Disconnect all sessions/revoking access for all apps of a user

Nextcloud version : 13.0.6

Hello Nextclouders.

On my user's security settings page I see all logged-in clients. But the list is very long: like 10 screens just filled with 3 apps with many sessions/logins for almost every minor version for the last two years.


Is it possible to revoke access to these old versions/all apps? I know I can revoke access manually, but that would take hours and several thousand clicks.

Thank you very much.

Did not want to wait and came up with this solution:

Go to your personal security page.
Open the developer tools of your browser (Firefox) and select the network tab.
Revoke access to the oldest app.
Right-click on the DELETE request and choose “copy as curl”.

Create a bash script file with the following content, but replace the curl line with the one you copied. Then remove the URL from the curl line and replace it as in the example below.

#!/bin/bash
#set -x # for debugging in bash
token=1 # first token to delete
url=https://example.tld/nextcloud/index.php/settings/personal/authtokens/
for i in {1..9999} # 9999 rounds
do
	echo "token: $token" # so you see the progress
	# paste your own "copy as curl" line here, with the URL replaced by "$url$token"
	curl "$url$token" -X DELETE -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0' -H 'Accept: application/json, text/javascript, */*; q=0.01' -H 'Accept-Language: de,en;q=0.5' --compressed -H 'requesttoken:<<<<<censored>>>>>' -H 'OCS-APIREQUEST: true' -H 'X-Requested-With: XMLHttpRequest' -H 'Cookie: nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true; <<<<<censored>>>>>; oc_sessionPassphrase=<<<<<censored>>>>>; oc_music_volume=56' -H 'DNT: 1' -H 'Connection: keep-alive'
	((token++)) # increase the number
done

This is not efficient, and there is probably a way to get the list of tokens that are actually in use. But I wasn't feeling like researching much for this issue.

If you have a more efficient solution feel free to answer below.


This is an older topic but the information is still relevant and was still useful to me (with Nextcloud 24.0.2). So I thought I'd share the small improvement that I could make to what was already provided. I haven't found any other way to do this.

While doing what was described earlier, you can revoke the first and the last session in the list manually. This gives you the start and end token for this list in the dev console. You can also improve the loop by just iterating over these tokens. The code from earlier becomes like this, with 12345 being the first token, from the bottom of the list, and 22345 being the last token, from the top of the list.

#!/bin/bash
url=https://example.tld/nextcloud/index.php/settings/personal/authtokens/
for token in {12345..22345} # first token .. last token; the loop advances $token itself
do
	echo "token: $token" # so you see the progress
	curl "$url$token" -X DELETE -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0' -H 'Accept: application/json, text/javascript, */*; q=0.01' -H 'Accept-Language: de,en;q=0.5' --compressed -H 'requesttoken:<<<<<censored>>>>>' -H 'OCS-APIREQUEST: true' -H 'X-Requested-With: XMLHttpRequest' -H 'Cookie: nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true; <<<<<censored>>>>>; oc_sessionPassphrase=<<<<<censored>>>>>; oc_music_volume=56' -H 'DNT: 1' -H 'Connection: keep-alive'
done
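Both scripts above fire a DELETE at every id in a fixed range and never look at the reply. The following is an added example (not from either poster, not Nextcloud's own code) that keeps the same per-id DELETE endpoint and the first/last-token range trick, but checks each HTTP status, counts what was actually revoked, and stops once it runs into a long run of failures (a gap of ids that no longer exist, or a session/requesttoken that has expired, which makes every reply fail). Assumptions: the requesttoken header and session cookie copied from your own "copy as curl" are what the request needs (pass them as the placeholder env vars NC_REQUESTTOKEN and NC_COOKIE), and any non-200 reply is treated as "not revoked".

```shell
#!/usr/bin/env bash
# Added example: range-based revocation with status checks and early stop.
# NC_URL, NC_REQUESTTOKEN, NC_COOKIE, MAX_MISSES and CURL are assumed env vars.
set -u

url="${NC_URL:-https://example.tld/nextcloud/index.php/settings/personal/authtokens/}"
max_misses="${MAX_MISSES:-200}"   # stop after this many consecutive non-200 replies

# Send one DELETE for token id $1 and print only the HTTP status code.
# CURL can be overridden (e.g. with a stub function) to dry-run the loop logic.
delete_token() {
  "${CURL:-curl}" -s -o /dev/null -w '%{http_code}' -X DELETE \
    -H "requesttoken: ${NC_REQUESTTOKEN:-}" \
    -H "Cookie: ${NC_COOKIE:-}" \
    -H 'OCS-APIREQUEST: true' \
    -H 'X-Requested-With: XMLHttpRequest' \
    "${url}${1}"
}

# Walk token ids $1..$2 (first and last id taken from the dev console).
# A 200 counts as revoked and resets the miss counter; any other status is a
# miss. After max_misses misses in a row the loop stops, prints the number of
# revoked tokens on stdout, a note on stderr, and returns 1.
revoke_range() {
  local id=$1 end=$2 deleted=0 misses=0 code
  while [ "$id" -le "$end" ]; do
    code=$(delete_token "$id")
    if [ "$code" = "200" ]; then
      deleted=$((deleted + 1)); misses=0
    else
      misses=$((misses + 1))
      if [ "$misses" -ge "$max_misses" ]; then
        echo "stopped at id $id after $misses consecutive misses (expired session?)" >&2
        echo "$deleted"; return 1
      fi
    fi
    id=$((id + 1))
  done
  echo "$deleted"
}

# Usage: NC_REQUESTTOKEN=... NC_COOKIE=... ./revoke.sh 12345 22345
if [ "$#" -ge 2 ]; then
  revoke_range "$1" "$2"
fi
```

Run it with a small range first and compare the printed count against the list in Settings → Security before letting it loose on the full range.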

Thanks so much for posting this. I had to delete 1300 entries. I hope it does not pile up again.

There are a lot of issues but nobody implements a feature. And all this has nothing to do with security. What a pity.

Delete associated devices at once · Issue #8720 · nextcloud/server · GitHub

Just had a look in Settings → Security

Since I deleted 1300 sessions, there are already 10 new ones. Seems like some kind of garbage collection is needed.


BTW: The only reason why I was looking for these sessions was, that a login took more than three minutes. After deleting the sessions login was back to normal.

I have exactly the same problem on 24.0.3. The list is more than full (over 12.000 entries) and my login takes around half a minute. Thanks for posting this solution.
A proper solution from the official side would be even better ;).
There should be an option for the maximum time a session can stay valid without any action. And I thought there is a setting in config.php, but even though I set

'session_lifetime' => 60 * 60 * 2,

All sessions stay in the list (including the caldav syncs with my phone).

I stumbled across the same issue. Usually, old tokens get cleaned up in the cron scripts, but currently (NC 24) the cron script does not include the deletion of stale login tokens anymore. The job was called DefaultTokenCleanupJob. They removed it (accidentally?) in this PR. It is noted in the Critical changes for developers and admins for Nextcloud 24.

However, they plan to add it back in Nextcloud 25. When added back, the session_lifetime should work again.

One can check by logging onto the mariadb/mysql process with the nextcloud credentials, select the nextcloud database, and execute select * from oc_jobs;. From there, look for OC\Authentication\Token\DefaultTokenCleanupJob and compare the column last_run which is the unix timestamp.


Thanks! I can wait until then I hope :slight_smile: