"Session token credentials are invalid" a few minutes after login

Nextcloud version (eg, 20.0.5): 26.0.1
Operating system and version (eg, Ubuntu 20.04): NixOS 23.05
Apache or nginx version (eg, Apache 2.4.25): 1.24.0
PHP version (eg, 7.4): 8.2.13

The issue you are facing:

For a few weeks now, I have regularly been getting the following:

{"reqId":"[redacted]","level":2,"time":"2024-01-11T10:33:36+00:00","remoteAddr":"77.25.18.169","user":"turion","app":"core","method":"GET","url":"/remote.php/dav/files/turion/[redacted]","message":"Login failed: 'turion' (Remote IP: '77.25.18.169')","userAgent":"Mozilla/5.0 (Linux) mirall/3.10.1git (Nextcloud, nixos-6.1.61 ClientArchitecture: x86_64 OsArchitecture: x86_64)","version":"26.0.10.1","data":{"app":"core"}}
 {"reqId":"[redacted]","level":2,"time":"2024-01-11T10:42:20+00:00","remoteAddr":"77.25.18.169","user":"turion","app":"core","method":"GET","url":"/remote.php/dav/files/turion/[redacted]","message":"Session token credentials are invalid","userAgent":"Mozilla/5.0 (Linux) mirall/3.10.1git (Nextcloud, nixos-6.1.61 ClientArchitecture: x86_64 OsArchitecture: x86_64)","version":"26.0.10.1","data":{"app":"core","user":"null"}}

My desktop client (on linux), my Android Nextcloud App, my DavX5 app, all get regularly disconnected. This seems to be happening for other users as well. The only thing that stays logged in is over the browser.

Is this the first time you’ve seen this error? (Y/N): N

Steps to replicate it:

  1. Log in e.g. with desktop client
  2. Wait for some time, less than an hour
  3. Client is disconnected, log message appears

The output of your Nextcloud log in Admin > Logging: This feature is unusable because it throws a RuntimeException when I try to download the log that way. (And reading it in the browser is infeasible, I can’t sort it to start with the newest entries.)

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'auth.bruteforce.protection.enabled' => false,
  'version' => '26.0.10.1',
  'installed' => true,
  'instanceid' => ...
  'maintenance' => false,
  'log_level' => '2',
  'loglevel' => '2',
  'theme' => '',
  'app_install_overwrite' => 
  array (
    0 => 'contacts',
  ),
  'trusted_proxies' => 
  array (
    0 => ...
  ),
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/lib/nextcloud/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/lib/nextcloud/store-apps',
      'url' => '/store-apps',
      'writable' => true,
    ),
  ),
  'datadirectory' => '/var/lib/nextcloud/data',
  'skeletondirectory' => '',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'log_type' => 'syslog',
  'dbname' => 'nextcloud',
  'dbhost' => '/run/postgresql',
  'dbuser' => 'nextcloud',
  'dbtype' => 'pgsql',
  'overwrite.cli.url' => ...
  'overwritehost' => ...
  'overwriteprotocol' => 'https',
  'secret' => ...
  'profile.enabled' => false,
  'trashbin_retention_obligation' => 'auto, 7',
  'passwordsalt' => ...
  'bulkupload.enabled' => false,
  'default_phone_region' => 'DE',
  'dbpassword' => ...
);

Furthermore, I have the following override.config.php:

<?php

function nix_decode_json_file($file, $error) {
  if (!file_exists($file)) {
    throw new \RuntimeException(sprintf($error, $file));
  }
  $decoded = json_decode(file_get_contents($file), true);

  if (json_last_error() !== JSON_ERROR_NONE) {
    throw new \RuntimeException(sprintf("Cannot decode %s, because: %s", $file, json_last_error_msg()));
  }

  return $decoded;
}
$CONFIG = [
  'apps_paths' => [
    
    [ 'path' => '/var/lib/nextcloud/apps', 'url' => '/apps', 'writable' => false ],
    [ 'path' => '/var/lib/nextcloud/store-apps', 'url' => '/store-apps', 'writable' => true ],
  ],
  
  'datadirectory' => '/var/lib/nextcloud/data',
  'skeletondirectory' => '',
  'memcache.local' => '\OC\Memcache\APCu',
  'log_type' => 'syslog',
  'loglevel' => '2',
  
  'dbname' => 'nextcloud',
  'dbhost' => '/run/postgresql',
  
  'dbuser' => 'nextcloud',
  
  
  'dbtype' => 'pgsql',
  'trusted_domains' => ...
  'trusted_proxies' => ...
  
  'profile.enabled' => false,
  
];

$CONFIG = array_replace_recursive($CONFIG, nix_decode_json_file(
  "/nix/store/ip41nr4wgh24yzqhj4rz55dkk204a9xr-nextcloud-extraOptions.json",
  "impossible: this should never happen (decoding generated extraOptions file %s failed)"
));

And /nix/store/ip41nr4wgh24yzqhj4rz55dkk204a9xr-nextcloud-extraOptions.json contains:

{
  "bulkupload.enabled": false,
  "default_phone_region": "DE",
  "trashbin_retention_obligation": "auto, 7"
}

I updated to 27.1.5.1, same problem.

DavX5 also says after some time that there is an error on login, and I find this log message:

{"reqId":"....","level":2,"time":"2024-01-11T15:06:17+00:00","remoteAddr":"...","user":"turion","app":"core","method":"GET","url":"/ocs/v2.php/apps/notifications/api/v2/notifications?format=json","message":"Login failed: 'turion' (Remote IP: '....')","userAgent":"Mozilla/5.0 (Linux) mirall/3.10.1git (Nextcloud, nixos-6.1.61 ClientArchitecture: x86_64 OsArchitecture: x86_64)","version":"27.1.5.1","data":{"app":"core"}}

Some other log messages that look scary and might be related:

{"reqId":"","level":3,"time":"2024-01-11T11:39:01+00:00","remoteAddr":"","user":"turion","app":"mail","method":"GET","url":"/apps/mail/api/mailboxes?accountId=1","message":"{\"Exception\":\"Exception\",\"Message\":\"HMAC does not match.\",\"Code\":0,\"Trace\":[{\"file\":\"/nix/store/83pvq28y7nzbpdhcgi4kmx2q66xkbxp3-nextcloud-26.0.10/lib/private/Security/Crypto.php\",\"line\":134,\"function\":\"decryptWithoutSecret\",\"class\":\"OC\\\\Security\\\\Crypto\",\"type\":\"->\",\"args\":[\"*** sensitive parameters replaced ***\"]},{\"file\":\"/var/lib/nextcloud/store-apps/mail/lib/IMAP/IMAPClientFactory.php\",\"line\":89,\"function\":\"decrypt\",\"class\":\"OC\\\\Security\\\\Crypto\",\"type\":\"->\",\"args\":[\"*** sensitive parameters replaced ***\"]},{\"file\":\"/var/lib/nextcloud/store-apps/mail/lib/IMAP/MailboxSync.php\",\"line\":103,\"function\":\"getClient\",\"class\":\"OCA\\\\Mail\\\\IMAP\\\\IMAPClientFactory\",\"type\":\"->\"},{\"file\":\"/var/lib/nextcloud/store-apps/mail/lib/Service/MailManager.php\",\"line\":148,\"function\":\"sync\",\"class\":\"OCA\\\\Mail\\\\IMAP\\\\MailboxSync\",\"type\":\"->\",\"args\":[\"*** sensitive parameters replaced ***\"]},{\"file\":\"/var/lib/nextcloud/store-apps/mail/lib/Controller/MailboxesController.php\",\"line\":86,\"function\":\"getMailboxes\",\"class\":\"OCA\\\\Mail\\\\Service\\\\MailManager\",\"type\":\"->\"},{\"file\":\"/nix/store/83pvq28y7nzbpdhcgi4kmx2q66xkbxp3-nextcloud-26.0.10/lib/private/AppFramework/Http/Dispatcher.php\",\"line\":230,\"function\":\"index\",\"class\":\"OCA\\\\Mail\\\\Controller\\\\MailboxesController\",\"type\":\"->\"},{\"file\":\"/nix/store/83pvq28y7nzbpdhcgi4kmx2q66xkbxp3-nextcloud-26.0.10/lib/private/AppFramework/Http/Dispatcher.php\",\"line\":137,\"function\":\"executeController\",\"class\":\"OC\\\\AppFramework\\\\Http\\\\Dispatcher\",\"type\":\"->\"},{\"file\":\"/nix/store/83pvq28y7nzbpdhcgi4kmx2q66xkbxp3-nextcloud-26.0.10/lib/private/AppFramework/App.php\",\"line\":183,\"function\":\"dispatch\",\"class\":\"OC\\\\AppFramework\\\\Http\\\\Dispatcher\",\"type\":\"->\"},{\"file\":\"/nix/store/83pvq28y7nzbpdhcgi4kmx2q66xkbxp3-nextcloud-26.0.10/lib/private/Route/Router.php\",\"line\":315,\"function\":\"main\",\"class\":\"OC\\\\AppFramework\\\\App\",\"type\":\"::\"},{\"file\":\"/nix/store/83pvq28y7nzbpdhcgi4kmx2q66xkbxp3-nextcloud-26.0.10/lib/base.php\",\"line\":1062,\"function\":\"match\",\"class\":\"OC\\\\Route\\\\Router\",\"type\":\"->\"},{\"file\":\"/nix/store/83pvq28y7nzbpdhcgi4kmx2q66xkbxp3-nextcloud-26.0.10/index.php\",\"line\":38,\"function\":\"handleRequest\",\"class\":\"OC\",\"type\":\"::\"}],\"File\":\"/nix/store/83pvq28y7nzbpdhcgi4kmx2q66xkbxp3-nextcloud-26.0.10/lib/private/Security/Crypto.php\",\"Line\":169,\"message\":\"HMAC does not match.\",\"exception\":{},\"CustomMessage\":\"HMAC does not match.\"}","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0","version":"26.0.10.1"}
{"reqId":"","level":3,"time":"2024-01-11T11:40:51+00:00","remoteAddr":"","user":"turion","app":"index","method":"GET","url":"/settings/admin/log/download","message":"{\"Exception\":\"RuntimeException\",\"Message\":\"Log implementation has no path\",\"Code\":0,\"Trace\":[{\"file\":\"/nix/store/83pvq28y7nzbpdhcgi4kmx2q66xkbxp3-nextcloud-26.0.10/apps/settings/lib/Controller/LogSettingsController.php\",\"line\":55,\"function\":\"getLogPath\",\"class\":\"OC\\\\Log\",\"type\":\"->\"},{\"file\":\"/nix/store/83pvq28y7nzbpdhcgi4kmx2q66xkbxp3-nextcloud-26.0.10/lib/private/AppFramework/Http/Dispatcher.php\",\"line\":230,\"function\":\"download\",\"class\":\"OCA\\\\Settings\\\\Controller\\\\LogSettingsController\",\"type\":\"->\"},{\"file\":\"/nix/store/83pvq28y7nzbpdhcgi4kmx2q66xkbxp3-nextcloud-26.0.10/lib/private/AppFramework/Http/Dispatcher.php\",\"line\":137,\"function\":\"executeController\",\"class\":\"OC\\\\AppFramework\\\\Http\\\\Dispatcher\",\"type\":\"->\"},{\"file\":\"/nix/store/83pvq28y7nzbpdhcgi4kmx2q66xkbxp3-nextcloud-26.0.10/lib/private/AppFramework/App.php\",\"line\":183,\"function\":\"dispatch\",\"class\":\"OC\\\\AppFramework\\\\Http\\\\Dispatcher\",\"type\":\"->\"},{\"file\":\"/nix/store/83pvq28y7nzbpdhcgi4kmx2q66xkbxp3-nextcloud-26.0.10/lib/private/Route/Router.php\",\"line\":315,\"function\":\"main\",\"class\":\"OC\\\\AppFramework\\\\App\",\"type\":\"::\"},{\"file\":\"/nix/store/83pvq28y7nzbpdhcgi4kmx2q66xkbxp3-nextcloud-26.0.10/lib/base.php\",\"line\":1062,\"function\":\"match\",\"class\":\"OC\\\\Route\\\\Router\",\"type\":\"->\"},{\"file\":\"/nix/store/83pvq28y7nzbpdhcgi4kmx2q66xkbxp3-nextcloud-26.0.10/index.php\",\"line\":38,\"function\":\"handleRequest\",\"class\":\"OC\",\"type\":\"::\"}],\"File\":\"/nix/store/83pvq28y7nzbpdhcgi4kmx2q66xkbxp3-nextcloud-26.0.10/lib/private/Log.php\",\"Line\":403,\"CustomMessage\":\"Exception thrown: RuntimeException\"}","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0","version":"26.0.10.1"}

The corresponding log messages on the client seem to be:

2024-01-09 21:59:01:276 [ info nextcloud.gui.account.state /build/source/src/gui/accountstate.cpp:271 ]:	check connectivity
2024-01-09 21:59:01:276 [ info nextcloud.gui.account.state /build/source/src/gui/accountstate.cpp:566 ]:	Skipping server availibility check for account "turion" with state 2
2024-01-09 21:59:03:276 [ info nextcloud.gui.folder.manager /build/source/src/gui/folderman.cpp:958 ]:	Etag poll timer timeout
2024-01-09 21:59:03:276 [ info nextcloud.gui.folder.manager /build/source/src/gui/folderman.cpp:962 ]:	Folders to sync: 1
2024-01-09 21:59:03:276 [ info nextcloud.gui.folder.manager /build/source/src/gui/folderman.cpp:972 ]:	Number of folders that don't use push notifications: 1
2024-01-09 21:59:03:276 [ info nextcloud.gui.folder.manager /build/source/src/gui/folderman.cpp:989 ]:	Run etag job on folder OCC::Folder(0x56188068d790)
2024-01-09 21:59:03:276 [ info nextcloud.gui.folder /build/source/src/gui/folder.cpp:329 ]:	Trying to check "https://nextcloud.manuelbaerenz.de/remote.php/dav/files/turion/" for changes via ETag check. (time since last sync: 2998 s)
2024-01-09 21:59:03:277 [ info nextcloud.sync.accessmanager /build/source/src/libsync/accessmanager.cpp:78 ]:	6 "PROPFIND" "https://nextcloud.manuelbaerenz.de/remote.php/dav/files/turion/" has X-Request-ID "5ca55889-1f73-4e9d-9440-37798d4f5a09"
2024-01-09 21:59:03:277 [ info nextcloud.sync.networkjob /build/source/src/libsync/abstractnetworkjob.cpp:363 ]:	OCC::RequestEtagJob created for "https://nextcloud.manuelbaerenz.de" + "/" "OCC::Folder"
2024-01-09 21:59:04:309 [ info nextcloud.sync.credentials.webflow /build/source/src/gui/creds/webflowcredentials.cpp:406 ]:	request finished
2024-01-09 21:59:04:310 [ warning nextcloud.sync.networkjob /build/source/src/libsync/abstractnetworkjob.cpp:221 ]:	QNetworkReply::AuthenticationRequiredError "Der Host verlangt eine Authentifizierung" QVariant(int, 401)
2024-01-09 21:59:04:310 [ warning nextcloud.sync.credentials.webflow /build/source/src/gui/creds/webflowcredentials.cpp:208 ]:	QNetworkReply::AuthenticationRequiredError
2024-01-09 21:59:04:310 [ warning nextcloud.sync.credentials.webflow /build/source/src/gui/creds/webflowcredentials.cpp:209 ]:	"Der Host verlangt eine Authentifizierung"
2024-01-09 21:59:04:311 [ info nextcloud.gui.account.manager /build/source/src/gui/accountmanager.cpp:349 ]:	Saving  0  unknown certs.
2024-01-09 21:59:04:311 [ info nextcloud.gui.account.manager /build/source/src/gui/accountmanager.cpp:364 ]:	Saving cookies. "/home/turion/.config/Nextcloud/cookies0.db"
2024-01-09 21:59:04:321 [ info nextcloud.gui.account.manager /build/source/src/gui/accountmanager.cpp:349 ]:	Saving  0  unknown certs.
2024-01-09 21:59:04:321 [ info nextcloud.gui.account.manager /build/source/src/gui/accountmanager.cpp:364 ]:	Saving cookies. "/home/turion/.config/Nextcloud/cookies0.db"
2024-01-09 21:59:04:331 [ info nextcloud.gui.account.state /build/source/src/gui/accountstate.cpp:113 ]:	AccountState state change:  "Verbunden" -> "Abgemeldet"
2024-01-09 21:59:04:336 [ info nextcloud.gui.folder.manager /build/source/src/gui/folderman.cpp:806 ]:	Account "turion@nextcloud.manuelbaerenz.de" disconnected or paused, terminating or descheduling sync folders
2024-01-09 21:59:04:336 [ info nextcloud.gui.account.state /build/source/src/gui/accountstate.cpp:437 ]:	Invalid credentials for "https://nextcloud.manuelbaerenz.de" checking for remote wipe request
2024-01-09 21:59:04:336 [ info nextcloud.gui.folder.manager /build/source/src/gui/folderman.cpp:806 ]:	Account "turion@nextcloud.manuelbaerenz.de" disconnected or paused, terminating or descheduling sync folders
2024-01-09 21:59:04:337 [ info nextcloud.sync.networkjob.etag /build/source/src/libsync/networkjobs.cpp:100 ]:	Request Etag of QUrl("https://nextcloud.manuelbaerenz.de/remote.php/dav/files/turion/") FINISHED WITH STATUS "AuthenticationRequiredError Der Host verlangt eine Authentifizierung"
2024-01-09 21:59:04:354 [ info nextcloud.sync.account /build/source/src/libsync/account.cpp:839 ]:	appPassword deleted from keychain
2024-01-09 21:59:04:679 [ warning nextcloud.gui.remotewipe /build/source/src/gui/remotewipe.cpp:82 ]:	"There was an error accessing the 'token' endpoint: <br><em>Error transferring https://nextcloud.manuelbaerenz.de/index.php/core/wipe/check - server replied: Not Found</em>"

I am having the same issue, seeing the same lines in my logfile.
Server is Ubuntu
Client is Nextcloud desktop App on 2 x OSX

Is there a fix / response to this issue?


Not yet, I still experience it. Maybe we should open a Github ticket.

What proxy are you using? Make sure you’re not overly aggressively caching assets on your proxy. This will cause problems with sessions/cookies.

The output of your Nextcloud log in Admin > Logging: This feature is unusable because it throws a RuntimeException when I try to download the log that way. (And reading it in the browser is infeasible, I can’t sort it to start with the newest entries.)

The newest entries are shown first. Your provided config suggests you’re using syslog not file-based logging so the built-in logreader app isn’t intended for your use case. In older versions of logreader (I believe the one bundled with v26), if it shows anything at all, it’s likely picking up some orphaned log files from before you reconfigured your instance to use syslog. That’s also likely why you’re seeing old entries not new ones.

P.S. The loglevel value should not be a string.

I’ve disabled proxies on the client, still the issue returns.

Oh interesting, will a string not work? (Because then every NixOS user has a wrong config :wink: )

Not the proxy in the client; your reverse proxy. Looks like you’re likely using Nginx, but not sure what else you have in front (you have trusted_proxies configured).

Oh interesting, will a string not work? (Because then every NixOS user has a wrong config :wink: )

Well PHP will do its best to cast it to an integer. It won’t error when parsing it. Whether it’ll be the one the user expects or not, well, that depends.

@treken What’s in front of your Nextcloud Server? Are you using a reverse proxy? Can you share more details about your environment/setup?

Ah I see, yes, Nginx as a reverse proxy which used to work in the past.

Is it stock Nginx or something like Nginx Proxy Manager/etc?

Are you doing any caching on it? Can you share the config entry for the proxy piece that connects to Nextcloud?

Hi jtr, thanks for asking.

My Nextcloud is pretty much vanilla out of the box Ubuntu
Web server is Apache2
No proxy or anything in front.
Server is on cloud hosting
Client “No Proxy”

I run the Nextcloud client app on multiple OSX desktop machines and also on my Android phone (CalyxOS). The machines are at 3 different addresses and these are pretty much identical as I work from these 3 locations. Nextcloud gives me access to all my data.

Today these entries appeared in the logfile, the last 2 IPs appeared as I was typing this.

I am using the same account on each machine (makes sense to me to do so).
I am presently using the device at the second IP. The first is one of my ‘other’ sites. And so while typing this I got the same message for the third site.

The log entries are:

{"reqId":"39p910xhnW8cVCTINy7p","level":2,"time":"2024-02-12T23:14:40+00:00","remoteAddr":"60.242.17.90","user":"trevor","app":"core","method":"OPTIONS","url":"/remote.php/dav/principals/users/trevor/","message":"Session token credentials are invalid","userAgent":"macOS/14.1.1 (23B81) dataaccessd/1.0","version":"28.0.2.5","data":{"app":"core","user":"null"}}

{"reqId":"VkIgN9xZw7oSGJKNEuPO","level":2,"time":"2024-02-12T23:23:47+00:00","remoteAddr":"210.10.213.126","user":"trevor","app":"core","method":"OPTIONS","url":"/remote.php/dav/principals/users/trevor/","message":"Login failed: 'trevor@webarena.com.au' (Remote IP: '210.10.213.126')","userAgent":"macOS/14.2.1 (23C71) dataaccessd/1.0","version":"28.0.2.5","data":{"app":"core"}}

{"reqId":"VkIgN9xZw7oSGJKNEuPO","level":2,"time":"2024-02-12T23:23:47+00:00","remoteAddr":"210.10.213.126","user":"trevor","app":"core","method":"OPTIONS","url":"/remote.php/dav/principals/users/trevor/","message":"Session token credentials are invalid","userAgent":"macOS/14.2.1 (23C71) dataaccessd/1.0","version":"28.0.2.5","data":{"app":"core","user":"null"}}

{"reqId":"rVZ6DyAABsoZa7DktVjO","level":2,"time":"2024-02-12T23:25:40+00:00","remoteAddr":"115.64.56.208","user":"trevor","app":"core","method":"OPTIONS","url":"/remote.php/dav/principals/users/trevor/","message":"Login failed: 'trevor@webarena.com.au' (Remote IP: '115.64.56.208')","userAgent":"macOS/14.1.2 (23B92) dataaccessd/1.0","version":"28.0.2.5","data":{"app":"core"}}

{"reqId":"rVZ6DyAABsoZa7DktVjO","level":2,"time":"2024-02-12T23:25:40+00:00","remoteAddr":"115.64.56.208","user":"trevor","app":"core","method":"OPTIONS","url":"/remote.php/dav/principals/users/trevor/","message":"Session token credentials are invalid","userAgent":"macOS/14.1.2 (23B92) dataaccessd/1.0","version":"28.0.2.5","data":{"app":"core","user":"null"}}

For me I think it is stock nginx as well. I hope this is the relevant part of the config:

        server {
                listen 0.0.0.0:443 http2 ssl ;
                listen [::0]:443 http2 ssl ;
                server_name nextcloud.manuelbaerenz.de ;
                # Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
                # We use ^~ here, so that we don't check any regexes (which could
                # otherwise easily override this intended match accidentally).
                location ^~ /.well-known/acme-challenge/ {
                        root /var/lib/acme/acme-challenge;
                        auth_basic off;
                }
                root /nix/store/k4qyz65b0xzkradkxf7sh18dvvyy492i-nextcloud-27.1.5;
                ssl_certificate /var/lib/acme/nextcloud.manuelbaerenz.de/fullchain.pem;
                ssl_certificate_key /var/lib/acme/nextcloud.manuelbaerenz.de/key.pem;
                ssl_trusted_certificate /var/lib/acme/nextcloud.manuelbaerenz.de/chain.pem;
                location = / {
                        if ( $http_user_agent ~ ^DavClnt ) {
                                return 302 /remote.php/webdav/$is_args$args;
                        }
                }
                location = /robots.txt {
                        allow all;
                        access_log off;
                }
                location ~ ^/nix-apps {
                        root /var/lib/nextcloud;
                }
                location ~ ^/store-apps {
                        root /var/lib/nextcloud;
                }
                location ^~ /.well-known {
                        absolute_redirect off;
                        location = /.well-known/carddav {
                                return 301 /remote.php/dav;
                        }
                        location = /.well-known/caldav {
                                return 301 /remote.php/dav;
                        }
                        location ~ ^/\.well-known/(?!acme-challenge|pki-validation) {
                                return 301 /index.php$request_uri;
                        }
                        try_files $uri $uri/ =404;
                }
                location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[s]-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) {
                        include /nix/store/xsvnmmg3dhl1il9zn41iyz5si44dgdrf-nginx-1.24.0/conf/fastcgi.conf;
                        fastcgi_split_path_info ^(.+?\.php)(\\/.*)$;
                        set $path_info $fastcgi_path_info;
                        try_files $fastcgi_script_name =404;
                        fastcgi_param PATH_INFO $path_info;
                        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                        fastcgi_param HTTPS on;
                        fastcgi_param modHeadersAvailable true;
                        fastcgi_param front_controller_active true;
                        fastcgi_pass unix:/run/phpfpm/nextcloud.sock;
                        fastcgi_intercept_errors on;
                        fastcgi_request_buffering off;
                        fastcgi_read_timeout 120s;
                }
                location / {
                        rewrite ^ /index.php;
                }
                location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
                        try_files $uri /index.php$request_uri;
                        expires 6M;
                        access_log off;
                }
                location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ {
                        try_files $uri /index.php$request_uri;
                        access_log off;
                }
                location ~ ^/(?:\.(?!well-known)|autotest|occ|issue|indie|db_|console) {
                        return 404;
                }
                location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) {
                        return 404;
                }
                location ~ ^\/(?:updater|ocs-provider)(?:$|\/) {
                        try_files $uri/ =404;
                        index index.php;
                }
                index index.php index.html /index.php$request_uri;
                add_header X-Content-Type-Options nosniff;
                add_header X-XSS-Protection "1; mode=block";
                add_header X-Robots-Tag "noindex, nofollow";
                add_header X-Download-Options noopen;
                add_header X-Permitted-Cross-Domain-Policies none;
                add_header X-Frame-Options sameorigin;
                add_header Referrer-Policy no-referrer;
                add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
                client_max_body_size 10G;
                fastcgi_buffers 64 4K;
                fastcgi_hide_header X-Powered-By;
                gzip on;
                gzip_vary on;
                gzip_comp_level 4;
                gzip_min_length 256;
                gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
                gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
                access_log syslog:server=unix:/dev/log;
                fastcgi_request_buffering off;
                proxy_max_temp_file_size 10000m;
        }

Coincidentally, I discovered systemd to be in a bad state yesterday and hard rebooted the machine. The issue hasn’t returned so far! Maybe it is some kind of long lived state that can be gotten rid of with rebooting or restarting?

I’m on a brand new installation, and I’m facing the same. This error message (“Session token credentials are invalid”) is always preceded by a “Login failed” message:

{"reqId":"nJ9R2Oou6YFlbITLwQej","level":2,"time":"2024-02-24T11:18:20+00:00","remoteAddr":"84.214.145.66","user":"ltning","app":"core","method":"GET","url":"/ocs/v2.php/apps/notifications/api/v2/notifications","message":"Login failed: 'ltning' (Remote IP: '84.214.145.66')","userAgent":"Mozilla/5.0 (X11; FreeBSD amd64; rv:122.0) Gecko/20100101 Firefox/122.0","version":"28.0.2.5","data":{"app":"core"}}
{"reqId":"nJ9R2Oou6YFlbITLwQej","level":2,"time":"2024-02-24T11:18:20+00:00","remoteAddr":"84.214.145.66","user":"ltning","app":"core","method":"GET","url":"/ocs/v2.php/apps/notifications/api/v2/notifications","message":"Session token credentials are invalid","userAgent":"Mozilla/5.0 (X11; FreeBSD amd64; rv:122.0) Gecko/20100101 Firefox/122.0","version":"28.0.2.5","data":{"app":"core","user":"null"}}

It makes no sense to me. Session timeout settings are left at their default values. I’m using the IMAP external auth plugin, but I can reproduce this even when it is disabled.

Any ideas?
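
The pairing described in the post above (a "Login failed" entry and a "Session token credentials are invalid" entry sharing one reqId) can be checked across a whole log and counted per client. This is an added example, not part of the original thread or of Nextcloud; the function names are hypothetical, the log lines are constructed using the field names of the entries quoted in this thread, and the syslog prefix format is an assumption.

```python
import json
from collections import Counter

TOKEN_MSG = "Session token credentials are invalid"
LOGIN_PREFIX = "Login failed"


def _entry(req_id, time, addr, user, message, agent):
    """Build one constructed log line with the field names seen in this thread."""
    return json.dumps({"reqId": req_id, "level": 2, "time": time, "remoteAddr": addr,
                       "user": user, "app": "core", "message": message, "userAgent": agent})


# Constructed sample: made-up users, request ids and RFC 5737 addresses.
_ALICE = ("203.0.113.10", "alice")
_SYSLOG = "Feb 24 11:48:31 host Nextcloud[4242]: "  # assumed prefix for log_type syslog
SAMPLE_LOG = "\n".join([
    _entry("req-0001", "2024-02-24T11:18:20+00:00", *_ALICE,
           "Login failed: 'alice' (Remote IP: '203.0.113.10')", "mirall/3.10.1git"),
    _entry("req-0001", "2024-02-24T11:18:20+00:00", *_ALICE, TOKEN_MSG, "mirall/3.10.1git"),
    _SYSLOG + _entry("req-0002", "2024-02-24T11:48:31+00:00", *_ALICE,
                     "Login failed: 'alice' (Remote IP: '203.0.113.10')", "mirall/3.10.1git"),
    _SYSLOG + _entry("req-0002", "2024-02-24T11:48:31+00:00", *_ALICE, TOKEN_MSG, "mirall/3.10.1git"),
    _entry("req-0003", "2024-02-24T11:50:02+00:00", "198.51.100.7", "bob",
           "Login failed: 'bob' (Remote IP: '198.51.100.7')", "curl/8.5.0"),
    # Redacted or empty reqId: must not be merged with other empty-reqId entries.
    _entry("", "2024-02-24T11:55:40+00:00", *_ALICE, TOKEN_MSG, "DAVx5/4.3"),
    '{"reqId":"req-0005","level":2,"time":"2024-02-24T12:0',  # line cut off mid-entry
])


def parse_entries(text):
    """Return (entries, skipped). JSON is taken from the first '{' so a syslog
    prefix is tolerated; wrapped or truncated lines are counted, not fatal."""
    entries, skipped = [], 0
    for line in text.splitlines():
        start = line.find("{")
        if start < 0:
            skipped += bool(line.strip())
            continue
        try:
            entries.append(json.loads(line[start:]))
        except json.JSONDecodeError:
            skipped += 1
    return entries, skipped


def correlate(entries):
    """Group the two auth messages by reqId and classify each request."""
    groups = {}
    for i, e in enumerate(entries):
        msg = e.get("message")
        if not isinstance(msg, str) or not (msg == TOKEN_MSG or msg.startswith(LOGIN_PREFIX)):
            continue
        key = e.get("reqId") or f"no-reqid-{i}"
        groups.setdefault(key, []).append(e)
    result = {"paired": [], "login_failed_only": [], "token_only": []}
    for key, group in groups.items():
        has_token = any(e["message"] == TOKEN_MSG for e in group)
        has_login = any(e["message"].startswith(LOGIN_PREFIX) for e in group)
        kind = "paired" if has_token and has_login else "token_only" if has_token else "login_failed_only"
        first = group[0]
        result[kind].append((key, first.get("time"), first.get("user"),
                             first.get("remoteAddr"), first.get("userAgent")))
    return result


def per_client(result, kind="paired"):
    """Count requests of one kind per (user, remoteAddr, userAgent)."""
    return Counter((user, addr, agent) for _, _, user, addr, agent in result[kind])


if __name__ == "__main__":
    parsed, skipped = parse_entries(SAMPLE_LOG)
    outcome = correlate(parsed)
    print(f"{len(parsed)} entries parsed, {skipped} skipped")
    for client, count in per_client(outcome).items():
        print(count, "paired token rejections from", client)
    print("login failures without a token message:", outcome["login_failed_only"])
```

Entries with only "Login failed" are reported separately so they are not counted as part of the disconnect pattern.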

Does rebooting help?

@ltning You’ll need to provide more details about your installation/environment if you want help. :slight_smile:

@turion Glad it’s working for you again. Your config is not an exact match for the Nextcloud example Nginx config. I see a few oddities in your config:

  • caches assets explicitly using expires
  • lacks cache-control / cache busting handling
  • lacks mjs asset handling
  • several different location handlers, but I don’t have time to deeply analyze all the differences and impact

At least the first two can cause authentication/session problems. There is a reason they’re handled the way they are in the recommended Nginx config. So you may want to review why your configuration is different and make sure it’s for a good reason (and doesn’t have any side effects).
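
The first three differences listed in the reply above (explicit expires, no Cache-Control header, no mjs handling) can be checked mechanically against an Nginx config. This is an added example, not part of the thread and not code from Nextcloud or NixOS; the function names are hypothetical, WEAK copies two location blocks from the config posted earlier in this thread, and REVISED is a constructed variant, not Nextcloud's documented configuration.

```python
import re

LOCATION_RE = re.compile(r"\blocation\s+([^{;]+?)\s*\{")

# Two location blocks as posted earlier in this thread.
WEAK = r"""
server {
    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
        try_files $uri /index.php$request_uri;
        expires 6M;
        access_log off;
    }
    location / {
        rewrite ^ /index.php;
    }
}
"""

# Constructed variant for comparison (header value is illustrative).
REVISED = r"""
server {
    location ~ \.(?:css|js|mjs|woff2?|svg|gif|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        access_log off;
    }
    location / {
        rewrite ^ /index.php;
    }
}
"""


def location_blocks(conf):
    """Yield (modifier, pattern, body) for every location block, nested ones too.
    Assumes no '#' inside values and no braces inside location patterns."""
    conf = re.sub(r"#[^\n]*", "", conf)
    for m in LOCATION_RE.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        parts = m.group(1).split(None, 1)
        modifier, pattern = (parts[0], parts[1]) if len(parts) == 2 else ("", parts[0])
        yield modifier, pattern.strip(), conf[m.end():i - 1]


def regex_matches(modifier, pattern, path):
    """True if a regex location (~ or ~*) would match the request path."""
    if modifier not in ("~", "~*"):
        return False
    try:
        return re.search(pattern, path, re.I if modifier == "~*" else 0) is not None
    except re.error:
        return False  # PCRE construct that Python's re cannot compile


def audit_asset_caching(conf):
    """Report the asset-caching differences named in the reply above."""
    findings = []
    blocks = list(location_blocks(conf))
    for modifier, pattern, body in blocks:
        if not regex_matches(modifier, pattern, "/core/css/server.css"):
            continue
        if re.search(r"^\s*expires\s", body, re.M):
            findings.append(f"expires in asset location: {pattern}")
        if not re.search(r"^\s*add_header\s+Cache-Control\b", body, re.M | re.I):
            findings.append(f"no Cache-Control header in asset location: {pattern}")
    if not any(regex_matches(m, p, "/core/js/app.mjs") for m, p, _ in blocks):
        findings.append("no regex location matches .mjs assets")
    return findings


if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("REVISED", REVISED)):
        print(name, audit_asset_caching(conf) or "no findings")
```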

Thanks, that’s very insightful! I believe these were more or less the recommended settings 4 years ago, which are still rolled out with every vanilla Nextcloud installation on NixOS. Probably the NixOS defaults haven’t been updated sufficiently. It’s entirely possible that this is the root cause, although I’d be surprised if no other NixOS Nextcloud had the same problem. Once it occurs again I’ll investigate whether these differences may in fact cause it.