Login loop in google chrome and using subdomain

Steps to reproduce

  1. Navigate via Chrome to https://cloud.example.de
  2. Log in with correct credentials

Expected behaviour

The login succeeds and I get to my files.

Actual behaviour

The web page reloads without any warning or error. Only the URL has changed, from https://cloud.example.de/index.php/login to https://cloud.example.de/index.php/login?redirect_url=%252Findex.php%252Fapps%252Ffiles%252F, and I am prompted to log in again.

If I use Firefox, this problem does not occur. I have already tried clearing the cache and cookies.

However, when I use the URL https://example.de/owncloud, I don’t have any issues with Chrome. See the vhost config at the bottom.

Server configuration

Operating system: Debian 10

Web server: Apache/2.4.38

Database: 10.3.27-MariaDB-0+deb10u1 Debian 10

PHP version: PHP 7.3.27-1~deb10u1

ownCloud version: (see ownCloud admin page) 10.7.0.4

Updated from an older ownCloud or fresh install: Fresh install

Where did you install ownCloud from: Original sources (no apt package)

Signing status (ownCloud 9.0 and above): No errors have been found.

The content of config/config.php:

https://pastebin.com/KSakkGF4

List of activated apps:

https://pastebin.com/zLtRgDJt

Are you using external storage, if yes which one: No

Are you using encryption: yes

Are you using an external user-backend, if yes which one: No

Client configuration

Browser: Google Chrome Version 91.0.4472.77 (Official Build) (64-bit)

Operating system: Windows 10

Logs

Web server error log

[Mon Jun 07 15:12:29.081996 2021] [ssl:warn] [pid 13097] AH01909: 127.0.0.1:443:0 server certificate does NOT include an ID which matches the server name
[Mon Jun 07 15:12:29.185169 2021] [ssl:warn] [pid 13098] AH01909: 127.0.0.1:443:0 server certificate does NOT include an ID which matches the server name
[Mon Jun 07 15:12:29.191612 2021] [mpm_prefork:notice] [pid 13098] AH00163: Apache/2.4.38 (Debian) OpenSSL/1.1.1d configured -- resuming normal operations
[Mon Jun 07 15:12:29.191665 2021] [core:notice] [pid 13098] AH00094: Command line: '/usr/sbin/apache2'
[Mon Jun 07 16:01:26.392560 2021] [mpm_prefork:notice] [pid 13098] AH00169: caught SIGTERM, shutting down
[Mon Jun 07 16:01:26.502306 2021] [ssl:warn] [pid 13454] AH01909: 127.0.0.1:443:0 server certificate does NOT include an ID which matches the server name
[Mon Jun 07 16:01:26.602136 2021] [ssl:warn] [pid 13455] AH01909: 127.0.0.1:443:0 server certificate does NOT include an ID which matches the server name
[Mon Jun 07 16:01:26.608672 2021] [mpm_prefork:notice] [pid 13455] AH00163: Apache/2.4.38 (Debian) OpenSSL/1.1.1d configured -- resuming normal operations
[Mon Jun 07 16:01:26.608732 2021] [core:notice] [pid 13455] AH00094: Command line: '/usr/sbin/apache2'
[Mon Jun 07 16:25:40.331635 2021] [mpm_prefork:notice] [pid 13455] AH00169: caught SIGTERM, shutting down
[Mon Jun 07 16:25:40.437770 2021] [ssl:warn] [pid 14042] AH01909: 127.0.0.1:443:0 server certificate does NOT include an ID which matches the server name
[Mon Jun 07 16:25:40.540968 2021] [ssl:warn] [pid 14044] AH01909: 127.0.0.1:443:0 server certificate does NOT include an ID which matches the server name
[Mon Jun 07 16:25:40.547175 2021] [mpm_prefork:notice] [pid 14044] AH00163: Apache/2.4.38 (Debian) OpenSSL/1.1.1d configured -- resuming normal operations
[Mon Jun 07 16:25:40.547226 2021] [core:notice] [pid 14044] AH00094: Command line: '/usr/sbin/apache2'
[Mon Jun 07 16:28:32.020254 2021] [mpm_prefork:notice] [pid 14044] AH00169: caught SIGTERM, shutting down
[Mon Jun 07 16:28:32.118025 2021] [ssl:warn] [pid 14089] AH01909: 127.0.0.1:443:0 server certificate does NOT include an ID which matches the server name
[Mon Jun 07 16:28:32.213198 2021] [ssl:warn] [pid 14090] AH01909: 127.0.0.1:443:0 server certificate does NOT include an ID which matches the server name
[Mon Jun 07 16:28:32.220638 2021] [mpm_prefork:notice] [pid 14090] AH00163: Apache/2.4.38 (Debian) OpenSSL/1.1.1d configured -- resuming normal operations
[Mon Jun 07 16:28:32.220682 2021] [core:notice] [pid 14090] AH00094: Command line: '/usr/sbin/apache2'
[Mon Jun 07 16:40:43.964676 2021] [mpm_prefork:notice] [pid 14090] AH00169: caught SIGTERM, shutting down
[Mon Jun 07 16:40:44.063677 2021] [ssl:warn] [pid 14250] AH01909: 127.0.0.1:443:0 server certificate does NOT include an ID which matches the server name
[Mon Jun 07 16:40:44.155973 2021] [ssl:warn] [pid 14252] AH01909: 127.0.0.1:443:0 server certificate does NOT include an ID which matches the server name
[Mon Jun 07 16:40:44.162249 2021] [mpm_prefork:notice] [pid 14252] AH00163: Apache/2.4.38 (Debian) OpenSSL/1.1.1d configured -- resuming normal operations
[Mon Jun 07 16:40:44.162286 2021] [core:notice] [pid 14252] AH00094: Command line: '/usr/sbin/apache2'
[Mon Jun 07 17:08:14.973740 2021] [authz_core:error] [pid 14256] [client ***REMOVED***:1032] AH01630: client denied by server configuration: /var/www/owncloud/data/htaccesstest.txt
[Mon Jun 07 17:10:34.457405 2021] [authz_core:error] [pid 14346] [client ***REMOVED***:1028] AH01630: client denied by server configuration: /var/www/owncloud/data/htaccesstest.txt

ownCloud log (data/owncloud.log)

{"reqId":"L0gev0ah9G99ayB2zsqn","level":3,"time":"2021-06-01T13:30:46+00:00","remoteAddr":"***myclient***","user":"--","app":"PHP","method":"POST","url":"\/owncloud\/index.php","message":"Undefined index: dbconnectionstring at \/var\/www\/owncloud\/lib\/private\/Setup\/AbstractDatabase.php#82"}
{"reqId":"L0gev0ah9G99ayB2zsqn","level":3,"time":"2021-06-01T13:30:46+00:00","remoteAddr":"***myclient***","user":"--","app":"mysql.setup","method":"POST","url":"\/owncloud\/index.php","message":"Specific user creation failed: An exception occurred while executing 'SELECT user FROM mysql.user WHERE user=?' with params [\"oc_jkleefeld\"]:\n\nSQLSTATE[42000]: Syntax error or access violation: 1142 SELECT command denied to user 'owncloud'@'localhost' for table 'user'"}
{"reqId":"oD7JoPEQHy5UclE9nMOX","level":2,"time":"2021-06-01T20:49:51+00:00","remoteAddr":"***myclient***","user":"jkleefeld","app":"files_antivirus","method":"PUT","url":"\/owncloud\/remote.php\/dav\/files\/jkleefeld\/eicar_com.zip","message":"Infected file deleted. Win.Test.EICAR_HDB-1 Account: jkleefeld Path: files\/eicar_com.zip.ocTransferId1080783043.part"}
{"reqId":"oD7JoPEQHy5UclE9nMOX","level":2,"time":"2021-06-01T20:49:51+00:00","remoteAddr":"***myclient***","user":"jkleefeld","app":"core","method":"PUT","url":"\/owncloud\/remote.php\/dav\/files\/jkleefeld\/eicar_com.zip","message":"ignoring lock release with type 1 for files\/ba11e692cb6efdb72726036db22e84fc. Lock hasn't been acquired before"}
{"reqId":"7e91e573-be0e-4555-a2c0-255ce0616608","level":2,"time":"2021-06-07T12:10:04+00:00","remoteAddr":"***REMOVED***","user":"--","app":"core","method":"PROPFIND","url":"\/remote.php\/dav\/files\/jan.kleefeld\/","message":"Login failed: 'jan.kleefeld' (Remote IP: '***REMOVED***')"}
{"reqId":"7d0bed04-aeaa-4d4f-8657-40579a7c18b3","level":2,"time":"2021-06-07T12:11:23+00:00","remoteAddr":"***REMOVED***","user":"--","app":"core","method":"PROPFIND","url":"\/owncloud\/remote.php\/webdav\/","message":"Login failed: 'Jan.Kleefeld' (Remote IP: '***REMOVED***')"}

Browser log

a) The javascript console log: https://www.bilder-upload.eu/upload/05bd3c-1623081260.png

b) The network log https://www.bilder-upload.eu/upload/773189-1623081296.png

Apache vHosts

/sites-enabled/owncloud.conf
<VirtualHost *:80>

    ServerName cloud.example.de
    ServerAdmin webmaster@example.de

    DocumentRoot /var/www/owncloud/

    RewriteEngine On
    RewriteCond %{HTTPS} off
    # ^/? strips the leading slash of the request path so the redirect
    # target does not become https://cloud.example.de//index.php/...
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

    <Directory /var/www/owncloud/>
        Options +FollowSymlinks
        AllowOverride All

        <IfModule mod_dav.c>
            Dav off
        </IfModule>

        SetEnv HOME /var/www/owncloud
        SetEnv HTTP_HOME /var/www/owncloud
    </Directory>

</VirtualHost>

<VirtualHost *:443>
    ServerName cloud.example.de
    ServerAdmin webmaster@example.de

    DocumentRoot /var/www/owncloud/

    ## Custom config {
    SSLProtocol -ALL +TLSv1.2 +TLSv1.3
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

    ##}

    <Directory /var/www/owncloud/>
        Options +FollowSymlinks
        AllowOverride All

        <IfModule mod_dav.c>
            Dav off
        </IfModule>

        SetEnv HOME /var/www/owncloud
        SetEnv HTTP_HOME /var/www/owncloud
    </Directory>

</VirtualHost>
/sites-enabled/000-default.conf
<VirtualHost *:80>

	ServerName example.de
	ServerAdmin webmaster@example.de
	
	DocumentRoot /var/www/
	
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>
/sites-enabled/default-ssl.conf
<IfModule mod_ssl.c>
	<VirtualHost *:443>
	
		ServerName example.de
		ServerAdmin webmaster@example.de

		DocumentRoot /var/www/

		ErrorLog ${APACHE_LOG_DIR}/error.log
		CustomLog ${APACHE_LOG_DIR}/access.log combined

		SSLEngine on
		SSLCertificateFile	/etc/letsencrypt/live/example.de/cert.pem
		SSLCertificateKeyFile /etc/letsencrypt/live/example.de/privkey.pem
		SSLCertificateChainFile /etc/letsencrypt/live/example.de/fullchain.pem
		SSLProtocol -ALL +TLSv1.2 +TLSv1.3
		SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM 		
		
		Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

		<FilesMatch "\.(cgi|shtml|phtml|php)$">
				SSLOptions +StdEnvVars
		</FilesMatch>
		<Directory /usr/lib/cgi-bin>
				SSLOptions +StdEnvVars
		</Directory>

	</VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Thank you in advance.

I have found a workaround: turn off chrome://flags/#schemeful-same-site.
But that is not recommended, and this is a security feature. See:

“One of the main reasons for the change to SameSite=Lax as the default for cookies was to protect against Cross-Site Request Forgery (CSRF). However, insecure HTTP traffic still presents an opportunity for network attackers to tamper with cookies that will then be used on the secure HTTPS version of the site. Creating this additional cross-site boundary between schemes provides further defense against these attacks.” - https://web.dev/schemeful-samesite/?utm_source=devtools

But why is this a problem? My web server is fully accessible via HTTPS (TLSv1.3). Does that mean I have to disable port 80? I think this is not ideal, because I want users to just browse to the URL and get automatically forwarded to HTTPS if needed…

edit:

It’s me again. The following settings in config/config.php did the trick:

'forcessl' => true,
'forceSSLforSubdomains' => true,
'overwriteprotocol' => 'https',

Maybe some of you run into the same issue; here is one possible solution.
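To make the schemeful same-site paragraph and the config.php fix above concrete, here is an added Python example (not code from the original post, from Chrome, or from ownCloud). It classifies the URLs from this thread under the old scheme-less same-site rule and under Chrome's schemeful rule, and audits constructed Set-Cookie headers for the attributes (Secure, SameSite, HttpOnly) that decide whether a session cookie survives the http:// to https:// boundary. The function names, the cookie names and header strings, and the simplified "last two labels" registrable-domain rule are all assumptions of this example; real browsers use the Public Suffix List.

```python
"""Schemeful same-site classification and Set-Cookie audit.

Added example for this thread; not part of the original post, Chrome
or ownCloud. It shows why http://cloud.example.de and
https://cloud.example.de count as different sites under Chrome's
schemeful same-site rule, and which cookie attributes a login
response should carry so the session is kept after the redirect.
"""
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Approximate the eTLD+1 ("site") of a host.

    Assumption for this example: the last two labels form the
    registrable domain. Browsers consult the Public Suffix List, so
    a host like 'foo.co.uk' would be classified wrongly here.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def site_key(url: str, schemeful: bool) -> tuple:
    """Site identity of a URL: (domain,) or (scheme, domain) if schemeful."""
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError(f"URL has no host: {url!r}")
    domain = registrable_domain(parts.hostname)
    return (parts.scheme.lower(), domain) if schemeful else (domain,)


def same_site(url_a: str, url_b: str, schemeful: bool = True) -> bool:
    """True if both URLs belong to the same site under the chosen rule."""
    return site_key(url_a, schemeful) == site_key(url_b, schemeful)


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into name, value and attributes."""
    name_value, *attrs = (p.strip() for p in header.split(";"))
    name, _, value = name_value.partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "secure": False, "httponly": False, "samesite": None}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "samesite":
            cookie["samesite"] = val.strip().lower()
    return cookie


def cookie_findings(header: str) -> list:
    """List attribute problems that make a session cookie fragile
    across the http:// -> https:// boundary (empty list means fine)."""
    c = parse_set_cookie(header)
    findings = []
    if not c["secure"]:
        findings.append("missing Secure: cookie is also sent over plain http")
    if c["samesite"] is None:
        findings.append("no SameSite attribute: Chrome treats it as Lax")
    elif c["samesite"] == "none" and not c["secure"]:
        findings.append("SameSite=None without Secure: Chrome rejects the cookie")
    if not c["httponly"]:
        findings.append("missing HttpOnly: readable from page scripts")
    return findings


def demo() -> dict:
    """Apply both checks to the URLs from the thread and to constructed
    cookie headers (the cookie name 'sessionid' is made up here)."""
    plain = "http://cloud.example.de/index.php/login"
    tls = "https://cloud.example.de/index.php/login"
    path_install = "https://example.de/owncloud"
    weak = "sessionid=abc123; Path=/; HttpOnly"
    hardened = "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"
    return {
        "legacy_same_site": same_site(plain, tls, schemeful=False),
        "schemeful_same_site": same_site(plain, tls, schemeful=True),
        "subdomain_vs_path_install": same_site(tls, path_install),
        "weak_cookie": cookie_findings(weak),
        "hardened_cookie": cookie_findings(hardened),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The script makes the thread's observation visible: under the legacy rule the http:// and https:// URLs of cloud.example.de are one site, under the schemeful rule they are two, while https://cloud.example.de and https://example.de/owncloud remain same-site. Forcing HTTPS on the ownCloud side (the config.php keys from the post) keeps every login-related request on a single scheme, which is what the cookie audit rewards with an empty findings list.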