From c46f4a76427621add9c03342cf9dc62fc256441d Mon Sep 17 00:00:00 2001 From: Sandro Lain Date: Sun, 25 Jan 2026 10:36:08 +0100 Subject: [PATCH 1/2] Fix remember cookie creation after second factor authentication --- src/Auth.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/Auth.php b/src/Auth.php index 6b5ff65..bd0ec01 100644 --- a/src/Auth.php +++ b/src/Auth.php @@ -964,13 +964,17 @@ public function provideOneTimePasswordAsSecondFactor($otpValue) { ]); if (!empty($userData)) { + // preserves session variable values ​​before reset the session via onLoginSuccessful + $sessionUserId = $_SESSION[self::SESSION_FIELD_AWAITING_2FA_USER_ID]; + $sessionRememberDuration = $_SESSION[self::SESSION_FIELD_AWAITING_2FA_REMEMBER_DURATION]; + $this->onLoginSuccessful( $_SESSION[self::SESSION_FIELD_AWAITING_2FA_USER_ID], $userData['email'], $userData['username'], $userData['status'], $userData['roles_mask'], $userData['force_logout'], false ); if (isset($_SESSION[self::SESSION_FIELD_AWAITING_2FA_REMEMBER_DURATION])) { $this->createRememberDirective( - $_SESSION[self::SESSION_FIELD_AWAITING_2FA_USER_ID], $_SESSION[self::SESSION_FIELD_AWAITING_2FA_REMEMBER_DURATION] + $sessionUserId, $sessionRememberDuration ); } From 436087dfef5c37feb8b375177291625acf925a5b Mon Sep 17 00:00:00 2001 From: Sandro Lain Date: Sun, 25 Jan 2026 10:45:28 +0100 Subject: [PATCH 2/2] Change 2FA remember duration check to use empty() --- src/Auth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Auth.php b/src/Auth.php index bd0ec01..86d0a8c 100644 --- a/src/Auth.php +++ b/src/Auth.php @@ -972,7 +972,7 @@ public function provideOneTimePasswordAsSecondFactor($otpValue) { $_SESSION[self::SESSION_FIELD_AWAITING_2FA_USER_ID], $userData['email'], $userData['username'], $userData['status'], $userData['roles_mask'], $userData['force_logout'], false ); - if (isset($_SESSION[self::SESSION_FIELD_AWAITING_2FA_REMEMBER_DURATION])) { + if (!empty($sessionRememberDuration)) { $this->createRememberDirective( $sessionUserId, $sessionRememberDuration );