Users Randomly Logged Out – Session Errors and HMAC Mismatch on Nextcloud 31.0.5 Docker

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • 31.0.5
  • Operating system and version (e.g., Ubuntu 24.04):
    • Debian 12
  • Web server and version (e.g, Apache 2.4.25):
    • Apache 2.4.62
  • Reverse proxy and version (e.g. nginx 1.27.2):
    • Nginx Proxy Manager v2.12.3
  • PHP version (e.g, 8.3):
    • 8.3.21
  • Is this the first time you’ve seen this error? (Yes / No):
    • Yes
  • When did this problem seem to first start?
    • One month ago when I installed this new instance
  • Installation method (e.g. AlO, NCP, Bare Metal/Archive, etc.)
    • Docker
  • Are you using CloudfIare, mod_security, or similar? (Yes / No)
    • No

Summary of the issue you are facing:

I have just stood up my Nextcloud instance using Docker Compose (version 31.0.5.1). Everything seems to work at first, but after logging in, I get repeatedly and seemingly at random kicked out of my session several times a day. This happens for every user account I’ve created—multiple users experience the same behavior. When any user tries to log back in immediately, they receive a “Session Error.” They have to refresh the page multiple times before finally logging back in. Even then, sometimes they’re immediately logged out again and must clear their browser cache to restore normal operation; other times, it starts working again without any cache-clearing. Notably, sessions in the Android apps remain stable and are never logged out.

What I have tried so far:

  • Cleared the Redis cache completely, but the session drop issue persisted.
  • Manually deleted all active sessions for several user accounts and had them log in again, yet they still experienced the same random session errors.

Relevant log excerpts that I believe are related:

{"reqId":"IYk62zak7bob66NQxupW","level":3,"time":"2025-05-27T07:24:11+00:00","remoteAddr":"94.183.153.122","user":"--","app":"no app in context","method":"REPORT","url":"/remote.php/dav/files/majan/","message":"Could not decrypt or decode encrypted session data","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0","version":"31.0.5.1","exception":{"Exception":"Exception","Message":"HMAC does not match.","Code":0,"Trace":[{"file":"/var/www/html/lib/private/Security/Crypto.php","line":98,"function":"decryptWithoutSecret","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/lib/private/Session/CryptoSessionData.php","line":70,"function":"decrypt","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/lib/private/Session/CryptoSessionData.php","line":47,"function":"initializeSession","class":"OC\\Session\\CryptoSessionData","type":"->","args":[]},{"file":"/var/www/html/lib/private/Session/CryptoWrapper.php","line":94,"function":"__construct","class":"OC\\Session\\CryptoSessionData","type":"->","args":[{"__class__":"OC\\Session\\Internal"},{"__class__":"OC\\Security\\Crypto"},"*** sensitive parameters replaced ***"]},{"file":"/var/www/html/lib/base.php","line":415,"function":"wrapSession","class":"OC\\Session\\CryptoWrapper","type":"->","args":[{"__class__":"OC\\Session\\Internal"}]},{"file":"/var/www/html/lib/base.php","line":687,"function":"initSession","class":"OC","type":"::","args":[]},{"file":"/var/www/html/lib/base.php","line":1171,"function":"init","class":"OC","type":"::","args":[]},{"file":"/var/www/html/remote.php","line":91,"args":["/var/www/html/lib/base.php"],"function":"require_once"}],"File":"/var/www/html/lib/private/Security/Crypto.php","Line":162,"message":"Could not decrypt or decode encrypted session data","exception":[],"CustomMessage":"Could not decrypt or decode encrypted session data"},"id":"68380727aa98f"}
{"reqId":"D7PGk1RgJHmaPfwHSpuX","level":2,"time":"2025-05-29T03:27:05+00:00","remoteAddr":"37.129.162.200","user":"--","app":"core","method":"GET","url":"/index.php/avatar/majan/42?","message":"Login failed: 'majan' (Remote IP: '37.129.162.200')","userAgent":"Mozilla/5.0 (Android) Nextcloud-android/3.31.1","version":"31.0.5.1","data":{"app":"core"},"id":"68380727aa2f4"}

Steps to replicate it (hint: details matter!):

  1. Deploy Nextcloud 31.0.5.1 via Docker Compose with default session and Redis configuration.
  2. Create multiple user accounts.
  3. Log in to the web interface as any of the created users.
  4. Use Nextcloud normally (browse Files, open apps). After some time or after navigating around, you will be logged out and see a “Session Error.”
  5. Attempt to log back in: you may have to refresh the login page 2–3 times before it accepts your credentials again. In some cases you will immediately be logged out again and must clear your browser cache to restore a stable session.

Log entries

Nextcloud

https://bin.hirad.it/nhRvGpc3

Configuration

Nextcloud

https://bin.hirad.it/c8SOCFRU

Apps

https://bin.hirad.it/9aiLBuGn

Docker Compose

Nextcloud

https://bin.hirad.it/ffFhmMtl

Nginx Proxy Manager

https://bin.hirad.it/649PZ7zO

Nginx Proxy Manager Config


Disable NPM’s Cache Assets. It’s not designed for this use-case and will cause this behavior.

1 Like