From 45758769788c8ce877967c115822f8699009ba7d Mon Sep 17 00:00:00 2001
From: "Simon L."
Date: Mon, 16 Mar 2026 11:54:10 +0100
Subject: [PATCH] fix(initializeSession): only log HMAC problem to critical logs if indeed critical

Signed-off-by: Simon L.
---
 lib/private/Security/Crypto.php | 2 +-
 lib/private/Session/CryptoSessionData.php | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/lib/private/Security/Crypto.php b/lib/private/Security/Crypto.php
index 39ce5e89aebcb..7bbeec9e291cc 100644
--- a/lib/private/Security/Crypto.php
+++ b/lib/private/Security/Crypto.php
@@ -159,7 +159,7 @@ private function decryptWithoutSecret(string $authenticatedCiphertext, string $p
 }
 } else {
 if (!hash_equals($this->calculateHMAC($parts[0] . $parts[1], $hmacKey), $hmac)) {
- throw new Exception('HMAC does not match.');
+ throw new \RuntimeException('HMAC does not match.');
 }
 }
diff --git a/lib/private/Session/CryptoSessionData.php b/lib/private/Session/CryptoSessionData.php
index 323253af534c7..5c461cd796067 100644
--- a/lib/private/Session/CryptoSessionData.php
+++ b/lib/private/Session/CryptoSessionData.php
@@ -72,6 +72,15 @@ protected function initializeSession() {
 512,
 JSON_THROW_ON_ERROR,
 );
+ } catch (\RuntimeException $e) {
+ // Even though this might be critical in general, we are automatically trying again and will likely succeed.
+ // We only log to info to not spam the logs with a well-known problem the admin cannot do anything about.
+ // See https://github.com/nextcloud/server/issues/42157
+ logger('core')->info('Could not decrypt or decode encrypted session data', [
+ 'exception' => $e,
+ ]);
+ $this->sessionValues = [];
+ $this->regenerateId(true, false);
 } catch (\Exception $e) {
 logger('core')->critical('Could not decrypt or decode encrypted session data', [
 'exception' => $e,
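Review bot: The HMAC failure is now signalled with the generic `\RuntimeException`, and the new `catch (\RuntimeException $e)` in CryptoSessionData.php keys on that type, so any other RuntimeException raised inside that try block would be downgraded to info as well. A dedicated subclass thrown only at this check (for example a new `HmacMismatchException extends \RuntimeException`, name illustrative) would let the session code match exactly the known case. The `}` just above `} else {` closes a sibling branch that lies outside this hunk; if it performs the same comparison it presumably still throws the plain `Exception` and would keep logging as critical, so both branches are worth changing together. decryptWithoutSecret starts and ends outside the hunk, and any `@throws` documentation on it should name the new type.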
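Review bot: An HMAC mismatch on the session blob is also what a modified session payload would produce, and the new branch records it only at info, so an installation logging at warning or above keeps no trace of an integrity failure. The handling itself looks contained, since `$this->sessionValues = [];` discards the data and `regenerateId(true, false)` is called; the gap is visibility for whoever monitors the logs. I would either log at `warning` or extend the comment to state the trade-off, e.g. `// Integrity failures are deliberately logged at info here; the session data is discarded, so a modified payload is never used.` The `catch (\Exception $e)` block that follows runs past the end of the hunk, so whether it resets the session the same way cannot be checked from here.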