As designed "Trust this device for 30 days" but...

TickTackk

Well-known member
Affected version
2.2.1
PHP:
    public function setDeviceTrusted($userId)
    {
        /** @var \XF\Repository\UserTfaTrusted $tfaTrustRepo */
        $tfaTrustRepo = $this->repository('XF:UserTfaTrusted');
        $key = $tfaTrustRepo->createTrustedKey($userId);

        $this->app->response()->setCookie('tfa_trust', $key, 45 * 86400, null, true);

        return $key;
    }
That sets the cookie to 45 days.

Edit: The token can be valid from 30-34 days so saving the cookie for 45 doesn't make sense.
 
As it stands, this is as designed. First, as noted, there's variation in how long we actually trust the device for (which is also intentional; it's mentioned in the code, but it is to avoid a situation where devices expire at the same time). The cookie time is set a step above the maximum to reduce the chance of a situation where the cookie expires before the key does (especially if we adjust these window sizes).

More theoretical with the current code, but there can potentially be UX differences if we know that the device was trusted but needs to be verified compared to the device never being trusted (assuming they visit in a fairly reasonable window of time).
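The scheme the reply describes (a trust window jittered between 30 and 34 days per device, a cookie whose lifetime deliberately exceeds the longest possible key, and the ability to tell an expired trusted device apart from one that was never trusted), as an added stand-alone model in Python. This is not XenForo's code: apart from the `tfa_trust` cookie name and the 45-day cookie lifetime taken from the snippet above, the class, its methods, the in-memory key store and the cookie attributes are assumptions made for illustration.

```python
import hashlib
import random
import secrets
from dataclasses import dataclass

DAY = 86400
MIN_TRUST_DAYS = 30        # lower bound of the trust window (from the thread)
MAX_TRUST_DAYS = 34        # upper bound of the trust window (from the thread)
COOKIE_LIFETIME_DAYS = 45  # cookie max-age from the snippet; a step above MAX_TRUST_DAYS


@dataclass
class TrustedKey:
    user_id: int
    key_hash: str   # only a hash of the key is kept server-side (assumed design)
    created: int    # unix timestamp
    expires: int    # unix timestamp; jittered per device


class TrustedDeviceStore:
    """Hypothetical in-memory store modelling the trusted-device flow."""

    def __init__(self, seed=None):
        # A fixed seed makes the jitter reproducible for tests; production
        # code would use the unseeded SystemRandom branch.
        self.rng = random.Random(seed) if seed is not None else random.SystemRandom()
        self.keys = {}  # key_hash -> TrustedKey

    @staticmethod
    def _hash(key):
        return hashlib.sha256(key.encode()).hexdigest()

    def create_trusted_key(self, user_id, now):
        """Issue a key whose validity is randomly spread over 30..34 days so that
        devices trusted at the same time do not all expire together."""
        lifetime = self.rng.randint(MIN_TRUST_DAYS * DAY, MAX_TRUST_DAYS * DAY)
        key = secrets.token_urlsafe(32)
        self.keys[self._hash(key)] = TrustedKey(user_id, self._hash(key), now, now + lifetime)
        return key

    @staticmethod
    def cookie_header(key):
        """Set-Cookie value for the trusted key. The cookie outlives every key
        so the server, not the browser, decides when trust ends."""
        return (f"tfa_trust={key}; Max-Age={COOKIE_LIFETIME_DAYS * DAY}; "
                f"Path=/; Secure; HttpOnly; SameSite=Lax")

    def check_device(self, user_id, key, now):
        """Return 'trusted', 'expired' (known key past its window, so the UI can
        say 'please re-verify this device') or 'unknown' (never trusted, or a key
        that belongs to another user)."""
        rec = self.keys.get(self._hash(key)) if key else None
        if rec is None or rec.user_id != user_id:
            return "unknown"
        if now > rec.expires:
            return "expired"
        return "trusted"


def cookie_outlives_key():
    """Invariant the reply relies on: the cookie must not expire before any key can."""
    return COOKIE_LIFETIME_DAYS * DAY > MAX_TRUST_DAYS * DAY


if __name__ == "__main__":
    store = TrustedDeviceStore(seed=7)
    now = 1_700_000_000  # constructed timestamp
    key = store.create_trusted_key(42, now)
    print(store.cookie_header(key))
    for days in (0, 29, 35):
        print(days, "days later:", store.check_device(42, key, now + days * DAY))
    print("cookie outlives key:", cookie_outlives_key())
```

Because the cookie is only a carrier for the key, its 45-day lifetime never extends trust; the `expires` value on the server is what `check_device` enforces, and a returning browser whose key has lapsed lands in the `expired` branch rather than the `unknown` one, which is the UX distinction the reply mentions.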
 