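--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -865,6 +865,15 @@ public function loginWithCookie($uid, $currentToken, $oldSessionId) {
 $tokens = $this->config->getUserKeys($uid, 'login_token');
 // test cookies token against stored tokens
 if (!in_array($currentToken, $tokens, true)) {
+$this->logger->error('Tried to log in {uid} but could not verify token', [
+'uid' => $uid,
+]);
+// The user is possibly logged in, but the token can't be verified. As
+// a safety measure we end the session and log the user out
+// TODO: what if two requests go through this method concurrently, wouldn't
+// one of them win and make the other one appear invalid do to the
+// same token that no longer exists in the database?
+$this->logout();
+return false;
 }
 // replace successfully used token with a new one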
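Review bot: The added `$this->logout();` runs on every token mismatch, including the concurrent-request case that the TODO above it describes, so two parallel requests carrying the same remember-me token could end with the losing request tearing down the session the winning one just established. That question should be settled before merging, with the TODO replaced by a comment recording the decision, for example `// Concurrent requests may race on token rotation; logging out here is accepted because ...`. Separately, `$uid` is presumably taken from the cookie and is not yet verified at this point, so error-level logging lets any client that sends a stale or made-up cookie produce error entries for arbitrary user ids; `$this->logger->warning('Tried to log in {uid} but could not verify token', ['uid' => $uid]);` would keep the signal for detection without inflating the error channel. The body of loginWithCookie starts and ends outside this hunk, so how `logout()` interacts with the token replacement that follows is not visible here.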