Session handling: api and webdav requests with basic auth or oauth2 tokens shall not start a session #29779

DeepDiver1975 · 2017-12-07T07:51:46Z

Reasoning:

sessions are only usefull in web ui
webdav by itself does not specify the use of sessions - only basic auth
plain dav requests (e.g. caldav and carddav) are stateless and have no sessions - thousands of new sessions are generated - totally pointless Faulty session handling (creating massive amount of sessions when webdav-interface is in use) - workaround #5383

What to do:

sessions are only started when an explicit login via the webui is initiated
information currently being stored in the session needs to be store in a different location
analyse the information which is stored in the session and review the storage location
ISession and IUserSession are part of the public api - we need to continue to support this

PVince81 · 2017-12-07T07:57:53Z

What about web UI?

ownclouders · 2017-12-07T07:59:43Z

GitMate.io thinks the contributor most likely able to help you is @PVince81.

DeepDiver1975 · 2017-12-07T07:59:59Z

sessions are only started when an explicit login via the webui is initiated

PVince81 · 2018-04-03T10:01:40Z

moving to planned

PVince81 · 2018-07-24T12:28:20Z

backlog

DeepDiver1975 · 2020-03-10T15:12:09Z

We will not touch these parts anymore -> close

DeepDiver1975 added the Type:Bug label Dec 7, 2017

DeepDiver1975 added this to the planned milestone Dec 7, 2017

DeepDiver1975 self-assigned this Dec 7, 2017

ownclouders added comp:authentication enhancement labels Dec 7, 2017

martinlanger90 mentioned this issue Dec 26, 2017

Session handling: api and webdav requests shall not start a session nextcloud/server#7628

Closed

ownclouders added the status/STALE label Jan 7, 2018

SamuAlfageme mentioned this issue Jan 25, 2018

[10.0.4] Sessions created from application passwords result in "Login failed" errors when used #30157

Closed

ownclouders removed the status/STALE label Apr 3, 2018

PVince81 modified the milestones: development, planned Apr 3, 2018

felixboehm removed the enhancement label Apr 19, 2018

ownclouders mentioned this issue Apr 19, 2018

Oauth2 token request behaves incorrectly with invalid token #31211

Open

ownclouders added the status/STALE label May 23, 2018

PVince81 modified the milestones: development, backlog Jul 24, 2018

ownclouders removed the status/STALE label Jul 24, 2018

DeepDiver1975 closed this as completed Mar 10, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Session handling: api and webdav requests with basic auth or oauth2 tokens shall not start a session #29779

Session handling: api and webdav requests with basic auth or oauth2 tokens shall not start a session #29779

DeepDiver1975 commented Dec 7, 2017

PVince81 commented Dec 7, 2017

ownclouders commented Dec 7, 2017

DeepDiver1975 commented Dec 7, 2017

PVince81 commented Apr 3, 2018

PVince81 commented Jul 24, 2018

DeepDiver1975 commented Mar 10, 2020

Session handling: api and webdav requests with basic auth or oauth2 tokens shall not start a session #29779

Session handling: api and webdav requests with basic auth or oauth2 tokens shall not start a session #29779

Comments

DeepDiver1975 commented Dec 7, 2017

PVince81 commented Dec 7, 2017

ownclouders commented Dec 7, 2017

DeepDiver1975 commented Dec 7, 2017

PVince81 commented Apr 3, 2018

PVince81 commented Jul 24, 2018

DeepDiver1975 commented Mar 10, 2020