daenamnu/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/all-in-one.git synced 2026-05-21 10:50:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

aio-interface: preserve login session across container restarts after cookie name change

Browse Source 
The session cookie was recently renamed from `PHPSESSID` to
   `__Host-Http-PHPSESSID` (commit 3871179a). When watchtower updates the
   mastercontainer, the browser still holds the old `PHPSESSID` cookie, but the
   new code only looks for `__Host-Http-PHPSESSID`. The old cookie is ignored, a
   fresh unauthenticated session is created, and the user is logged out.

   Fix: before starting the new session in index.php, check if the old `PHPSESSID`
   cookie exists and carries an authenticated session. If it does, destroy the old
   session and mark the new one as authenticated via `SetAuthState(true)`.

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/cba0ea31-e257-4ec1-82ae-dd66f0f34d98

---

refactor: address review comments - use constant for session key and activity interval

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/cba0ea31-e257-4ec1-82ae-dd66f0f34d98
Co-Authored-By: szaimen <42591237+szaimen@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2026-04-20 10:24:39 +00:00
committed by Simon L.
parent 91e9e58c39
commit e378f7faca
2 changed files with 19 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
php/public/index.php
View File

@@ -37,6 +37,20 @@ $container->set(Guard::class, function () use ($responseFactory) {
});
// Register Middleware To Be Executed On All Routes
// Migrate from the old PHPSESSID cookie to the new __Host-Http-PHPSESSID cookie.
// This is needed because the session cookie was renamed in a previous release. Without this,
// users that were logged in before the update would be logged out after the container restarts.
$wasAuthenticated = false;
if (!isset($_COOKIE['__Host-Http-PHPSESSID']) && isset($_COOKIE['PHPSESSID'])) {
session_name('PHPSESSID');
if (session_start(['save_path' => $dataConst->GetSessionDirectory(), 'use_strict_mode' => true])) {
$wasAuthenticated = isset($_SESSION[\AIO\Auth\AuthManager::SESSION_KEY]) && $_SESSION[\AIO\Auth\AuthManager::SESSION_KEY] === true;
session_unset();
session_destroy();
}
}
session_start([
"name" => "__Host-Http-PHPSESSID", // Set cookie prefix to prevent other pages from overwriting this cookie. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#cookie_prefixes
"save_path" => $dataConst->GetSessionDirectory(), // Where to save the session files
@@ -49,6 +63,10 @@ session_start([
"cookie_httponly" => true, // Block the cookie from being read with js in the browser, will still be send for fetch request triggered by js. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#httponly
"cookie_samesite" => "Strict", // Only send the cookie with requests triggered by AIO itself. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value
]);
if ($wasAuthenticated) {
$container->get(\AIO\Auth\AuthManager::class)->SetAuthState(true);
}
$app->add(Guard::class);
// Create Twig