scheb/two-factor-bundle

Trusted device option does not work

Unlik opened this issue · 4 comments

Unlik commented

Hello. I have implemented 2FA without any troubles - just according to the installation steps. I used Google Authenticator, Symfony 4.3.*. But the trusted device option does not work for me. If I use the option in

scheb_two_factor.yaml:

    trusted_device:
        enabled: true

Plus other cookie settings. Then I get a checkbox to store a trusted device in the browser cookie. But no cookie is created. I have tried more combinations of settings in the trusted_device section but with no success. 2FA is always required.
Is there any other information I can provide?

scheb commented

When you post the authentication code including the trusted device checkbox, this if statement must evaluate to true:

https://github.com/scheb/two-factor-bundle/blob/master/Security/Http/Firewall/TwoFactorListener.php#L241-L243

And then you must end up in this line:

https://github.com/scheb/two-factor-bundle/blob/master/Security/TwoFactor/Trusted/TrustedDeviceManager.php#L32

Finally, this if statement must be true to set the cookie on the response.

https://github.com/scheb/two-factor-bundle/blob/master/Security/TwoFactor/Trusted/TrustedCookieResponseListener.php#L60

Could you please check how far you reach?

Unlik commented

Hello Christian.
I am able to reach everything you suggested, up to

https://github.com/scheb/two-factor-bundle/blob/master/Security/TwoFactor/Trusted/TrustedCookieResponseListener.php#L86

where the setCookie statement is called, but no cookie appears in the browser.

The cookie looks like:

TrustedCookieResponseListener.php on line 86:
Cookie^ {#638 ▼
#name: "trusted_device"
#value: "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1NzAyODU2OTIsImV4cCI6MTU3NTQ2OTY5MiwidXNyIjoicGV0ckB0b2lzbC5jeiIsImZ3bCI6Im1haW4iLCJ2c24iOjB9.pKOto37rqQSOj7wZHt ▶"
#domain: ".mim"
#expire: 1575469692
#path: "/"
#secure: false
#httpOnly: true
-raw: false
-sameSite: "lax"
-secureDefault: false
}

Unlik commented

Hello Christian,
I do not know why, but the problem was with the domain name; in my case it must not start with a dot. Without a dot as a prefix in the domain name the cookie is set correctly; with the dot it is not. But I have no idea why.

scheb commented

Is .mim your domain in the development environment? Then I can tell you what the issue is. The cookie domain with the preceding dot (to make it available to all sub-domains) only works on second level domains, such as .example.org, or lower. Otherwise you could set a cookie for an entire top level domain, for example .com, and every .com domain would have access to your cookie. Browsers reject such a cookie for obvious reasons.
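The rule the last comment describes is the Domain-attribute step of the cookie storage algorithm in RFC 6265 (section 5.3, step 6). The script below is an added illustration, not code from this issue or from the bundle: it strips the leading dot, checks that the request host domain-matches the attribute, and refuses a domain that is a public suffix. The public suffix set is a constructed subset (a real browser ships the full list), and single-label names such as `mim` are treated as public suffixes because the list's default rule treats unknown top-level names that way. How individual browsers handle a single-label development host like `mim` differs by browser and version, so that case follows the RFC text and should be read as such.

```python
"""Model of how a user agent applies a cookie's Domain attribute (RFC 6265 section 5.3).

Added example for the trusted_device cookie discussion; not the bundle's code.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed subset of the public suffix list. A real browser uses the full
# list; any single-label name is a public suffix under the list's "*" rule.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


@dataclass
class CookieDomainResult:
    stored: bool        # would the user agent keep the cookie at all?
    domain: str         # effective cookie domain (request host for host-only cookies)
    host_only: bool     # True when the cookie is sent to the exact host only
    reason: str = ""    # why a cookie was dropped or downgraded


def is_public_suffix(domain: str) -> bool:
    """Names on the (constructed) list and single labels count as public suffixes."""
    return domain in PUBLIC_SUFFIXES or "." not in domain


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match; both inputs are already lowercase."""
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def evaluate_cookie_domain(request_host: str, domain_attr: Optional[str]) -> CookieDomainResult:
    """Decide whether a cookie with the given Domain attribute is stored for request_host."""
    host = request_host.lower()

    # No Domain attribute: host-only cookie for the request host.
    if not domain_attr:
        return CookieDomainResult(True, host, True)

    # Step 6 of RFC 6265 5.3: a leading dot is ignored, comparison is case-insensitive.
    cookie_domain = domain_attr.lower().lstrip(".")

    # A public suffix may not be used as a domain cookie. If it equals the request
    # host exactly the cookie is downgraded to host-only, otherwise it is rejected.
    if is_public_suffix(cookie_domain):
        if cookie_domain == host:
            return CookieDomainResult(True, host, True,
                                      "public suffix equal to host: stored host-only")
        return CookieDomainResult(False, cookie_domain, False,
                                  "domain attribute is a public suffix")

    # The request host must lie inside the cookie domain.
    if not domain_matches(host, cookie_domain):
        return CookieDomainResult(False, cookie_domain, False,
                                  "request host does not domain-match the attribute")

    return CookieDomainResult(True, cookie_domain, False)


if __name__ == "__main__":
    # Constructed request hosts; ".mim" is the domain from the dumped cookie above.
    for host, attr in [("app.example.org", ".example.org"),
                       ("app.example.org", ".com"),
                       ("dev.mim", ".mim"),
                       ("mim", ".mim"),
                       ("mim", None)]:
        r = evaluate_cookie_domain(host, attr)
        print(f"{host:16} Domain={attr!s:14} stored={r.stored} host_only={r.host_only} {r.reason}")
```

The practical takeaway for the trusted_device setting is to leave the cookie domain unset (host-only cookie) unless the application really has to share the trusted-device token across sub-domains of a registrable domain such as example.org.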