used)

Web server: Stock Apache

Database: Stock MySQL

PHP version: Stock version

Nextcloud version: 13.0.1

Updated from an older Nextcloud/ownCloud or fresh install: updated from latest 12.0.x

Signing status:

Signing status

No errors have been found.

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: IMAP

Client configuration

Browser: Chromium 64, Chrome 65

Operating system: Linux, Windows

Logs

Browser log

Browser log when logging out (domain replaced with example.com)

cloud.example.com/:1 Clear-Site-Data header on 'https://cloud.example.com/logout?requesttoken=k9K/ULgi8Ht9z4vTCYyHLAFCRS3wWjWXSLvvkR0dipk%3D%3Aq6vSGtkQtDwUmv%2BjO%2BPFTVRydkqiIGDgZ%2B625CxFwq0%3D': The "cache" datatype is temporarily not supported.
cloud.example.com/:1 Clear-Site-Data header on 'https://cloud.example.com/logout?requesttoken=k9K/ULgi8Ht9z4vTCYyHLAFCRS3wWjWXSLvvkR0dipk%3D%3Aq6vSGtkQtDwUmv%2BjO%2BPFTVRydkqiIGDgZ%2B625CxFwq0%3D': Unrecognized type: "executionContexts".
cloud.example.com/:1 Clear-Site-Data header on 'https://cloud.example.com/logout?requesttoken=k9K/ULgi8Ht9z4vTCYyHLAFCRS3wWjWXSLvvkR0dipk%3D%3Aq6vSGtkQtDwUmv%2BjO%2BPFTVRydkqiIGDgZ%2B625CxFwq0%3D': Cleared data types: "cookies", "storage".
Navigated to https://cloud.example.com/login
core.js?v=cc8677c4-25:7 JQMIGRATE: Migrate is installed, version 1.4.0
DevTools failed to parse SourceMap: https://cloud.example.com/core/vendor/purify.min.js.map

[tflidd]

There has been a roundcube app for owncloud/Nextcloud, not sure if it still exists, but in case you have such a plugin which could make use of the webmail cookies, that would be important to know.

How do you know that it is not a browser bug?

[bszente]

No, there is no Roundcube app installed. We have only some of the official Nextcloud Apps (Calendar, Notes, etc., so no special, custom or unsupported addons). Our Roundcube is a completely independent instance.

Whether it is a browser bug or not, I don't know, hence this bug report.

However there are some facts:

1. We have also a Redmine instance, on redmine.example.com sibling subdomain. Cookies are cleared on this domain as well. Redmine is not even PHP, but Ruby. So it seems all subdomains got cookies cleared in the moment of the Nextcloud logout.
2. Logging out from Roundcube and Redmine works as expected, does not influence sibling subdomains.
3. It is only Nextcloud's logout, which clears sibling subdomains' cookies.
4. Nextcloud uses Clear-Site-Data at logout, while Roundcube/Redmine does not.

Could it be possible, that Nextcloud's Clear-Site-Data implementation in context of Chromium/Chrome browser does not work as expected?

Thank you.

[tflidd]

@LukasReschke

[rcdevs]

Hi,
I also need to create a Cookie in my app, but every time user logout, all cookies are deleted, due to Clear-Site-Data implementation (https://www.w3.org/TR/clear-site-data/#grammardef-cookies). How to make persistant cookie? Thank you!

[bszente]

@rcdevs, I believe your question is not related to my issue. My bug report is about Nextcloud deleting other, unrelated web page cookies that reside on different subdomains of the same main domain. And it happens only in Chrome/Chromium.

[rcdevs]

Yes you're right, it should not delete subdomain's cookies... For now, waiting for a good answer, the only way to avoid this behavior is to comments //$response->addHeader('Clear-Site-Data', '"cache", "cookies", "storage", "executionContexts"'); or delete ["cookies",] on line 123 in public function logout() in file core/Controller/LoginController.php

[danb35]

Can confirm this also happens when not using subdomains. If Nextcloud is at domain.com/nextcloud, and horde is at domain.com/horde, logging out of Nextcloud results in being logged out of horde as well. This happens when using Chrome, but not Firefox.

[WolfgangWeber]

I can confirm this issue still exists on Nextcloud 13.0.4. Logging out from Nextcloud on subdomain cloud.example.com, deletes the cookies from other subdomains (mail.example.com, rss.example.com, blog.example.com), too...

[arno1979]

Yeah, I can confirm this one too.

[Ninjiner]

Has somebody tested it with 14.0.0?

[bszente]

Has somebody tested it with 14.0.0?

The logout() function in core/Controller/LoginController.php is the same, so most likely the issue is still present. I did not test it though.