Constant logouts after NC & PHP update

Hi there,

I recently upgrade my NC version 18.x to 19.0.4 and then to 20.0.1.
It’s a manual installation on a Plesk-driven vServer running Ubuntu 18.04
In the course of the update I had to upgrade PHP as well and due to some PHP modules being not available for the Plesk provided PHP, I’m running Ubuntus
PHP version 7.4.12.
Apache version: 2.4.29-1ubuntu4.14

Since the update I’m constantly logged out, XHR calls result in HTTP 412 or HTTP 500 whith a stacktrace pointing to method calls with user parameter = null

All in all it looks like the session is invalidated or recreated frequently.
The time in between session invalidations is not fix/deterministic, so I don’t think its PHPs session cleanup (although I checked that, too: session.gc_maxlifetime is set to 1440 per phpinfo).

Steps to replicate it:

  1. open Nextcloud dashboard and navigate to mail app
  2. look at the debugger console
  3. after some 50-100 successful requests all calls result either in
  • HTTP 412 with content message "CSRF check failed"
  • HTTP 401 with content message "Current user is not logged in"
  • HTTP 500 with the usual internal server error page. The corresponding log entry reads
    TypeError: Argument 7 passed to OCA\Mail\Controller\MessagesController::__construct() must be of the type string, null given

I observe a similar behavior in the News app: after a while (takes a little longer, bit after very few minutes the latest) I get the 412

The Files app shows 401s (with above mentioned error) for a couple of XHR requests and then redirects to the login page.

I moved the PHP session directory to a separate one for this instance (since Plesk manages multiple in parallel) to eliminate the possibility that another PHP session cleanup affects this PHP instance.

For the sake of completeness here’s my config.php, although I had to anonymize quite a some entries:

$CONFIG = array (
  'session_lifetime' => 86400,
  'remember_login_cookie_lifetime' => 1296000,
  'instanceid' => 'XXXXX',
  'passwordsalt' => 'XXXXX',
  'secret' => 'XXXXX',
  'trusted_domains' => 
  array (
    0 => 'XXXXX',
    1 => 'XXXXX',
  'datadirectory' => 'XXXXX',
  'overwrite.cli.url' => 'XXXXX',
  'dbtype' => 'mysql',
  'version' => '',
  'dbname' => 'owncloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'owncloud',
  'dbpassword' => 'XXXXX',
  'installed' => true,
  'maintenance' => false,
  '' => false,
  'loglevel' => 2,
  'theme' => '',
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'ssl',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'mail',
  'mail_domain' => 'XXXXX',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'XXXXX',
  'mail_smtpport' => '465',
  'mail_smtpname' => 'XXXXX',
  'mail_smtppassword' => 'XXXXX',
  'app.mail.verify-tls-peer' => false,
  'memcache.local' => '\\OC\\Memcache\\APCu',

Any help would be appreciated. I’m able to debug the PHP instance, but since I don’t know the whole session handling infrastructure and how the apps play together, it’s kind of hard for me to investigate further.

I figured github would be a better place for this and issued a ticket there:

btw: this only seems to happen with PHP 7.4.