Stolen session token (possible in nextcloud)

hospital get well soon or best wishes to the ones u r visiting !

test
user-reggi added to talk-APP on iphone with token

started active call with users
disabled user-reggi during the call

user-reggi lost connection within 5 seconds
as a matter of fact he was also not able to log in on the webIF either (as we all know;)

the account on the iphone talk-app was gone

after enabling user-reggi again

i typed in the original token for the talk iphone-app
and guess what … it worked (can I say that I reused / recycled the token)

if it is possible to steal the token from an app (even if it is possible), this will bring you some other bigger problems after enabling the user again

(cuz deactivating a user seems to kill the session token for the webIF)

the solution we are talking about (disable / enable a user)
will get the stolen session token of the webInterface of NC solved (as far as we know of today)

BUT brings another issue/problem for the admin and the user: all of the devices and apps per device (mobile / tab / chromebook / android / iOS whatever) you have added to the user via token (the only way after enabling 2FA) have to be set up again because the information is gone (after disable / enable a user). As a matter of fact u can reuse the original token (as we tested here a couple of minutes ago) to set up the account for the app again. (if you stored the QR code in your documentation too it will not be that pain in the ass typing that token on a mobile device)

BUT is that the way to do it ? reuse a token after you executed a part of an emergency procedure ?

Therefore I was talking all the way down this post … active user / session / where they come from / active now / last within the session_lifetime / force to reauth …

to kick bad actors out of the system and force them to reauth with the credentials and 2FA

If we are going deep dive to do this on SQL console (killing sessions from the session store) we should go and only kill webInterface sessions, and let all other sessions (eg talk-app on iPhone) untouched. This will get us pretty close to a doable solution (what do u think)

and hopefully someone will tell us that a token used to auth the app can not be stolen, and we can ignore that …

NP
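An added example (mine, not from the post above and not Nextcloud's own tooling) of the "only kill webInterface sessions" idea from a SQL console. It assumes MariaDB/MySQL syntax, the default `oc_` table prefix and Nextcloud's `oc_authtoken` table, where as I understand the schema `type` 0 marks a temporary browser-session token and 1 an app password (the Talk app token); the user id `reggi` and the 24h session_lifetime are placeholders, so check all of that against your own instance before running the DELETE.

```sql
-- Added example, not from the post. Assumes the default oc_ prefix and the
-- oc_authtoken schema (type 0 = temporary/browser session, type 1 = app
-- password); verify against your instance first. 'reggi' is a placeholder uid.

-- 1) Inventory: which tokens exist for the user, what kind, where they come
--    from (name holds the user agent for browser sessions, the app name for
--    app passwords) and when they were last seen.
SELECT id, uid, login_name, name, type, last_activity,
       FROM_UNIXTIME(last_activity) AS last_seen
FROM oc_authtoken
WHERE uid = 'reggi'
ORDER BY last_activity DESC;

-- 2) Browser sessions still "active" within the session_lifetime
--    (placeholder: 86400 s = 24h).
SELECT id, name, FROM_UNIXTIME(last_activity) AS last_seen
FROM oc_authtoken
WHERE uid = 'reggi'
  AND type = 0
  AND last_activity > UNIX_TIMESTAMP() - 86400;

-- 3) Kick only the web interface sessions. App tokens (type = 1) stay
--    intact, so the Talk app on the phone keeps working and does not have
--    to be set up again; the user has to re-auth in the browser with
--    credentials and 2FA.
DELETE FROM oc_authtoken
WHERE uid = 'reggi'
  AND type = 0;
```

Run the two SELECTs first and compare them with what the user's device list in the security settings shows, so you know which rows the DELETE will remove before it removes them.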