This repository has been archived by the owner on Dec 2, 2021. It is now read-only.
Description
Once prepareAuthentication() is called for the first time, the firewall/provider combination is recorded under the 2fa_called_providers session key; however, it is never removed after a successful authentication.
If you log out and back in, the 2FA form is displayed but no code is generated/sent out because prepareAuthentication() is not called again due to the presence of the 2fa_called_providers session value from the previous login.
Is the intention for the user to re-use the previous auth code?
Additional Context
I'm using a custom provider, but I don't think that makes any difference. From what I can see, the TwoFactorProviderPreparationRecorder class contains methods for checking if a provider is prepared and recording that a provider is prepared, but nothing for "un-preparing" them.
Are you sure about this? To my knowledge, when you log out, the session is terminated. So you start with a fresh new session, that therefore doesn't have the session attribute set.
Ah hah, I have invalidate_session set to false in my firewall config. I'll have to investigate why we have it set like this. I can add a logout event subscriber to unset the value if I need to…
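An added example, not part of the original thread or the bundle's own code: a Symfony 3.4 logout handler that drops the `2fa_called_providers` session key, for firewalls that keep `invalidate_session: false`. The class name, namespace and service id are hypothetical; the session key is the one named in the issue, and the handler removes it whole because the thread does not show how the value is structured.

```php
<?php

namespace AppBundle\Security; // hypothetical namespace

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Http\Logout\LogoutHandlerInterface;

/**
 * Clears the 2FA preparation record at logout so that the next login
 * triggers prepareAuthentication() again and a fresh code is issued.
 *
 * Only needed when the firewall sets "invalidate_session: false";
 * otherwise the whole session is discarded at logout.
 *
 * Registration (security.yml, service id is hypothetical):
 *
 *   firewalls:
 *       main:
 *           logout:
 *               invalidate_session: false
 *               handlers: [app.security.clear_2fa_preparation]
 */
class ClearTwoFactorPreparationHandler implements LogoutHandlerInterface
{
    // Session key named in the issue description.
    const SESSION_KEY = '2fa_called_providers';

    public function logout(Request $request, Response $response, TokenInterface $token)
    {
        // A logout request may arrive without a session attached;
        // there is nothing to clear in that case.
        if (!$request->hasSession()) {
            return;
        }

        // Remove the recorded firewall/provider combinations so no
        // authentication state from the previous login survives.
        $request->getSession()->remove(self::SESSION_KEY);
    }
}
```

Leaving `invalidate_session` at its default of `true` makes the handler unnecessary, since the whole session, including this key, is discarded at logout.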
Bundle version: 4.18.1
Symfony version: 3.4.43