XF 2.1 Not remembering two-step verification sessions

iGee

Member
Hello,

I have Cloudflare set up with my XenForo forum, with these settings enabled:

AutoMinify: HTML, CSS, Javascript
Rocket Loader: Enabled
Browser Cache TTL: 30 minutes
Security Level: Low
Cache Level: Ignore Query String

When a user logs in and passes the two-step verification process (and ticks trust for 30 days), then logs out and back in shortly after, it will prompt for two-step verification again.

Is there anything that could be affecting why XenForo isn't remembering the verification for 30 days?

Thanks for your help,
 

OperaManiac

Well-known member
I have Rocket Loader disabled (a lot of folks here have said that it causes problems with XenForo). I also have cache level set to standard (I believe it is a bad idea to ignore query string on XenForo, as XenForo seems to use it to update CSS and other stuff). Rest same. No problems here.
 

iGee

Member
I've just disabled rocket loader and changed my cache setting. But it's still doing it?

Is it because I've logged into one account with two factor enabled, then logged out and logged in with a different account with two factor enabled as well on the same PC? Does it only allow one IP per account for two factor verification? I don't see why that would be a problem though.
 

OperaManiac

Well-known member
I am guessing your cookies are completely overwritten when you log in with another user on the same browser? To check for an IP-specific thing, you can always do it on a second browser and see if that could be the reason. This is assuming you are doing it on the same browser!
 

iGee

Member
You're correct, it works when I use a different browser. It's weird that it overwrites my cookies. Do you know why this is?

I was using Google Chrome for both accounts, but using Chrome and Safari with the two different accounts works.
 

OperaManiac

Well-known member
Makes sense. It is going to use the same cookie parameters for all logins. So when you log in with user2, it would overwrite all the cookies created for user1, including those for 2FA. I assume it does not clean 2FA-specific cookies when you simply log out, which is why you don't have to do 2FA if you log out and log in within the 30-day period.

I am not sure if the 2FA settings of user1 would be preserved if user2 is not using 2FA.

----

Now that the issue is resolved, you might want to revert the Cloudflare settings, assuming Rocket Loader and the ignore query string setting were not causing issues for you!
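
The cookie behaviour described in the last reply, as an added example that is not part of the original thread and is not XenForo code: a small model in which the trust token lives under one cookie name per browser profile and the server binds each token to a single account. The cookie name `tfa_trust`, the `Server` class and the user names are assumptions for illustration; logout is modelled as leaving the trust cookie in place, as the reply assumes.

```javascript
// Model of a "trust this device" cookie shared by every account in one browser profile.
// TRUST_COOKIE is a hypothetical name; Server is a simplified stand-in, not XenForo code.
const { randomBytes } = require('node:crypto');

const TRUST_COOKIE = 'tfa_trust';   // hypothetical cookie name
const TRUST_DAYS = 30;

class Server {
  constructor() { this.trusted = new Map(); }   // token -> { user, expires }

  // True when the second factor must be prompted for this login.
  needsTwoStep(user, jar, now) {
    const rec = this.trusted.get(jar.get(TRUST_COOKIE));
    // Token must exist, be unexpired, and belong to the account logging in.
    return !(rec && rec.user === user && rec.expires > now);
  }

  // Runs after a successful second factor with "trust this device" ticked.
  trustDevice(user, jar, now) {
    const token = randomBytes(16).toString('hex');
    this.trusted.set(token, { user, expires: now + TRUST_DAYS * 86400e3 });
    jar.set(TRUST_COOKIE, token);   // one name for all users: replaces any earlier value
  }

  login(user, jar, now) {
    const prompted = this.needsTwoStep(user, jar, now);
    if (prompted) this.trustDevice(user, jar, now);
    return prompted;
  }
}

// Replays the thread's sequence; each Map is one browser's cookie jar (constructed data).
function replay() {
  const server = new Server(), chrome = new Map(), safari = new Map();
  const t0 = Date.UTC(2020, 0, 1), hour = 3600e3;
  return {
    user1First:        server.login('user1', chrome, t0),
    user1Relogin:      server.login('user1', chrome, t0 + hour),
    user2SameBrowser:  server.login('user2', chrome, t0 + 2 * hour),
    user1AfterUser2:   server.login('user1', chrome, t0 + 3 * hour),
    user2OtherBrowser: server.login('user2', safari, t0 + 4 * hour),
    user1StillTrusted: server.login('user1', chrome, t0 + 5 * hour),
    user2StillTrusted: server.login('user2', safari, t0 + 6 * hour),
  };
}
```

In this model `replay()` returns `true` wherever the second factor is prompted: user1 is prompted again only after user2 has replaced the shared cookie, and both accounts stay trusted once each has its own browser.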
 