The user is able to bypass the TOTP page just by refreshing the page.
Issue:
The variable 'lastverified' is intended to track the time when the user last successfully verified the TOTP code. However, in the current code, 'lastverified' is set as soon as the user lands on the authentication page, which appears to be incorrect. 'lastverified' should only be set when the TOTP is successfully matched and verified. As a workaround, I have moved the code to set 'lastverified' within the authenticate.php file, under the section where the TOTP code is matched.
if ($code === $_REQUEST['code']) {
    $now = time();
    // Moved here from the page-load path: record the verification time only
    // after the submitted code has matched.
    $session->setData(
        '\SimpleSAML\Module\simpletotp',
        'lastverified',
        $now,
        Session::DATA_TIMEOUT_SESSION_END
    );
    ProcessingChain::resumeProcessing($state);
} else {
    $displayed_error = "You have entered the incorrect TOTP token.";
}
This needs to be fixed ASAP.
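The refresh bypass described in this issue, modelled as an added Python example (not the simpletotp module's own PHP code). It assumes, as the report implies, that the module skips the TOTP prompt when a `lastverified` timestamp exists and is recent; the `VERIFY_WINDOW` constant, the `Session` dict and the two handler functions are constructed for the illustration. `handle_vulnerable` records `lastverified` as soon as the form is rendered, so a second request with no code at all is treated as verified; `handle_fixed` records it only after the submitted code matches. The `totp` helper is a plain RFC 6238 / RFC 4226 computation so the example runs offline.

```python
"""Model of the 'lastverified set on page load' bug and its fix.
Constructed example; not SimpleSAMLphp or simpletotp code."""
import hashlib
import hmac
import struct

# Assumption for the model: how long a previous successful verification
# is honoured before the user is prompted again.
VERIFY_WINDOW = 600


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


class Session(dict):
    """Stands in for $session->setData / getData (key -> value)."""


def already_verified(session: Session, now: int) -> bool:
    last = session.get("lastverified")
    return last is not None and now - last <= VERIFY_WINDOW


def code_matches(secret: bytes, now: int, code: str) -> bool:
    # Constant-time comparison of the submitted code with the expected one.
    return hmac.compare_digest(code.encode(), totp(secret, now).encode())


def handle_vulnerable(session: Session, secret: bytes, now: int, code=None) -> str:
    """Buggy flow: lastverified is written when the page is rendered.

    Returns one of 'resume', 'render_form', 'error'.
    """
    if already_verified(session, now):
        return "resume"
    session["lastverified"] = now  # BUG: recorded before any code was checked
    if code is None:
        return "render_form"       # first GET: show the TOTP form
    if code_matches(secret, now, code):
        return "resume"
    return "error"


def handle_fixed(session: Session, secret: bytes, now: int, code=None) -> str:
    """Fixed flow: lastverified is written only after a successful match."""
    if already_verified(session, now):
        return "resume"
    if code is None:
        return "render_form"
    if code_matches(secret, now, code):
        session["lastverified"] = now  # only reachable on a correct code
        return "resume"
    return "error"


def refresh_bypasses(handler, secret: bytes, now: int) -> bool:
    """Load the TOTP page, then simply reload it with no code submitted.
    True means the second request was let through without a TOTP."""
    session = Session()
    handler(session, secret, now)              # user lands on the page
    return handler(session, secret, now + 1) == "resume"   # user hits refresh


if __name__ == "__main__":
    SECRET = b"12345678901234567890"            # RFC 6238 test-vector secret
    T = 1_700_000_000                           # constructed timestamp
    print("vulnerable handler bypassed by refresh:", refresh_bypasses(handle_vulnerable, SECRET, T))
    print("fixed handler bypassed by refresh:    ", refresh_bypasses(handle_fixed, SECRET, T))
```

The important difference is not the comparison itself but where the session write sits: in the buggy flow the only thing standing between an attacker and `resume` is the `already_verified` check, and the first page load has already satisfied it.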