From e378f7faca178e9dcee373da887fa4d7bf830104 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 20 Apr 2026 10:24:39 +0000 Subject: [PATCH] aio-interface: preserve login session across container restarts after cookie name change The session cookie was recently renamed from `PHPSESSID` to `__Host-Http-PHPSESSID` (commit 3871179a). When watchtower updates the mastercontainer, the browser still holds the old `PHPSESSID` cookie, but the new code only looks for `__Host-Http-PHPSESSID`. The old cookie is ignored, a fresh unauthenticated session is created, and the user is logged out. Fix: before starting the new session in index.php, check if the old `PHPSESSID` cookie exists and carries an authenticated session. If it does, destroy the old session and mark the new one as authenticated via `SetAuthState(true)`. Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/cba0ea31-e257-4ec1-82ae-dd66f0f34d98
--- refactor: address review comments - use constant for session key and activity interval Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/cba0ea31-e257-4ec1-82ae-dd66f0f34d98 Co-Authored-By: szaimen <42591237+szaimen@users.noreply.github.com>
--- php/public/index.php | 18 ++++++++++++++++++ php/src/Auth/AuthManager.php | 2 +- 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/php/public/index.php b/php/public/index.php
index b113d6b0..d6b3d33b 100644
--- a/php/public/index.php
+++ b/php/public/index.php
@@ -37,6 +37,20 @@ $container->set(Guard::class, function () use ($responseFactory) {
 });
 
 // Register Middleware To Be Executed On All Routes
+
+// Migrate from the old PHPSESSID cookie to the new __Host-Http-PHPSESSID cookie.
+// This is needed because the session cookie was renamed in a previous release. Without this,
+// users that were logged in before the update would be logged out after the container restarts.
+$wasAuthenticated = false;
+if (!isset($_COOKIE['__Host-Http-PHPSESSID']) && isset($_COOKIE['PHPSESSID'])) {
+    session_name('PHPSESSID');
+    if (session_start(['save_path' => $dataConst->GetSessionDirectory(), 'use_strict_mode' => true])) {
+        $wasAuthenticated = isset($_SESSION[\AIO\Auth\AuthManager::SESSION_KEY]) && $_SESSION[\AIO\Auth\AuthManager::SESSION_KEY] === true;
+        session_unset();
+        session_destroy();
+    }
+}
+
 session_start([
     "name" => "__Host-Http-PHPSESSID", // Set cookie prefix to prevent other pages from overwriting this cookie. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#cookie_prefixes
     "save_path" => $dataConst->GetSessionDirectory(), // Where to save the session files
@@ -49,6 +63,10 @@ session_start([
     "cookie_httponly" => true, // Block the cookie from being read with js in the browser, will still be send for fetch request triggered by js. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#httponly
     "cookie_samesite" => "Strict", // Only send the cookie with requests triggered by AIO itself. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value
 ]);
+
+if ($wasAuthenticated) {
+    $container->get(\AIO\Auth\AuthManager::class)->SetAuthState(true);
+}
 $app->add(Guard::class);
 
 // Create Twig
diff --git a/php/src/Auth/AuthManager.php b/php/src/Auth/AuthManager.php
index e2ff98dc..851b5ff6 100644
--- a/php/src/Auth/AuthManager.php
+++ b/php/src/Auth/AuthManager.php
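Review bot: The legacy `session_start([...])` inside the migration branch passes only `save_path` and `use_strict_mode`, none of the cookie hardening the main `session_start` below applies (`cookie_httponly` and `cookie_samesite` are visible in the second hunk). When `use_strict_mode` rejects a `PHPSESSID` value that no longer maps to a session file, PHP allocates a fresh id and emits `Set-Cookie: PHPSESSID=...` with whatever the container's php.ini defaults are, so a non-hardened session cookie can still be sent on that path; mirroring the options, e.g. `session_start(['save_path' => $dataConst->GetSessionDirectory(), 'use_strict_mode' => true, 'cookie_httponly' => true, 'cookie_samesite' => 'Strict'])` (plus `cookie_secure`, which the `__Host-` prefix presumably already forces for the new cookie), closes that gap. The old cookie is also never expired after `session_destroy()`, so this branch re-runs on every request that arrives without the new cookie for as long as the browser keeps `PHPSESSID`; a `setcookie('PHPSESSID', '', ['expires' => 1, 'path' => '/']);` after the destroy retires it. The `session_start([` call that follows continues outside the hunk.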
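Review bot: `SetAuthState(true)` is granted to the new session on the strength of `$_SESSION[SESSION_KEY] === true` alone, so any other state AuthManager keeps next to that flag in the old session is dropped rather than carried over. The commit message mentions an activity interval; if AuthManager enforces an inactivity timeout via a session timestamp, an old session that would otherwise have been expired as idle is re-minted here as freshly authenticated, so that timestamp should be read in the migration branch and either copied into the new session or used to gate the `SetAuthState(true)` call. Only the `SetAuthState` call is visible in this hunk, so this is inferred from the message rather than from code. A one-line comment above the `if` would also help the next reader, e.g. `// Re-establish the auth state read from the legacy PHPSESSID session before it was destroyed above`.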
@@ -8,7 +8,7 @@ use AIO\Data\DataConst;
 use \DateTime;
 
 readonly class AuthManager {
-    private const string SESSION_KEY = 'aio_authenticated';
+    public const string SESSION_KEY = 'aio_authenticated';
 
     public function __construct(
         private ConfigurationManager $configurationManager
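Review bot: Widening `SESSION_KEY` from `private` to `public` makes the raw `$_SESSION` layout part of AuthManager's API, with `php/public/index.php` now reading the flag directly instead of asking the class. A narrower option is to keep the constant private and expose the single check the bootstrap needs, for instance a static helper along the lines of `IsSessionAuthenticated(array $session): bool` (name constructed here) that index.php calls with the legacy `$_SESSION`. If the constant stays public, a comment on it should pin the reason so it is not reused elsewhere, e.g. `// Public only so php/public/index.php can read the flag from the legacy PHPSESSID session during the cookie-name migration.` The `readonly class AuthManager` body continues outside the hunk.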