login explicitly

core/Controller/LoginController.php

@@ -190,6 +190,9 @@ class LoginController extends Controller {
 			$args = !is_null($user) ? ['user' => $user] : [];
 			return new RedirectResponse($this->urlGenerator->linkToRoute('core.login.showLoginForm', $args));
 		}
+		// TODO: remove password checks from above and let the user session handle failures
+		// requires https://github.com/owncloud/core/pull/24616
+		$this->userSession->login($user, $password);
 		$this->userSession->createSessionToken($this->request, $loginResult->getUID(), $password);
 
 		if ($this->twoFactorManager->isTwoFactorAuthenticated($loginResult)) {

lib/private/Setup.php

@@ -371,6 +371,7 @@ class Setup {
 			$userSession = \OC::$server->getUserSession();
 			$defaultTokenProvider = \OC::$server->query('OC\Authentication\Token\DefaultTokenProvider');
 			$userSession->setTokenProvider($defaultTokenProvider);
+			$userSession->login($username, $password);
 			$userSession->createSessionToken($request, $username, $password);
 
 			//guess what this does

lib/private/User/Session.php

@@ -397,16 +397,13 @@ class Session implements IUserSession, Emitter {
 			return false;
 		}
 		$name = isset($request->server['HTTP_USER_AGENT']) ? $request->server['HTTP_USER_AGENT'] : 'unknown browser';
-		$loggedIn = $this->login($uid, $password);
-		if ($loggedIn) {
 		try {
 			$sessionId = $this->session->getId();
 			$this->tokenProvider->generateToken($sessionId, $uid, $password, $name);
 		} catch (SessionNotAvailableException $ex) {
 
 		}
-		}
-		return $loggedIn;
+		return true;
 	}
 
 	/**