Stolen session token (possible in nextcloud)

someone checked the LTT (linus media group) youtube channel hack

the stolen session token

has some one checked this ?

How Easy Are Session Tokens To Copy & How Do You Defend?

is this possible in NC ?

to prevent adding these to config.php should work

‘session_lifetime’ => 60 * 60 * 3,
‘auto_logout’ => true,
‘remember_login_cookie_lifetime’ => 60 * 60 * 24 * 1,
‘token_auth_activity_update’ => 60,
‘’ => true,

i run into some funny things:

Forum Link: Config.php loosing entries

besides not kicking users out …

and missing an admin (gui or cli) feature to kick / logoff all sessions of one user / or all ? Command line, not wipe of one device.

see Forum Post here.
Forum Post: Get a simple list off all active users connected to nextcloud

anyone here in the same spot,
or am i missing a well hidden feature.

br NP

None of this is really new. The greatest danger comes from the client. Virtually everything can be read on the client from malware/key logger. What may surprise some is that 2FA does not always help with a malware attack, because after logging in with 2FA, the session also depends only on tokens and no longer on 2FA. As with internet banking, you would have to hedge each transaction individually with 2FA. That is not the case in Nextcloud.

What can be done now? You can correctly logoff from sessions. For my case, I have all cookies deleted in the browser when I close the browser. Also, you have to understand that 2FA does not help against all attack scenarios. Use a good virus scanner or an operating system with less malware. E.g. the biggest malware ever Emotet was only implemented for Windows. :wink: Linux or macOS was the best virus protection here.

I don’t think much of adjusting the configuration. It doesn’t solve the problem. Maybe it mitigates it a little.


This is the part where it has to be open for individual enhancement based on different user needs.
Many use Nextcloud exclusively on LAN, other uses it with federation excusively, and yet others have more rigid security requirements. Fortunately Nextcloud STANDARD configs and OPTIONS makes is versatile enough to fullfill most needs. However for the very security rigid organisations, I would assume per default, that Nextcloud is placed behind a WAF. If not, then I would say that adding full WAF feature set into Nextcloud, is a huge effort, with very little value.

I do get what you are writing, but I do not think there is a need for more Nextcloud enhancements, as mitigations to most risks, is achieveable in the middleware with standard modules and tweaks.

Some believe that a Nextcloud that is purely local such as http://192.168.0.x or https://onlylocalaccess.mycomplany.tld would eliminate the problem. This is exactly not the case. When attacked via malware, the client is remotely controlled, the local Nextcloud is read, and the data is exfiltrated via the Internet. Or do the users not have Internet access?

And a Web Application Firewall also does not help or at least not in all cases. You can test if E2EE or the app Secrets still works. Than e.g. the data can be stolen, too. Also the malware can crypt the data that WAF can not analyse it and WAF must allow or deny. Mostly allow i think. :wink:

Solution: You must separate intranet and internet on the desktop. I don’t know anyone who does that.


I do not disagree. Let me rephrase it: The effort of caking it in to nextcloud itself, is not worth it, considering what is achieveable on the middleware layer using Open Source products and modules.

1 Like

Unfortunately, I have not yet understood what you think could be achieved like WAF. Do you think that e.g. SSL Inspection solves the problem pointed out by the thread starter? Do you think that then no more tokens can be transferred to the Internet to use them? You can ask vendors if WAF software can do that at all. I think they only use blacklists and maybe they can find known malware in the normally encrypted ssl data. In the case of targeted attacks, all this is pointless.

No. However moving the authentication and federation to a waf with security gateway capabilities, you moves mitigation to that level, as that one acts as and replaces your reverse proxy, but build for purpose to protect scenarios also like that.

@ devnull

i dont care if it is really new or not
as a matter of fact the only way to prevent not the attac but the damage
is a simple and fast way to kill the sessions (on klick for all users, and force them to ra auth, cuz in the middle of the night u don know jack)

you are wrong about just “Maybe it mitigates it a little.”

this gonna help you a lot if shit hits the fan !
you save time, but still you are not able to kick them (the bad guys) out and force them to reauth

‘session_lifetime’ => 60 * 60 * 3,
‘auto_logout’ => true,
‘remember_login_cookie_lifetime’ => 60 * 60 * 24 * 1,
‘token_auth_activity_update’ => 60,
‘’ => true,

sadly as you see in my other posts this is not gonna work,
at least here on my config / box … gonna look a little more into it

see the LTT hack, the client was not controlled,thy got a copy of the session tokens from th browser,
so the 2FAand passwords were never breached

the main problem and thats the case here with nextcloud too
there is no way to force a user or all to reauth with their credentials
by killing revoking their tokens as admin. thats the issue

the config options are only a way do reduce stress or attack surface

@ kerasit
no one is cacking something into NC
there are options here and seems that they are not working as expected
some say user experience over security (which is not realy true here cuz the attac is kind of special)

dont get me worng
but a WAF des not get you anywhere near the protection you need against these kind of attack
but thats another topic …

no you dont !
totally different ballgame.

what you are talking about is a fully IDS IPS system with
inspecting ssl traffic and scanning everything in / out including every attachment that comes in an goes out

yeah its doable

and oh boy some of the back office users who gets a ton of mails and attachements every day still got hit by stuff

the only way is to put these workstations in a DMZ (old school)
have fun supporting your users and keep the collaboration effort and user expe high …
spoiler not gonna work

so bottom line, you have to set some usere experience limiting settings on NC to minimize the surface for an attack like this

and spoiler
if shit hits the fan
as an admin you will be missing the feature to force all users to reauth with their credentials and kill or revoke their tokens
(and yeah this will be fun when 2FA enabled for all the plugins and devices auth via token)

br NP

Well I have loads of experiences with Broadcom SiteMinder. This tool is utilizing apache tomcat reverse proxies with a plugin and that one then handles all this for you through the SiteMinder policy servers.
Apache Traffic has plugins to be able to do most of the same. However is it “easy” to configure? No. But is the effort worth spended to try and build a solution guide for using that instead? Probably.
Actually I think you might be able to solve this with Gluu as well. Move the authentication and authorization from Nextcloud to Gluu. This one has these additional security settings buildin, and because Gluu as acting as a reverse proxy (yes you will have to terminate your TLS on Gluu and not in NC webserver) it is all about how you sete up your infrastructure. Just ensure that no clients reaches Nextcloud directly, but is forced to go through the Reverse Proxy (like Gluu or Apache Traffic) to reach the Nextcloud instance.

Yes. I agree the 2FA was never breached. But the password can be stolen on client side if needed.

Yes. Maybe it is possible to add it to Nextcloud. Very good idea.

Yes. It treats the symptom and not the cause.

WAF software:
I think that SSL interspection does not work at the latest when the data within TLS is encrypted again. As an attacker, i would always do this (communication to the Command-and-Control-Server). This can be tested with test viruses within e.g. Can WAF find the virus transported from your client through WAF to the internet and back to your client?

this is so cool that you got a ton of experience with WAF
but this is an NC issue to be crystal clear its


its not about how to prevent it
its all about

A) how to minimize the attack surface
B) get a faster response when it already has happened
C) give your admins the proper tools to deal with it


dont get me wrong
we can dicuss this at a firewall froum as u like

br np

Forget the WAF statement as a stand alone. I apologize. I have never used a WAF which is just and only a WAF. The tools I have worked with had WAF AND Secure Reverse Proxies. My bad.

Any terminating link in your infrastructure, can be mitigating an attack like this. As I said: Move session management and authentication and authorization (including) from Nextcloud to an entity in front build for purpose, like Gluu.

No. I got a ton of experience building secure authentication, authorization and governance of web trafic. This includes WAF, session management, reacting to suspecious patterns and likely session and token attacks.

Yes that is a good idea. Finally it would be useful if the session id is only valid for the special client so you can’t just use the session key on another device. Maybe that is the question for Nextcloud. But of course this does not solve the malware and therefore remote control problem direct on the client. Nothing helps. Also not 2FA after authentication.

Correct. Malware can and will always be able to initiate “legit” connections, as it is coming from a trusted client. However tools like Gluu has excactly the features the OP is asking for, as it can terminate and kickout - even block specific sessions by the admin interface. However why should Nextcloud start implementing mitigations from attacks, which comes from a trusted source? Malware needs to be caugth by your end point protection on your devices, or your coorporate ATP or SIEM. Only other solution is to never trust any source at all. That can work, but how many of the community users would then stop using Nextcloud because it becomes very hard and complex to ensure family and friends can login without annoying checks and constant nagging?

so folks and now we are talkin sharp.

Finally it would be useful if the session id is only valid for the special client so you can’t just use the session key on another device.

session key = session token ?? ( for me not clear)

we are not trying to slove malware attacks … (no way not here)


However tools like Gluu has excactly the features the OP is asking for, as it can terminate and kickout - even block specific sessions by the admin interface.

let me get clear ths is not an attack ! (stolen session token)
the attack happend before (not gonna solve this in nc)

the problem is the config options auto log out / session time out and on and on seems not to work

and the sollution for an admin to kill all sessions loged in is not avail.

get away from the idea of protecting something to happen

the need is to force all active sessions to reauth with their credentials

and the other need for an admin is to see a list of all users loged in with their origin IP (as a bonus with info from GEO IP)

i kinda like the idea of gluu but for a small company usin NC
a kind of overkill and of course for all the private users out there too slef hosting a NC

However the only tool out there - free and community backed - which solves it all neatly, is wso2. However that one is a beast in terms of resources.

But killing a session in Nextcloud will never be an option. If ever using Federation to login to nextcloud, it will never work. You would have to add CASB features, so Nextcloud has an API which can also tell the IDP, that this user needs re-authentication.

This is why I started with the “is it worth the effort compared to other possible solutions”

so you see therefore we should use NC
the features are already there (see config parameters)
see lists shown in the webIf of users or admin
but not for all users

and the admin is not able to force them to reauth
like with xen orchestra (as shown in the video)

for me here even auto logout is not working on 25.0.5 … see my other posts
(worst i loose config entries in config.php not knowing why cuz logs are clean)

so gonna look into it