Modify Session Time OwnCloud (for security)

Hi guys,

My first post here. Thanks so much for this cool server and the owncloud app. So I’ve been studying for my CISSP security certificate and it was brought to my attention that session length time can be a security vulnerability. I’m running UCS: 4.4-4 errata602 with Installed: letsencrypt=1.2.2-8 4.3/collabora=4.2.2.1 4.3/owncloud=10.3.2-1.

I’ve found the settings I wish to change on my owncloud instance by modifying the owncloud.php; they are as follows:

'remember_login_cookie_lifetime' => 60*60*24*1,

# Lifetime of the remember login cookie, which is set when the user clicks the remember checkbox on the login screen. The default is 15 days, expressed in seconds.

'session_lifetime' => 60 * 60 * 1,

# The lifetime of a session after inactivity; the default is 24 hours, expressed in seconds.

'session_keepalive' => false,

So I’ve found a couple of .php files in the /var/lib/univention-appcenter/apps/owncloud/conf directory.

And of course I’ve read this:

ownCloud uses the config/config.php file to control server operations. config/config.sample.php lists all the configurable parameters within ownCloud, along with example or default values. This document provides a more detailed reference. Most options are configurable on your Admin page, so it is usually not necessary to edit config/config.php.

The installer creates a configuration containing the essential parameters. Only manually add configuration parameters to config/config.php if you need to use a special value for a parameter. Do not copy everything from config/config.sample.php . Only enter the parameters you wish to modify!

ownCloud supports loading configuration parameters from multiple files. You can add arbitrary files ending with .config.php in the config/ directory, for example you could place your email server configuration in email.config.php . This allows you to easily create and manage custom configurations, or to divide a large complex configuration file into a set of smaller files. These custom files are not overwritten by ownCloud, and the values in these files take precedence over config.php .


So I’ve tried adding my three lines of code in the config.php, but they break the web interface completely with a “cannot modify header” error. From inside the overwrite.config.php I see these lines:

if (getenv('OWNCLOUD_REMEMBER_LOGIN_COOKIE_LIFETIME') != '') {
    $config['remember_login_cookie_lifetime'] = (int) getenv('OWNCLOUD_REMEMBER_LOGIN_COOKIE_LIFETIME');
}
if (getenv('OWNCLOUD_SESSION_LIFETIME') != '') {
    $config['session_lifetime'] = (int) getenv('OWNCLOUD_SESSION_LIFETIME');
}
if (getenv('OWNCLOUD_SESSION_KEEPALIVE') != '') {
    $config['session_keepalive'] = getenv('OWNCLOUD_SESSION_KEEPALIVE') == 'true';
}

So how do I modify these settings to auto logout of owncloud after the first hour, no matter if the browser is still open or not? Ideally I’d like these settings to persist across a reboot, but I would at the least like to get the session to time out after an hour. I want my server to be very secure. Thank you for helping me.
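As an added example (not code from this thread, from ownCloud or from Univention), the following is a drop-in config/session.config.php that uses the *.config.php override mechanism described in the documentation quoted above. The file name, the chosen values and the comment about load order are assumptions for illustration: in the UCS app container the overwrite.config.php shown above also sets these keys from OWNCLOUD_* environment variables, so check on your own host which file is read last before relying on it.

```php
<?php
// Added example: config/session.config.php for ownCloud.
// Files named *.config.php in config/ are merged over config.php and take
// precedence over it (per the ownCloud documentation quoted in the thread).
// ASSUMPTION: only the $CONFIG array is read from such a file, and no other
// *.config.php (e.g. the UCS overwrite.config.php) sets the same keys later.

$hour = 60 * 60;

$CONFIG = [
    // "Remember me" cookie. The sample config says it should be larger than
    // session_lifetime and that 0 disables "remember me" entirely; disabling
    // it avoids a long-lived cookie on a machine the browser may be left open on.
    // (The reply further down the thread suggests 60*60 instead.)
    'remember_login_cookie_lifetime' => 0,

    // Server-side session lifetime after inactivity: one hour.
    'session_lifetime' => 1 * $hour,

    // Switch off the Web UI heartbeat that would otherwise keep the session
    // alive for as long as the tab stays open.
    'session_keepalive' => false,
];

// Deliberately no closing "?>" tag: any whitespace emitted after it would be
// sent to the client before the HTTP headers and trigger exactly the
// "Cannot modify header information" error mentioned above.
```

A quick sanity check after saving the file: `php -l config/session.config.php` reports syntax errors, and the file must start with `<?php` as its very first bytes (no BOM, no blank line), for the same headers-already-sent reason.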

I found this thread in the Owncloud forum:


So an auto logout only seems to work after the browser (tab) has been closed.

To become kicked out after a time of inactivity is an unwanted behavior.

Well, it may be unwanted for some. But I want to be kicked out after an hour. I use owncloud to transfer sensitive data to remote users. I teamviewer into their machine, download files, then exit. If I accidentally forget to close the browser, that remote user will have access to everything on the owncloud server, including sensitive data for other users.

So I actually do very much want to be kicked out after an hour of use, whether the browser is open or not. And from my understanding there are three variable settings that can provide this functionality.

/**
 * Lifetime of the remember login cookie. This should be larger than the
 * session_lifetime. If it is set to 0 remember me is disabled.
 * Defaults to 60*60*24*15 seconds (15 days)
 */
'remember_login_cookie_lifetime' => 60*60*24*15,

/**
 * The lifetime of a session after inactivity.
 * Defaults to 60*60*24 seconds (24 hours)
 */
'session_lifetime' => 60 * 60 * 24,

/**
 * Enable or disable session keep-alive when a user is logged in to the Web UI.
 * Enabling this sends a "heartbeat" to the server to keep it from timing out.
 * Defaults to true
 */
'session_keepalive' => true,

If I understand the Owncloud admin manual (page 275 ff.) right, you will need to reduce the value of

'remember_login_cookie_lifetime' => 60*60*24*15,

to one hour:

'remember_login_cookie_lifetime' => 60*60,

In your start posting your cookie lifetime has too big a value:

'remember_login_cookie_lifetime' => 60*60*24*1,

= 24 hrs.
The changes must be done in config/config.php

I was able to add the variable in the config.php file, but they don’t seem to work.

Did you close the browser tab and call owncloud again after the calculated cookie timeout?

If I close out of the browser then yes, the session will expire, but I’m not sure the values I input above have anything to do with the timeout value with the browser closed. Since, even before I updated those values, the session would log out if the browser was closed. Most likely taking

I downloaded nextcloud as a test, without univention, and I set up the variables as mentioned above; it seems to work. So what happens in nextcloud is I’ll be logged in, then after 1 hour, when I click on another folder, it says “retrying” and then boots me out to the login page. So with nextcloud, and I’m assuming owncloud, these variables should work to force the session to expire, even with the browser open.

You are right. But it seems that Owncloud and Nextcloud have different behaviors for keeping a session alive. Nextcloud is more restrictive, but Owncloud only kicks off the session after closing the browser (tab) or disconnecting the network connection, as described in the Owncloud documentation/forums.
