
Clicking an external link to a shared file logs out the current user

Open · stringbean opened this issue 2 years ago · 1 comment

Steps to reproduce

  1. Create a public link for a file.
  2. Add the link to page on a different domain.
  3. Click the shared link on the external site - the shared file appears as normal.
  4. Click on the ownCloud banner - at this point the user expects to return to the file list.
  5. The user is redirected to the ownCloud login page.

Note: pasting the shared link into the URL bar will not trigger the issue - it must come from a cross-site redirect.

Expected behaviour

Viewing a shared file via a link should display the file and leave the user logged in (if already). When the user attempts to view the file list or a non-shared file they should not be forced to reauthenticate.

Actual behaviour

Viewing a shared file from an external link invalidates the currently authenticated session, forcing the user to re-authenticate.

Server configuration

ownCloud version: 10.10.0.3

Updated from an older ownCloud or fresh install: Fresh install.

Where did you install ownCloud from: Docker Compose.

Client configuration

Browser: confirmed to affect:

  • Firefox 102.0
  • Chrome 103
  • Safari 15.5

Operating system: macOS 12.4 (Monterey)

Logs

No errors seen at default logging levels.

Browser log

Taken from Firefox:

Cookie “oclbm24h6kt2” with the “SameSite” attribute value “Lax” or “Strict” was omitted because of a cross-site redirect. [xIhpWNReO0tEdNj](http://owncloud.capsule.run:9080/s/xIhpWNReO0tEdNj)
Cookie “oc_sessionPassphrase” with the “SameSite” attribute value “Lax” or “Strict” was omitted because of a cross-site redirect. [xIhpWNReO0tEdNj](http://owncloud.capsule.run:9080/s/xIhpWNReO0tEdNj)

Additional Info

I'm not an ownCloud user but one of the customers of the company I work for (Capsule) uses it and encountered this issue. They want to be able to add links in Capsule to files stored in ownCloud but are getting logged out as soon as they click on them - this is making it difficult to work in both systems simultaneously.

From the outside it looks like the following is happening:

  1. The session cookies (oc_sessionPassphrase & ocXXXX) are stored using SameSite=Strict.
  2. The user clicks a shared link inside Capsule.
  3. The share link is opened in a new tab:
    • The browser treats this as a cross-site request as it was not initiated from inside ownCloud.
    • The session cookies are not sent as they are SameSite=Strict.
  4. ownCloud receives no session cookies in the request, so it automatically creates a new session with cookies.
    • These new cookies stomp the existing session cookies for the authenticated user.

stringbean avatar Jul 06 '22 11:07 stringbean
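A small model of the mechanism stringbean describes above, added here as an example (this is not ownCloud's code): a browser cookie jar that applies SameSite rules to a link clicked on another domain, and a public-share endpoint that either issues a fresh anonymous session cookie (the reported behaviour) or serves the share without touching an existing session. The cookie name `oc_session` and its values are constructed stand-ins for the real `oc_sessionPassphrase`/`ocXXXX` cookies.

```python
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    samesite: str  # "Strict" or "Lax"


@dataclass
class Browser:
    """Minimal cookie jar applying SameSite rules to a top-level GET navigation."""
    jar: dict = field(default_factory=dict)

    def cookies_for(self, cross_site: bool) -> dict:
        sent = {}
        for c in self.jar.values():
            # Strict cookies are withheld from any cross-site request, including a
            # link clicked on another domain; Lax cookies ride along on top-level GETs
            # (per the SameSite spec; redirect handling differs between browsers).
            if cross_site and c.samesite == "Strict":
                continue
            sent[c.name] = c.value
        return sent

    def store(self, cookies: list) -> None:
        for c in cookies:
            self.jar[c.name] = c  # a Set-Cookie with an existing name replaces it


def share_endpoint(request_cookies: dict, samesite: str, fresh_session_on_anon: bool):
    """Models the public-share URL. Returns (user_authenticated, set_cookie_list)."""
    if request_cookies.get("oc_session") == "user-session":  # constructed value
        return True, []
    if fresh_session_on_anon:
        # Reported behaviour: no session cookie arrives, so a new anonymous
        # session is created and its cookie is sent back, clobbering the old one.
        return False, [Cookie("oc_session", "anon-session", samesite)]
    return False, []  # Hardened: serve the public share without touching the session


def scenario(samesite: str, fresh_session_on_anon: bool = True):
    """Returns (authenticated on the share view, authenticated after clicking the banner)."""
    browser = Browser()
    browser.store([Cookie("oc_session", "user-session", samesite)])  # logged-in user
    # 1. Link clicked on the external site: cross-site navigation to the share.
    on_share, set_cookies = share_endpoint(
        browser.cookies_for(cross_site=True), samesite, fresh_session_on_anon)
    browser.store(set_cookies)
    # 2. Banner clicked inside ownCloud: same-site navigation to the file list.
    after_banner, _ = share_endpoint(
        browser.cookies_for(cross_site=False), samesite, fresh_session_on_anon)
    return on_share, after_banner
```

With `SameSite=Strict` and a fresh anonymous session the user ends up logged out after the banner click, exactly as reported; the same Strict cookie survives when the share endpoint does not issue a replacement session cookie to anonymous visitors.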

I can replicate this with our system too (although we're running OC 10.9). In fact, clicking on any link on a site with a different domain forces a new login.

This was tested with Chrome 105.0.5195.102. We run ownCloud using docker-compose, and have upgraded from 10.1 through different versions to 10.9.

drsimmo avatar Sep 14 '22 01:09 drsimmo

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 10 days if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Mar 13 '23 01:03 github-actions[bot]

This issue has been automatically closed.

github-actions[bot] avatar Mar 24 '23 01:03 github-actions[bot]