Trusted device option does not work
Unlik opened this issue · 4 comments
Hello. I have implemented 2FA without any trouble, just following the installation steps. I used Google auth, Symfony 4.3.*. But the trusted device option does not work for me. I use the option in scheb_two_factor.yaml:
    trusted_device:
        enabled: true
plus the other cookie settings. Then I get a checkbox to store the trusted device in a browser cookie, but no cookie is created. I have tried several combinations of settings in the trusted_device section, but with no success: 2FA is always required.
Is there any other information I can provide?
When you post the authentication code including the trusted device checkbox, this if statement must evaluate to true:
And then you must end up in this line:
Finally, this if statement must be true to set the cookie on the response.
Could you please check how far you reach?
Hello Christian.
I am able to reach everything you suggested, up to where the setCookie statement is called, but no cookie appears in the browser.
The cookie looks like:
TrustedCookieResponseListener.php on line 86:
Cookie {#638
  #name: "trusted_device"
  #value: "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1NzAyODU2OTIsImV4cCI6MTU3NTQ2OTY5MiwidXNyIjoicGV0ckB0b2lzbC5jeiIsImZ3bCI6Im1haW4iLCJ2c24iOjB9.pKOto37rqQSOj7wZHt…"
  #domain: ".mim"
  #expire: 1575469692
  #path: "/"
  #secure: false
  #httpOnly: true
  -raw: false
  -sameSite: "lax"
  -secureDefault: false
}
Hello Christian,
I do not know why, but the problem was with the domain name; in my case it must not start with a dot. Without a dot as prefix in the domain name the cookie is set fine, with the dot it is not. But I have no idea why.
Is .mim your domain in the development environment? Then I can tell you what the issue is. The cookie domain with the preceding dot (to make it available to all sub-domains) only works on second-level domains, such as .example.org, or lower. Otherwise you could set a cookie for an entire top-level domain, for example .com, and every .com domain would have access to your cookie. Browsers reject such a cookie for obvious reasons.
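The rejection described in the reply above is the user agent's cookie-domain validation. The following is an added example written for this thread, not code from scheb/two-factor-bundle, Symfony or any browser: a small model of how a Set-Cookie Domain attribute is checked, following RFC 6265 (section 5.2.3 for canonicalizing the attribute, 5.1.3 for domain-matching and 5.3 for the public-suffix rule). The public-suffix list inside it is a constructed subset of the real list at publicsuffix.org, kept for illustration only; the function names are this example's own. Real browsers implement the same rules with some variations, so treat the output as the RFC baseline rather than a prediction of any single browser.

```javascript
// Added example: user-agent-side validation of a cookie's Domain attribute,
// modelled on RFC 6265. Not code from the two-factor bundle or Symfony.

// Constructed subset of the Public Suffix List (assumption for illustration).
// The real list also has a default "*" rule: a single label that matches no
// explicit rule is treated as a public suffix. That is why a made-up
// development TLD such as "mim" counts as one.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk", "github.io"]);

function isPublicSuffix(domain) {
  if (PUBLIC_SUFFIXES.has(domain)) return true;
  return !domain.includes("."); // PSL default "*" rule for unknown bare labels
}

// RFC 6265 section 5.2.3: lowercase the value and drop a single leading dot.
// ".example.org" and "example.org" therefore mean the same thing to the UA.
function canonicalizeDomainAttribute(value) {
  const v = value.trim().toLowerCase();
  return v.startsWith(".") ? v.slice(1) : v;
}

function isIpv4(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// RFC 6265 section 5.1.3: host domain-matches domain if they are identical, or
// host ends with domain, the preceding character is ".", and host is not an IP.
function domainMatches(host, domain) {
  if (host === domain) return true;
  return (
    host.endsWith(domain) &&
    host[host.length - domain.length - 1] === "." &&
    !isIpv4(host)
  );
}

// RFC 6265 section 5.3, steps 4 to 7, applied to the Domain attribute.
// Returns { accepted, domain, hostOnly, reason }.
function evaluateCookieDomain(requestHost, domainAttribute) {
  const host = requestHost.toLowerCase();
  let domain =
    domainAttribute === undefined ? "" : canonicalizeDomainAttribute(domainAttribute);

  if (domain !== "" && isPublicSuffix(domain)) {
    if (domain === host) {
      domain = ""; // identical to the request host: fall back to a host-only cookie
    } else {
      return { accepted: false, domain: null, hostOnly: null,
        reason: `"${domain}" is a public suffix; cookie ignored` };
    }
  }
  if (domain === "") {
    return { accepted: true, domain: host, hostOnly: true,
      reason: "no usable Domain attribute; stored as host-only cookie" };
  }
  if (!domainMatches(host, domain)) {
    return { accepted: false, domain: null, hostOnly: null,
      reason: `${host} does not domain-match ${domain}; cookie ignored` };
  }
  return { accepted: true, domain, hostOnly: false, reason: "Domain attribute accepted" };
}

// Constructed sample inputs: request host paired with the Domain attribute sent.
const SAMPLE_CASES = [
  ["app.example.org", ".example.org"], // second-level domain: fine
  ["www.example.com", ".com"],         // whole TLD: rejected
  ["app.mim", ".mim"],                 // made-up dev TLD: treated as public suffix
  ["mim", ".mim"],                     // same label as host: host-only fallback
  ["app.example.org", "other.org"],    // unrelated domain: rejected
  ["app.example.org", undefined],      // no Domain attribute: host-only
];

function main() {
  for (const [host, attr] of SAMPLE_CASES) {
    const r = evaluateCookieDomain(host, attr);
    console.log(
      `${host.padEnd(16)} Domain=${String(attr).padEnd(13)} -> ` +
      `${r.accepted ? "accepted" : "REJECTED"} (${r.reason})`
    );
  }
}
main();
```

The practical rule for a development host like the one in this thread follows from the public-suffix step: a Domain attribute naming a bare label (or any public suffix) is either dropped to a host-only cookie or discarded outright, so the safe choices are to omit the domain setting entirely (host-only cookie) or to use a registrable domain such as example.org. Note that the RFC strips the leading dot before comparison, so "example.org" and ".example.org" are equivalent to a conforming user agent; the difference the reporter observed is down to the browser's handling of the single-label ".mim" case, which the model above treats per the RFC's host-only fallback.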