Logout failure with Basic Auth

ℹ️ Support
1

Hello and thanks for your great work :slight_smile:
Nextcloud version 10.0.5
Operating system and version Ubuntu 14.04
Apache or nginx version Apache 2.4.7
PHP version 5.5.9
Error is stable and systematic. Easy to replicate.

When I am logged into NextCloud I cannot log out.
Clicking on Logout button does not seem to generate any effect.
Only when starting the browser the first time, NextCloud asks for credentials.

My server is on apache and NextCloud is in a subdirectory with directives:
AuthType None
AllowOverride All
Initial authentication (through internal store and LDAP) works fine, but logout does not.
The general authentication of the server is through Basic Auth, but not the directory of NextCloud as seen above.
Any suggestion where to look is more than welcome.

Nextcloud log in Admin>Logging has no entry. config.php does not show anything related.
LDAP integration is active and working.

Cheers, Hubert
More information about the scenario:

  1. Fresh Firefox, enter the NC site
  2. Login page appears. Enter creds, normal login
  3. Press logout, login page appears again
  4. You can repeat this with another user, login, logout
  5. Go to the rest of the site
  6. Basic Auth popup appears. Fill it with a user (the same as NC)
  7. Visit the rest of the site
  8. Press logout on NC
  9. Page returns to the initial Files view for the user (logged in Basic Auth).
2

I’m not sure if you can bypass Nextcloud authentication like this. And this way I’m not wondering that logout does not work. You should rather user SSO to authenticate once for different applications. NC 10 is not supported any more, consider upgrade to NC 11 soon (you’ll probably need to upgrade php to 5.6 or later).

3

Thanks tflidd, let me precise one point. I am not trying to bypass NC authentication. I am trying to enable it and especially shield it from the Basic Auth that is valid for the rest of the site.
I chose NC10 because of OS level, so sure I will upgrade as soon as possible. I have not seen any debate indicating that the behavior has changed after NC10.
It seems that NC recognises Basic Auth because the browser is sending credential headers automatically for all the site, regardless of the directory.
Ideally I would like to understand the area of code that receives these credentials, and see if there is a flag that instructs NC to disregard them.
Have a great day, and congrats for the tool! Hubert

4

@LukasReschke can you help?