Login (2FA): keep me logged in not respected

Summary

When logging in using 2FA with “Keep me logged in” the session still expires. I’m not sure if this is limited to 2FA as I don’t have a non-2FA account to test with.

Steps to reproduce

  1. Go to /login
  2. Enter credentials for an account with 2FA enabled
  3. Check the “Keep me logged in” and “not a robot” boxes
  4. Press the “Log in” button
  5. Enter 2FA code
  6. Go do other stuff and come back at least an hour later
  7. Refresh the page or perform some other action

Current Behavior

The app is redirected to the login page.

Expected behavior

The session is still valid (login not required).

Possible solutions

The “keep me logged in” flag may not be passed along when creating the new JWT after verifying the 2FA code.
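An added example, not code from the report or from the application it concerns, modelling the mechanism suggested above: a stdlib-only Python sketch of a password-then-2FA login where the “pending 2FA” state carries the remember flag, with the buggy and the corrected final-JWT issuance side by side. The secret, the TTL values, the claim names and the `stage` field are constructed assumptions.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"    # constructed; not a real signing key
SESSION_TTL = 3600                     # one hour, matching the report
REMEMBER_TTL = 30 * 24 * 3600          # assumed "keep me logged in" lifetime

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def mint_jwt(claims: dict) -> str:
    """Minimal HS256 JWT, just enough to carry an exp claim."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def decode_claims(token: str) -> dict:
    body = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def password_step(user: str, remember: bool, now: int) -> dict:
    """Step 1: credentials accepted, 2FA still outstanding. The remember
    flag has to ride along in this intermediate state or it is lost."""
    return {"sub": user, "stage": "awaiting_2fa", "remember": remember, "exp": now + 300}

def verify_2fa_buggy(pending: dict, now: int) -> str:
    # Behaviour hypothesised in the report: the final JWT ignores the flag.
    return mint_jwt({"sub": pending["sub"], "exp": now + SESSION_TTL})

def verify_2fa_fixed(pending: dict, now: int) -> str:
    # Corrected: derive the expiry from the flag carried through step 1.
    remember = bool(pending.get("remember"))
    ttl = REMEMBER_TTL if remember else SESSION_TTL
    return mint_jwt({"sub": pending["sub"], "remember": remember, "exp": now + ttl})

def session_valid(token: str, now: int) -> bool:
    """Check signature, then expiry; a tampered or expired token is invalid."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return False
    return now < decode_claims(token)["exp"]

def reproduce(remember: bool, fixed: bool, elapsed: int = 3601) -> bool:
    """Run the flow and report whether the session survives `elapsed` seconds."""
    now = 1_700_000_000  # constructed fixed clock
    pending = password_step("alice", remember, now)
    token = (verify_2fa_fixed if fixed else verify_2fa_buggy)(pending, now)
    return session_valid(token, now + elapsed)
```

`reproduce(remember=True, fixed=False)` reproduces the report (session gone after an hour); the fixed variant keeps it alive, while an unchecked box still expires after an hour.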
